Okay, I don't usually ask questions but I've been getting nowhere on this for days now. Using Exchange 2007 Here's the situation. I get a pop up when opening Outlook 2007 for some users when logged into the terminal server. The pop up says: ----------------- Security Alert remote.ourdomainname.com Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. X An unknown error occurred. This site should not be trusted. -------------------------------------- The only bit of other information that I can work with, is that the users that get this error cannot access the website: remote.ourdomainname.com in Internet Explorer. But, some older users can log in, don't get the Outlook error, and can access that site in IE. What the heck? I've checked for group policy stuff, and local admin stuff... Don't know what else to do.

Hi, For 2008, you can enable CAPI2 logging, Start -> Search box, enter eventvwr Expand Applications and Services Logs\Microsoft\Windows\CAPI2, right click the Operational log, click properties and check the "Enable logging" checkbox. Note that you may need to modify the maximum log file size based on the number of users on the terminal server or the amount of cryptographic service activity. From there, please post back any errors that you are unsure how to remediate. -- Mike Burr

Hi Mike, Thanks for the response! I do in fact have quite a few errors being logged but am unsure of how to remediate them. Here are some of the errors: - System - Provider [ Name] Microsoft-Windows-CAPI2 [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} EventID 11 Version 0 Level 2 Task 11 Opcode 2 Keywords 0x8000000000000003 - TimeCreated [ SystemTime] 2010-11-17T00:21:34.546Z EventRecordID 31 Correlation - Execution [ ProcessID] 20048 [ ThreadID] 20468 Channel Microsoft-Windows-CAPI2/Operational Computer Server.local - Security [ UserID] S-1-5-21-308129280-903786226-1972997838-1215 - UserData - CertGetCertificateChain - Certificate [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer [ subjectName] remote.ourdomain.com ValidationTime 2010-11-17T00:21:34.544Z - AdditionalStore - Certificate [ fileRef] 7C4656C3061F7F4C0D67B319A855F60EBC11FC44.cer [ subjectName] Go Daddy Secure Certification Authority - Certificate [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer [ subjectName] remote.ourdomain.com - ExtendedKeyUsage [ orMatch] true - Usage [ oid] 1.3.6.1.5.5.7.3.1 [ name] Server Authentication - Usage [ oid] 1.3.6.1.4.1.311.10.3.3 - Usage [ oid] 2.16.840.1.113730.4.1 - Flags [ value] 0 - ChainEngineInfo [ context] user - CertificateChain [ chainRef] {7C632470-FA27-49E6-B593-B46AC5EB47B8} - TrustStatus - ErrorStatus [ value] 10 [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true - InfoStatus [ value] 100 [ CERT_TRUST_HAS_PREFERRED_ISSUER] true - ChainElement - Certificate [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer [ subjectName] remote.ourdomain.com - TrustStatus - ErrorStatus [ value] 0 - InfoStatus [ value] 102 [ CERT_TRUST_HAS_KEY_MATCH_ISSUER] true [ CERT_TRUST_HAS_PREFERRED_ISSUER] true - ApplicationUsage - Usage [ oid] 1.3.6.1.5.5.7.3.1 [ name] Server Authentication - Usage [ oid] 1.3.6.1.5.5.7.3.2 [ name] Client Authentication - IssuanceUsage - Usage [ oid] 2.16.840.1.114413.1.7.23.1 - ChainElement - Certificate [ fileRef] 7C4656C3061F7F4C0D67B319A855F60EBC11FC44.cer [ subjectName] Go Daddy Secure Certification Authority - TrustStatus - ErrorStatus [ value] 10 [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true - InfoStatus [ value] 102 [ CERT_TRUST_HAS_KEY_MATCH_ISSUER] true [ CERT_TRUST_HAS_PREFERRED_ISSUER] true ApplicationUsage - IssuanceUsage [ any] true - ChainElement - Certificate [ fileRef] 2796BAE63F1801E277261BA0D77770028F20EEE4.cer [ subjectName] Go Daddy Class 2 Certification Authority - TrustStatus - ErrorStatus [ value] 0 - InfoStatus [ value] 109 [ CERT_TRUST_HAS_EXACT_MATCH_ISSUER] true [ CERT_TRUST_IS_SELF_SIGNED] true [ CERT_TRUST_HAS_PREFERRED_ISSUER] true - ApplicationUsage - Usage [ oid] 1.3.6.1.5.5.7.3.1 [ name] Server Authentication - Usage [ oid] 1.3.6.1.5.5.7.3.2 [ name] Client Authentication - Usage [ oid] 1.3.6.1.5.5.7.3.4 [ name] Secure Email - Usage [ oid] 1.3.6.1.5.5.7.3.3 [ name] Code Signing - IssuanceUsage [ any] true - EventAuxInfo [ ProcessName] OUTLOOK.EXE - CorrelationAuxInfo [ TaskId] {879A183E-2806-4228-9FFA-6C32892DEB20} [ SeqNumber] 3 - Result The certificate is not valid for the requested usage. [ value] 800B0110

