Database Search

match allmatch any Look in all areasLook in current areas Check all datesPrevious dayPrevious 3 daysPrevious weekPrevious fortnightPrevious monthPrevious 2 monthsPrevious 3 monthsPrevious half-yearPrevious year

TechHome

• !! Understanding UAC !!
• A Referral was Returned From the Server
• Admin Privilege OK in WinBatch, but not Compiled
• Cmd Prompt Run As Administrator
• Determine if Application is Elevated
• Elevation Level and Environment Varibles
• FileCopy and UAC
• Installation Scripts
• Installing a program using Compatibility Mode
• Mapped Drives Issue with UAC
• Protected Directories
• Run As Admin WinBatch Script With UAC On
• RunWithLogon and UAC
• Scheduled Tasks
• SendKey and UAC
• Signing and Certificates
• StartUp No Prompt
• UAC Administrator Account
• UAC and WinBatch Studio
• UAC Help
• UAC Local System Account
• Unknown Publisher
• wntAccessAdd 64-bit Registry Key
• wntRunAsUser Issues
• wntShare UAC Problem

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

A Referral was Returned From the Server

 Keywords: A Referral was Returned From the Server Signed WinBatch Studio

---

Windows has made some improvements in providing readable error messages. However this is one exception: 'A Referral was Returned From the Server'.

It happens if you try to run an unsigned application (in Vista or newer) that requires elevation, but you have the "User Account Control: Only elevate executables that are signed and validated" policy enabled. Administrators will enable this policy in domain environments if they really want to control which applications users run with administrative privileges.

If the application is a compiled WinBatch script, then you will need to contact your IT department/developer to get it signed. If you’ve been tweaking the Group Policy settings in your domain, go ahead and disable this policy if you want to run the tool.

Note: In July of 2021 Island Lake Consulting LLC switched to DigiCert code-signing certificates and does not use the Thaw certificates mentioned in this article.

---

If you get this error running WinBatch, WinBatch Studio or any of its tools. Make sure you are running Winbatch 2007B or newer

WinBatch 2007B and newer tools are all signed and manifested.

Reference:
https://blogs.msdn.com/spatdsg/archive/2006/12/20/supportability-and-vista.aspx

---

If you are running WinBatch 2007B or newer then the WinBatch.exe and WinBatch Studio.exe are both signed and manifested.

If you get this error using WinBatch 2007B or newer, it is probably due to UiAccess beging set to TRUE by default. Since UIAccess is set to true the following must be true:

1. WinBatch must be installed in a trusted directory. ( i.e. "Program Files" )
2. WinBatch must be code signed properly.

---

WinBatch must be installed in a trusted directory.

First check that WinBatch is installed to a trusted directory like the 'Program Files' directory.

If you choose to install WinBatch somewhere other than a trusted directory ( NOT Recommended ) then you must use a differently manifested version of the WinBatch tools. For example: WBStudio_AF.exe, WBStudio_IF.exe, WBStudio_HF.exe. These 'differently' manifested version all have uiAccess set to FALSE. Not: this will limit the types of operations that you can script.

---

WinBatch must be code signed properly.

Next, try right-clicking on the WinBatch.exe or WinBatch Studio.exe and select 'Properties' then 'Digital Signatures' tab. Select the 'Details' button. It should say 'This digital signature is okay' .

Issue:
The 'Digital Signature Details' dialog says, 'The certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider'. Further investigation finds 'This certificate cannot be verified up to a trusted certification authority'.

Cause
This error will occur if the issuer of the currently installed certificate is not present on the client software(i.e. Internet Explorer Browser)

Resolution
WinBatch code signing uses Thawte root certificates. These are installed on most browsers by default. Check that the root certificate is not deleted from the client software. The root certificates will be installed in the Certfication Authority certificate stores in the browsers.

In Internet Explorer, go to the menu 'Tools|Internet Options'. Select the 'Content' tab. Select the 'Certificates' button. Select the 'Trusted Root Certification Authorities' tab. Under the 'Issued By' heading look for:

• WinBatch 2012B and newer :'Thawte Primary Server CA'
• WinBatch 2012A and older :'Thawte Premium Server CA'

If it is not there you must install it.

If you need to update your Thawte Root Certificates:

You could do this by going to the Thawte website and downloading the newer 2048 bit public key root certificate. The switch from 1024 to 2048 bit encryption was made after the release of Windows 7 so vendor and corporate installation images sometimes don't have the latest Thawte root certificates installed.

Here is a link to a brief explanation of the certificate change as offered by Thawte.

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221

Also, Windows 7 has a Root Certificate update mechanism that *should* automagically update your Root Certificates as needed. However, this feature can be turned off via group policy.

---

Article ID:   W17484

File Created: 2023:03:02:10:53:20

Last Updated: 2023:03:02:10:53:20