NPS Server: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
Following on from my earlier thread, one of my DCs that also functions as an NPS server seems to still have an issue: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/82610054-7d9f-4c62-b2e0-06ea676a5166

Turning up the SChannel logging, I get this error message:

Log Name: System
Source: Schannel
Date: 11/05/2012 4:32:24 p.m.
Event ID: 36877
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: DC.MY.LAN
Description:
The certificate received from the remote client application has not validated correctly. The error code is 0x80092013. The attached data contains the client certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36877</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-11T04:32:24.368328000Z" />
    <EventRecordID>17319</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="3012" />
    <Channel>System</Channel>
    <Computer>DC.MY.LAN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ErrorCode">0x80092013</Data>
    <Binary>…</Binary>
  </EventData>
</Event>

Running a certutil -TCAInfo command, I get this:

===============================================================
CA Name: EXCHANGE
Machine Name: NEWCA.MY.LAN
DS Location: CN=EXCHANGE,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MY,DC=LAN
Cert DN: CN=EXCHANGE, DC=MY, DC=LAN
CA Registry Validity Period: 2 Years -- 11/05/2014 4:49 p.m.
NotAfter: 24/03/2017 7:38 a.m.
Connecting to NEWCA.MY.LAN\EXCHANGE ...
Server "EXCHANGE" ICertRequest2 interface is alive
Enterprise Root CA
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=EXCHANGE, DC=MY, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=EXCHANGE, DC=MY, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Issuer: CN=EXCHANGE, DC=MY, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=EXCHANGE, DC=MY, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
0x800b0112 (-2146762478)
------------------------------------
Supported Certificate Templates:
  Cert Type[0]: CodeSigning (Code Signing)
  Cert Type[1]: Copy of RAS and IAS Server (Copy of RAS and IAS Server)
  Cert Type[2]: DirectoryEmailReplication (Directory Email Replication)
  Cert Type[3]: DomainControllerAuthentication (Domain Controller Authentication)
  Cert Type[4]: EFSRecovery (EFS Recovery Agent)
  Cert Type[5]: EFS (Basic EFS)
  Cert Type[6]: DomainController (Domain Controller)
  Cert Type[7]: WebServer (Web Server)
  Cert Type[8]: Machine (Computer)
  Cert Type[9]: User (User)
  Cert Type[10]: SubCA (Subordinate Certification Authority)
  Cert Type[11]: Administrator (Administrator)
Validated Cert Types: 12
================================================================
NEWCA.MY.LAN\EXCHANGE: Enterprise Root CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
0x800b0112 (-2146762478)
Online

If I point the Wireless AP to a different NPS server it works fine, so it's something on this particular one (have uninstalled and reinstalled NPS). Something obviously still a little screwy - any suggestions?
May 11th, 2012 7:58am
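The Schannel 36877 event in the post above carries the failing client certificate in its Binary field and the validation error code in its EventData. The script below is an added example, not code from the thread: it pulls those events from the System log, names the error code (the table covers the codes seen in this thread plus a few common neighbours), and decodes the attached certificate so that the client that failed can be identified. It assumes the Binary payload is a DER-encoded certificate, as the event description states, and an elevated session on the NPS server.

```powershell
# Added example, not code from the thread. Decodes Schannel event 36877 records
# on the local NPS server: names the validation error code and parses the client
# certificate that Schannel attaches in the event's Binary field. Assumes the
# Binary payload is a DER certificate, as the event description states.

# Error codes seen in this thread plus common neighbours; anything else prints raw.
$SchannelErrorNames = @{
    '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE: revocation server (CRL/OCSP) could not be reached'
    '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK: no revocation information for a cert in the chain'
    '0x80092004' = 'CRYPT_E_NOT_FOUND: object not found (e.g. CDP entry in AD)'
    '0x800b0112' = 'CERT_E_UNTRUSTEDCA: a CA certificate is not trusted by the policy provider'
    '0x800b0109' = 'CERT_E_UNTRUSTEDROOT: chain terminates in an untrusted root'
    '0x800b0101' = 'CERT_E_EXPIRED: certificate is outside its validity period'
}

function Convert-HexToBytes {
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-SchannelClientCertFailures {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36877 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Event XML carries <Data Name="ErrorCode">0x...</Data> and <Binary>hex</Binary>
        $xml  = [xml]$_.ToXml()
        $code = "$(($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ErrorCode' }).'#text')".ToLower()
        $hex  = $xml.Event.EventData.Binary
        $cert = $null
        $note = ''
        if ($hex) {
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                                   -ArgumentList (,(Convert-HexToBytes $hex))
            } catch { $note = "Binary field is not a DER certificate: $($_.Exception.Message)" }
        } else { $note = 'no certificate attached' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Computer   = $_.MachineName
            ErrorCode  = $code
            Meaning    = $(if ($SchannelErrorNames.ContainsKey($code)) { $SchannelErrorNames[$code] } else { 'unknown code' })
            Subject    = $(if ($cert) { $cert.Subject } else { $note })
            Issuer     = $(if ($cert) { $cert.Issuer })
            Thumbprint = $(if ($cert) { $cert.Thumbprint })
            NotAfter   = $(if ($cert) { $cert.NotAfter })
        }
      }
}

Get-SchannelClientCertFailures | Format-List
```

Reading the Issuer and Thumbprint of the attached certificate tells you which CA chain the client presented, which is the first thing to compare between an NPS server that accepts the client and one that rejects it.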

Doing some more examination, the NPS server that works has only one valid version of the CA cert. The other NPS server has duplicate copies. Deleting one of the duplicates from the CA Trusted Root store and restarting NPS seems to do the job. I'll test on another.
May 13th, 2012 5:48pm
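The post above found the cause on one server to be duplicate copies of the CA certificate in the Trusted Root store. The script below is an added example, not code from the thread: it lists every Subject that appears more than once in the machine's Trusted Root Certification Authorities store with each copy's thumbprint, serial and validity, and it can diff the store against a known-good host. It only reports; removing the stale copy stays a deliberate step done by thumbprint. Compare-RootStores assumes WinRM access to the reference host, and the host name in the commented usage line is hypothetical.

```powershell
# Added example, not code from the thread. Reports certificates in the machine's
# Trusted Root store that share a Subject (an expired and a renewed copy of the same
# CA, for instance). Nothing is deleted here.

function Find-DuplicateRootCAs {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')   # the store Schannel/NPS chain-building uses
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
      Group-Object -Property Subject |
      Where-Object { $_.Count -gt 1 } |
      ForEach-Object {
        $subject = $_.Name
        # Newest validity first: after an AD CS renewal the current cert is normally the one to keep.
        $_.Group | Sort-Object NotAfter -Descending | ForEach-Object {
            [pscustomobject]@{
                Subject    = $subject
                Thumbprint = $_.Thumbprint
                Serial     = $_.SerialNumber
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt $now)
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
      }
}

# Diff this host's Trusted Root store against a host that authenticates clients fine.
# Assumes WinRM (Invoke-Command) access to the reference host.
function Compare-RootStores {
    param([Parameter(Mandatory)][string]$ReferenceComputer)
    $here  = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
    $there = Invoke-Command -ComputerName $ReferenceComputer -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
    }
    Compare-Object -ReferenceObject $there -DifferenceObject $here |
      ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.InputObject
            PresentOn  = $(if ($_.SideIndicator -eq '=>') { "$env:COMPUTERNAME only" } else { "$ReferenceComputer only" })
        }
      }
}

Find-DuplicateRootCAs | Format-Table -AutoSize
# Compare-RootStores -ReferenceComputer 'GOODNPS01' | Format-Table -AutoSize   # hypothetical host name
```

A Subject that appears twice with one copy expired is the pattern described above; a thumbprint present only on the failing host is the second thing to look at before touching the store.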

Hi, How is everything going? Best Regards, Elytis Cheng, TechNet Community Support
May 14th, 2012 4:40am

To be frank, I'm not too sure! Some servers work and some don't and I honestly can't tell why. I republished the CRL as it looked fine on the CA, but that didn't seem to get out to all the domain. If I run a certutil -DCinfo verify, I get this output - some are OK and some are not (I've included only the one successful and one failed to illustrate).

0: MYLANWNDC01
1: MYLANWHDC01
2: MYLANRXDC01
3: MYLANOTDC01
4: MYLANCHDC01
5: MYLANRTDC01
6: MYLANPKDC01
7: MYLANGSDC01
8: MYLANWNDC02

*** Testing DC[0]: MYLANWNDC01
** Enterprise Root Certificates for DC MYLANWNDC01
Certificate 0:
Serial Number: 2f39138dc1b34288470fc3bc79c2b3d9
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 22/03/2007 12:07 p.m.
NotAfter: 22/03/2012 12:16 p.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f7 58 62 89 38 65 e1 fe aa 2b 32 f3 39 7e 7b 67 de 94 38 cf
Certificate 1:
Serial Number: 159b58b983258eb548e34b31a1dec26c
Issuer: CN=MYLAN, DC=MYLAN, DC=LAN
NotBefore: 21/01/2010 3:19 p.m.
NotAfter: 21/01/2015 3:25 p.m.
Subject: CN=MYLAN, DC=MYLAN, DC=LAN
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 5f df 7c 2c 92 d8 0d 3c 20 2c c0 5b f3 88 49 cb a7 3c a0 4e
Certificate 2:
Serial Number: 2305fccace68e1ba4f407e110bdc05ba
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
** KDC Certificates for DC MYLANWNDC01
Certificate 0:
Serial Number: 3289526d00010000030c
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject: EMPTY (DNS Name=MYLANWNDC01.MYLAN.LAN)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Cert Hash(sha1): ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 8:55 a.m.
  NotAfter: 23/03/2013 8:55 a.m.
  Subject:
  Serial: 3289526d00010000030c
  SubjectAltName: DNS Name=MYLANWNDC01.MYLAN.LAN
  Template: Domain Controller Authentication
  ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  CRL 0748:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  ce f0 dd 18 0e b6 e5 4a 5a 61 f1 a8 62 f9 a6 34 d2 96 87 5b
  Delta CRL 074d:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  1d d7 16 bb e4 68 c7 81 ab b9 38 29 9f 57 1c a3 ab a2 a8 47
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  53 b9 f9 26 8f 1a 2c d0 50 31 36 f0 89 9d 40 97 16 b5 65 7c
Full chain:
  ca cc 8f 65 9e 99 02 fe 1c 88 4f f1 4e c8 93 e4 60 86 e5 37
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 8:55 a.m.
  NotAfter: 23/03/2013 8:55 a.m.
  Subject:
  Serial: 3289526d00010000030c
  SubjectAltName: DNS Name=MYLANWNDC01.MYLAN.LAN
  Template: Domain Controller Authentication
  ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
The revocation function was unable to check revocation because the revocation server was offline.
0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Certificate 1:
Serial Number: 3289516400010000030b
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject: EMPTY (Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN)
Non-root Certificate
Template: DirectoryEmailReplication, Directory Email Replication
Cert Hash(sha1): dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 8:55 a.m.
  NotAfter: 23/03/2013 8:55 a.m.
  Subject:
  Serial: 3289516400010000030b
  SubjectAltName: Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN
  Template: Directory Email Replication
  dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  CRL 0748:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  ce f0 dd 18 0e b6 e5 4a 5a 61 f1 a8 62 f9 a6 34 d2 96 87 5b
  Delta CRL 074d:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  1d d7 16 bb e4 68 c7 81 ab b9 38 29 9f 57 1c a3 ab a2 a8 47
  Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  14 ab 91 86 3b 9a 9d 79 88 f9 06 3d 08 1f 8e eb 58 fc 90 89
Full chain:
  1b f3 d4 d8 55 f5 cc 07 79 21 5e 85 20 49 ab dc 6d 42 dc de
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 8:55 a.m.
  NotAfter: 23/03/2013 8:55 a.m.
  Subject:
  Serial: 3289516400010000030b
  SubjectAltName: Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN
  Template: Directory Email Replication
  dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
The revocation function was unable to check revocation because the revocation server was offline.
0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
2 KDC certs for MYLANWNDC01

*** Testing DC[8]: MYLANWNDC02
** Enterprise Root Certificates for DC MYLANWNDC02
Certificate 0:
Serial Number: 2f39138dc1b34288470fc3bc79c2b3d9
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 22/03/2007 12:07 p.m.
NotAfter: 22/03/2012 12:16 p.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f7 58 62 89 38 65 e1 fe aa 2b 32 f3 39 7e 7b 67 de 94 38 cf
Certificate 1:
Serial Number: 159b58b983258eb548e34b31a1dec26c
Issuer: CN=MYLAN, DC=MYLAN, DC=LAN
NotBefore: 21/01/2010 3:19 p.m.
NotAfter: 21/01/2015 3:25 p.m.
Subject: CN=MYLAN, DC=MYLAN, DC=LAN
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 5f df 7c 2c 92 d8 0d 3c 20 2c c0 5b f3 88 49 cb a7 3c a0 4e
Certificate 2:
Serial Number: 2305fccace68e1ba4f407e110bdc05ba
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
** KDC Certificates for DC MYLANWNDC02
Certificate 0:
Serial Number: 3762c303000100000421
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject: EMPTY (Other Name:DS Object Guid=04 10 55 cf 99 a3 a2 15 e0 41 a7 7c f7 97 9d a8 e3 26, DNS Name=MYLANWNDC02.MYLAN.LAN)
Non-root Certificate
Template: DirectoryEmailReplication, Directory Email Replication
Cert Hash(sha1): cb 10 1e 39 a9 c5 af f7 32 7a 10 43 b1 71 f5 61 fe 9e 0e 3c
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 21/04/2012 11:46 a.m.
  NotAfter: 21/04/2013 11:46 a.m.
  Subject:
  Serial: 3762c303000100000421
  SubjectAltName: Other Name:DS Object Guid=04 10 55 cf 99 a3 a2 15 e0 41 a7 7c f7 97 9d a8 e3 26, DNS Name=MYLANWNDC02.MYLAN.LAN
  Template: Directory Email Replication
  cb 10 1e 39 a9 c5 af f7 32 7a 10 43 b1 71 f5 61 fe 9e 0e 3c
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 074e:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
  Delta CRL 0753:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
  Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  38 b9 4b 07 2d 65 c7 4a d8 82 35 d8 25 f9 9c a4 cb 1a 7f 67
Full chain:
  e3 03 47 da c4 1a db d0 77 00 9c 2e c7 af 6e 86 8d c8 86 52
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.4.1.311.21.19 Directory Service Email Replication
Certificate 1:
Serial Number: 3762c60f000100000422
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject: EMPTY (DNS Name=MYLANWNDC02.MYLAN.LAN)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Cert Hash(sha1): 19 f6 6d 63 4a 80 8a da 23 1a 69 19 fd 75 79 07 d4 d8 a9 b0
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 21/04/2012 11:46 a.m.
  NotAfter: 21/04/2013 11:46 a.m.
  Subject:
  Serial: 3762c60f000100000422
  SubjectAltName: DNS Name=MYLANWNDC02.MYLAN.LAN
  Template: Domain Controller Authentication
  19 f6 6d 63 4a 80 8a da 23 1a 69 19 fd 75 79 07 d4 d8 a9 b0
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 074e:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
  Delta CRL 0753:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  99 02 c4 0d bf 77 20 e1 f2 e6 0f 38 83 05 6d f3 4d 5b dc 1f
Full chain:
  00 b7 81 9c fb 94 02 f3 bb 1c b2 b3 32 5f df 54 46 a3 11 f4
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.4.1.311.20.2.2 Smart Card Logon
2 KDC certs for MYLANWNDC02
CertUtil: -DCInfo command completed successfully.
May 14th, 2012 4:46pm

Hmmm, when I run a verify on the CA certificate, I get this:

Issuer:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Subject:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 50 Minutes, 57 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 50 Minutes, 57 Seconds
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
    ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
  ---------------- Base CRL CDP ----------------
  OK "Delta CRL (0753)" Time: 0
    [0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 074e:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
  Delta CRL 0753:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
Exclude leaf cert:
  c5 39 d7 d7 8e 49 70 56 b6 b8 b0 b7 aa 7e 75 f3 86 67 6c d4
Full chain:
  a3 00 7b 14 65 79 ad 31 c2 0c 8f 02 99 5d de 14 43 44 4d 65
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

The MYLANWNSV01 was the original CA many years ago, but it was moved to MYLANEX01 (by a third party I assume) and is now on MYLANWNSV22 as of a few days ago, so the CDP is wrong. Now how to fix? If I open ADSIedit, I can see 3 items in the services\PKI\CDP container: the new server and the 2 old ones. If I run certutil -URL on the URL listed under Enterprise PKI/CA/CDP location, ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint, 2 CRLs are retrieved and they're both status 'OK'.
May 14th, 2012 5:10pm

Hello, Thank you for your post. This is a quick note to let you know that we are performing research on this issue. Best Regards, Elytis Cheng, TechNet Community Support
May 15th, 2012 5:02am

Hi, I have some confusion on the description, and would like to clarify with you.
1. You told me that the name of the CA is EXCHANGE, but the subject of the CA certificate is MYLANWNEX01; the subject name should be the CA name. So please confirm the certificate you are checking is the CA certificate for the CA EXCHANGE.
2. 2305fccace68e1ba4f407e110bdc05ba is a self-signed certificate; would you please let me know how you requested/issued it? Generally, a self-signed certificate does not have AIA and CDP.
3. As I understand, your concern is the error "CA certificates is not trusted by the policy provider", am I right? Please check your NPS server, and make sure the root CA certificate is installed in the "Trusted Root Certification Authorities" store on the NPS server.
Thanks. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 16th, 2012 5:41am

Hi Aaron, I have not used the actual server names in my postings (seems to be bad practice usually) - EXCHANGE=MYLANWNEX01 - but again, that's not the actual name of the server. If the real names are important, I'll be happy to redo the queries and paste in the real names. That is the serial of the new CA certificate. It had expired so I renewed it (believe I used renew with new key) - this did appear to be working prior to the migration, so it was generated on server MYLANWNDC01 (not real name), as it was used with all my NPS servers successfully. The issues all seem to have occurred since I migrated. From one of the problem NPS servers, when verifying the CA cert from Trusted Root Authority:

Issuer:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Subject:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
May 16th, 2012 4:57pm

Verify on NPS certificate from the server that was causing issues:

Issuer:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Subject:
    CN=MYLANGSDC01.MYLAN.LAN
Cert Serial Number: 13daafdb000100000437
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Hours, 3 Minutes, 22 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Hours, 3 Minutes, 22 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 10/05/2012 9:24 a.m.
  NotAfter: 10/05/2014 9:34 a.m.
  Subject: CN=MYLANGSDC01.MYLAN.LAN
  Serial: 13daafdb000100000437
  SubjectAltName: DNS Name=MYLANGSDC01.MYLAN.LAN
  Template: Copy of RAS and IAS Server
  ec 17 c5 45 bc 07 c2 46 4a 19 2f 78 0f 96 a7 5a 30 4b a4 f3
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 0756:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  07 ae 8f ce f4 0c be 2a 56 85 90 0a 1a a4 37 40 04 ac d7 11
  Delta CRL 0756:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  0d 35 d2 06 6c c5 5c 4b 31 da 21 b3 bf 07 fe 95 5e b6 e2 d0
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  c8 5c 91 67 7b 4e 8e 38 64 a8 91 54 9c ab d7 73 55 27 99 db
Full chain:
  6c 85 34 4b 55 c6 e2 3d 63 17 3f 34 db 58 0b db 85 6c d7 69
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
May 16th, 2012 4:59pm

Just to note, the CA has no problem issuing certificates; it behaves as I'd expect in all ways bar this problem with Wireless clients authenticating against SOME servers.
May 16th, 2012 5:01pm

I think the error below causes your issue. Please make sure the CRLs are available.

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

In addition, I suggest you verify your NPS cert by the command "certutil -verify -fetchurl c:\nps.cer" on the NPS server and post the result. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 19th, 2012 4:00am

C:\Users\administrator.MYLAN>certutil -verify -urlfetch c:\NPS.cer
Issuer:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Subject:
    CN=MYLANGSDC01.MYLAN.LAN
Cert Serial Number: 1f459063000100000450
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 13 Minutes, 55 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 13 Minutes, 55 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 17/05/2012 8:40 a.m.
  NotAfter: 17/05/2014 8:50 a.m.
  Subject: CN=MYLANGSDC01.MYLAN.LAN
  Serial: 1f459063000100000450
  SubjectAltName: DNS Name=MYLANGSDC01.MYLAN.LAN
  Template: Copy of RAS and IAS Server
  66 40 01 a1 b4 5e 51 c0 38 63 05 b4 9f 0e 71 34 c3 a1 76 b9
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=MYLANWNEX01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?cACertificate?base?objectClass=certificationAuthority
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (0756)" Time: 0
    [0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Delta CRL (0756)" Time: 0
    [0.0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Base CRL CDP ----------------
  OK "Delta CRL (075a)" Time: 0
    [0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 0756:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  07 ae 8f ce f4 0c be 2a 56 85 90 0a 1a a4 37 40 04 ac d7 11
  Delta CRL 075a:
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  4b 22 e1 26 d1 cf be 35 79 c5 68 47 2e bf 47 f4 d0 01 e9 4b
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
    ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
Exclude leaf cert:
  02 af d9 3d a3 b5 d9 cf b0 ac d7 9b 27 24 5a 28 13 24 1d 15
Full chain:
  bc 64 ac cf b5 22 ee ac 21 de 80 63 7a 9c 9f 80 28 f9 0a fd
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Would seem to be an OLD CDP? How do I resolve that and remove the old CHCWNSV01 server altogether?
May 20th, 2012 6:13pm

OK, when I take a look at the CRL for the CA cert under the enterprise PKI MMC:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl

So here's the old name again! MYLANWNSV01 should be MYLANWNSV22, and it's the same for the AIA. I don't want to risk stuffing this up any further, what's the thing to do?
May 20th, 2012 9:08pm

You have to be aware that any changes that you make in the configuration of the CA will only affect *future* certificates, not existing certificates. It sounds like you are going to have to support both MYLANwnsv01.MYLAN.lan and MYLANWNSV22.MYLAN.lan for the immediate future (until all previously issued certificates expire). What may work is to make MYLANWNSV22.MYLAN.lan a CNAME for MYLANwnsv01.MYLAN.lan. You can only remove the CNAME record when the last certificate issued with the previous names expires (no more need for CRL checking).

HTH,
Brian
May 20th, 2012 11:48pm

Thanks, will try this. The current CA certificate still contains the old name MYLANWNSV01 in the CRL, rather than the new name. I've seen some articles suggesting replacing the ServerShortName with the new name - any thoughts on this?

URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint

i.e. can I add another ldap URL?

When running the above test against the NPS cert, the output has changed somewhat:

    Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
    ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Base CRL (075b)" Time: 5
    [1.0] http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
  Wrong Issuer "Delta CRL (075b)" Time: 0
    [1.0.0] ldap:///CN=MYLANWNEX01,CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
May 20th, 2012 11:52pm

On the same server (now it's had a day to settle) running a verify against the CA cert:

C:\Users\administrator.MYLAN>certutil -verify -urlfetch c:\CA.cer
Issuer:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Subject:
    CN=MYLANWNEX01
    DC=MYLAN
    DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  NotBefore: 23/03/2012 7:29 a.m.
  NotAfter: 24/03/2017 7:38 a.m.
  Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
  Serial: 2305fccace68e1ba4f407e110bdc05ba
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
    ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Base CRL (075b)" Time: 4
    [1.0] http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
  Wrong Issuer "Delta CRL (075b)" Time: 0
    [1.0.0] ldap:///CN=MYLANWNEX01,CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

-----

I can open a web browser and retrieve the CRL from http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl and it contains the new CA name.
May 21st, 2012 5:01pm

Wow this goes on. OK, I THINK the issue is this - the CRL for the CA certificate is wrong. From the current CA cert:

URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl

So it's issuing out new certificates with this CRL and, although the URL is reachable (thanks to CNAME suggestion above) the LDAP won't be. So do I:

1) Under CA > Extensions, remove the LDAP CRL altogether from the CA cert and get all new certs issued with HTTP (and which of the options do I choose)
2) Have a similar workaround in LDAP so the new CA (MYLANWNSV22) gets checked whenever someone looks for MYLANWNSV01
3) Create an all new CA cert (and how do I do this so it uses the right names) and get new certs for all the NPS servers?
4) Add new LDAP path ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=MYLANWNSV22,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass> and assign this the same options as current default LDAP (which can then be unticked and/or removed?)
May 22nd, 2012 8:21pm
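The CA-side check behind options 1, 2 and 4 above, added here as an example (it is not code from the thread or from Microsoft): it reads the CA's CRLPublicationURLs and CACertPublicationURLs registry values, decodes the flag bits that decide which entries are stamped into newly issued certificates, expands the locally known %1/%2/%3 variables, and flags any entry that still carries a retired host name. $staleHost is taken from this thread as a placeholder.

```powershell
# Added example, not from the thread. Run on the CA server as an administrator.
# Lists the CDP/AIA URLs the CA stamps into NEW certificates and flags entries
# that still carry a retired host. $staleHost is a placeholder from this thread.
$staleHost = 'MYLANwnsv01'

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active        # common name of the active CA
$caKey  = Join-Path $base $caName

# Meaning of the flag bits in "<flags>:<url>" entries of CRLPublicationURLs ...
$crlFlags = @{ 1 = 'publish CRL here'; 2 = 'CDP ext of issued certs'
               4 = 'FreshestCRL ext';  8 = 'CDP ext of issued CRLs'
               64 = 'publish delta CRL here'; 128 = 'IDP ext of issued CRLs' }
# ... and of CACertPublicationURLs
$aiaFlags = @{ 1 = 'publish CA cert here'; 2 = 'AIA ext of issued certs'
               32 = 'OCSP entry in AIA ext of issued certs' }

# Variables certsvc expands from the local machine; the AD-derived ones
# (%6 ConfigurationContainer, %7 CATruncatedName, ...) are left unexpanded.
$vars = @{ '%1' = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
           '%2' = $env:COMPUTERNAME
           '%3' = $caName }

function Get-PublicationUrlReport {
    param([string]$ValueName, [hashtable]$FlagNames)
    $entries = (Get-ItemProperty -Path $caKey -Name $ValueName).$ValueName
    foreach ($entry in $entries) {
        $flagText, $url = $entry -split ':', 2
        $flags = [int]$flagText
        # (?!\d) keeps %1 from eating the first character of %10 / %11
        foreach ($v in $vars.Keys) { $url = $url -replace ($v + '(?!\d)'), $vars[$v] }
        [pscustomobject]@{
            Value   = $ValueName
            Flags   = $flags
            Meaning = (@($FlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                        ForEach-Object { $FlagNames[$_] }) -join ', ')
            Stale   = [bool]($url -match [regex]::Escape($staleHost))
            Url     = $url
        }
    }
}

$report = @(Get-PublicationUrlReport 'CRLPublicationURLs'    $crlFlags) +
          @(Get-PublicationUrlReport 'CACertPublicationURLs' $aiaFlags)
$report | Format-Table Value, Flags, Stale, Url, Meaning -Wrap
# Only entries with bit 2 set reach new certificates; a stale name there means
# every certificate issued from now on points at an unreachable CDP/AIA.
$report | Where-Object { $_.Stale -and ($_.Flags -band 2) } | ForEach-Object {
    Write-Warning "New certs will carry '$($_.Url)' (from $($_.Value)); use %2/%1 or the new host name, restart certsvc and publish a fresh CRL."
}
```

An entry that shows Stale = True with a literal host name is the one to change; an entry built from %2 expands to the current server name and needs no edit.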