Next one: + System - Provider [ Name] Microsoft-Windows-CAPI2 [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} EventID 30 Version 0 Level 2 Task 30 Opcode 0 Keywords 0x8000000000000001 - TimeCreated [ SystemTime] 2010-11-17T00:21:34.546Z EventRecordID 32 Correlation - Execution [ ProcessID] 20048 [ ThreadID] 20468 Channel Microsoft-Windows-CAPI2/Operational Computer MRTERMS01.mrlabs.local - Security [ UserID] S-1-5-21-308129280-903786226-1972997838-1215 - UserData - CertVerifyCertificateChainPolicy - Policy [ type] CERT_CHAIN_POLICY_SSL [ constant] 4 - Certificate [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer [ subjectName] remote.ourdomain.com - CertificateChain [ chainRef] {7C632470-FA27-49E6-B593-B46AC5EB47B8} - Flags [ value] 0 - SSLAdditionalPolicyInfo [ authType] server [ serverName] remote.ourdomain.com - IgnoreFlags [ value] 100 [ SECURITY_FLAG_IGNORE_UNKNOWN_CA] true - Status [ chainIndex] 0 [ elementIndex] 1 - EventAuxInfo [ ProcessName] OUTLOOK.EXE - CorrelationAuxInfo [ TaskId] {879A183E-2806-4228-9FFA-6C32892DEB20} [ SeqNumber] 4 - Result The certificate is not valid for the requested usage. [ value] 800B0110 --------------------------------------- Next one: - System - Provider [ Name] Microsoft-Windows-CAPI2 [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} EventID 11 Version 0 Level 2 Task 11 Opcode 2 Keywords 0x8000000000000003 - TimeCreated [ SystemTime] 2010-11-17T00:32:39.740Z EventRecordID 158 Correlation - Execution [ ProcessID] 672 [ ThreadID] 776 Channel Microsoft-Windows-CAPI2/Operational Computer ourserver.local - Security [ UserID] S-1-5-20 - UserData - CertGetCertificateChain - Certificate [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer [ subjectName] ourserver.local ExtendedKeyUsage - Flags [ value] 0 - ChainEngineInfo [ context] user - CertificateChain [ chainRef] {7ED43D64-A4AE-41F9-A793-C13041EDF48D} - TrustStatus - ErrorStatus [ value] 20 [ CERT_TRUST_IS_UNTRUSTED_ROOT] true - InfoStatus [ value] 100 [ CERT_TRUST_HAS_PREFERRED_ISSUER] true - ChainElement - Certificate [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer [ subjectName] ourserver.local - TrustStatus - ErrorStatus [ value] 20 [ CERT_TRUST_IS_UNTRUSTED_ROOT] true - InfoStatus [ value] 10C [ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true [ CERT_TRUST_IS_SELF_SIGNED] true [ CERT_TRUST_HAS_PREFERRED_ISSUER] true - ApplicationUsage - Usage [ oid] 1.3.6.1.5.5.7.3.1 [ name] Server Authentication - IssuanceUsage [ any] true - EventAuxInfo [ ProcessName] lsass.exe [ impersonateToken] S-1-5-20 - CorrelationAuxInfo [ TaskId] {5DBB1E4D-E3DA-4781-8115-42E5EF360C63} [ SeqNumber] 3 - Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. [ value] 800B0109

Another one: - System - Provider [ Name] Microsoft-Windows-CAPI2 [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} EventID 41 Version 0 Level 2 Task 41 Opcode 2 Keywords 0x8000000000000005 - TimeCreated [ SystemTime] 2010-11-17T00:32:39.741Z EventRecordID 161 Correlation - Execution [ ProcessID] 672 [ ThreadID] 776 Channel Microsoft-Windows-CAPI2/Operational Computer ourserver.local - Security [ UserID] S-1-5-18 - UserData - CertVerifyRevocation - Certificate [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer [ subjectName] ourserver.local - IssuerCertificate [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer [ subjectName] ourserver.local - Flags [ value] 8 [ CERT_VERIFY_REV_SERVER_OCSP_FLAG] true - AdditionalParameters [ timeToUse] 2010-11-17T00:32:39.740Z [ currentTime] 2010-11-17T00:32:39.740Z [ urlRetrievalTimeout] PT15S - RevocationStatus [ index] 0 [ error] 80092014 [ reason] 0 - EventAuxInfo [ ProcessName] lsass.exe - CorrelationAuxInfo [ TaskId] {10DD696B-06A6-4CB0-9159-802D3FF2F7C7} [ SeqNumber] 3 - Result The certificate is not in the revocation server's database. [ value] 80092014

Last one... For now. - System - Provider [ Name] Microsoft-Windows-CAPI2 [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} EventID 41 Version 0 Level 2 Task 41 Opcode 2 Keywords 0x8000000000000005 - TimeCreated [ SystemTime] 2010-11-17T00:34:50.890Z EventRecordID 185 Correlation - Execution [ ProcessID] 1724 [ ThreadID] 21592 Channel Microsoft-Windows-CAPI2/Operational Computer ourserver.local - Security [ UserID] S-1-5-18 - UserData - CertVerifyRevocation - Certificate [ fileRef] 3DF7DF495F722105C67136836B8E7ECE0E51E66F.cer [ subjectName] Microsoft Windows - IssuerCertificate [ fileRef] 5DF0D7571B0780783960C68B78571FFD7EDAF021.cer [ subjectName] Microsoft Windows Verification PCA - Flags [ value] 2 [ CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION] true - AdditionalParameters [ timeToUse] 2008-01-19T07:45:24Z [ currentTime] 2010-11-17T00:34:50.881Z [ urlRetrievalTimeout] PT15S - RevocationStatus [ index] 0 [ error] 80092013 [ reason] 0 - EventAuxInfo [ ProcessName] spoolsv.exe - CorrelationAuxInfo [ TaskId] {BEC12C3D-B911-4519-BFE9-95E74BD4BF1A} [ SeqNumber] 6 - Result The revocation function was unable to check revocation because the revocation server was offline. [ value] 80092013