Really weird Windows Server 2008 terminal server Outlook certificate error (with only some users)
Okay, I don't usually ask questions but I've been getting nowhere on this for days now. Using Exchange 2007.
Here's the situation. I get a pop up when opening Outlook 2007 for some users when logged into the terminal server. The pop up says:
-----------------
Security Alert
remote.ourdomainname.com
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
X An unknown error occurred.
This site should not be trusted.
--------------------------------------
The only other bit of information that I can work with is that the users who get this error cannot access the website remote.ourdomainname.com in Internet Explorer.
But, some older users can log in, don't get the Outlook error, and can access that site in IE.
What the heck?
I've checked for group policy stuff, and local admin stuff... Don't know what else to do.
November 12th, 2010 11:39am
Hi,
For 2008, you can enable CAPI2 logging:
Start -> Search box, enter eventvwr
Expand Applications and Services Logs\Microsoft\Windows\CAPI2, right-click the Operational log, click Properties and check the "Enable logging" checkbox. Note that you may need to modify the maximum log file size based on the number of users on the terminal server or the amount of cryptographic service activity.
From there, please post back any errors that you are unsure how to remediate.
-- Mike Burr
November 13th, 2010 11:53am
Hi Mike,
Thanks for the response!
I do in fact have quite a few errors being logged but am unsure of how to remediate them. Here are some of the errors:
- System
  - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
  EventID 11
  Version 0
  Level 2
  Task 11
  Opcode 2
  Keywords 0x8000000000000003
  - TimeCreated
    [ SystemTime] 2010-11-17T00:21:34.546Z
  EventRecordID 31
  Correlation
  - Execution
    [ ProcessID] 20048
    [ ThreadID] 20468
  Channel Microsoft-Windows-CAPI2/Operational
  Computer Server.local
  - Security
    [ UserID] S-1-5-21-308129280-903786226-1972997838-1215
- UserData
  - CertGetCertificateChain
    - Certificate
      [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer
      [ subjectName] remote.ourdomain.com
    ValidationTime 2010-11-17T00:21:34.544Z
    - AdditionalStore
      - Certificate
        [ fileRef] 7C4656C3061F7F4C0D67B319A855F60EBC11FC44.cer
        [ subjectName] Go Daddy Secure Certification Authority
      - Certificate
        [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer
        [ subjectName] remote.ourdomain.com
    - ExtendedKeyUsage
      [ orMatch] true
      - Usage
        [ oid] 1.3.6.1.5.5.7.3.1
        [ name] Server Authentication
      - Usage
        [ oid] 1.3.6.1.4.1.311.10.3.3
      - Usage
        [ oid] 2.16.840.1.113730.4.1
    - Flags
      [ value] 0
    - ChainEngineInfo
      [ context] user
    - CertificateChain
      [ chainRef] {7C632470-FA27-49E6-B593-B46AC5EB47B8}
      - TrustStatus
        - ErrorStatus
          [ value] 10
          [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true
        - InfoStatus
          [ value] 100
          [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
      - ChainElement
        - Certificate
          [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer
          [ subjectName] remote.ourdomain.com
        - TrustStatus
          - ErrorStatus
            [ value] 0
          - InfoStatus
            [ value] 102
            [ CERT_TRUST_HAS_KEY_MATCH_ISSUER] true
            [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
        - ApplicationUsage
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.1
            [ name] Server Authentication
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.2
            [ name] Client Authentication
        - IssuanceUsage
          - Usage
            [ oid] 2.16.840.1.114413.1.7.23.1
      - ChainElement
        - Certificate
          [ fileRef] 7C4656C3061F7F4C0D67B319A855F60EBC11FC44.cer
          [ subjectName] Go Daddy Secure Certification Authority
        - TrustStatus
          - ErrorStatus
            [ value] 10
            [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true
          - InfoStatus
            [ value] 102
            [ CERT_TRUST_HAS_KEY_MATCH_ISSUER] true
            [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
        ApplicationUsage
        - IssuanceUsage
          [ any] true
      - ChainElement
        - Certificate
          [ fileRef] 2796BAE63F1801E277261BA0D77770028F20EEE4.cer
          [ subjectName] Go Daddy Class 2 Certification Authority
        - TrustStatus
          - ErrorStatus
            [ value] 0
          - InfoStatus
            [ value] 109
            [ CERT_TRUST_HAS_EXACT_MATCH_ISSUER] true
            [ CERT_TRUST_IS_SELF_SIGNED] true
            [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
        - ApplicationUsage
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.1
            [ name] Server Authentication
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.2
            [ name] Client Authentication
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.4
            [ name] Secure Email
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.3
            [ name] Code Signing
        - IssuanceUsage
          [ any] true
    - EventAuxInfo
      [ ProcessName] OUTLOOK.EXE
    - CorrelationAuxInfo
      [ TaskId] {879A183E-2806-4228-9FFA-6C32892DEB20}
      [ SeqNumber] 3
    - Result The certificate is not valid for the requested usage.
      [ value] 800B0110
November 16th, 2010 7:55pm
Next one:
+ System
  - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
  EventID 30
  Version 0
  Level 2
  Task 30
  Opcode 0
  Keywords 0x8000000000000001
  - TimeCreated
    [ SystemTime] 2010-11-17T00:21:34.546Z
  EventRecordID 32
  Correlation
  - Execution
    [ ProcessID] 20048
    [ ThreadID] 20468
  Channel Microsoft-Windows-CAPI2/Operational
  Computer MRTERMS01.mrlabs.local
  - Security
    [ UserID] S-1-5-21-308129280-903786226-1972997838-1215
- UserData
  - CertVerifyCertificateChainPolicy
    - Policy
      [ type] CERT_CHAIN_POLICY_SSL
      [ constant] 4
    - Certificate
      [ fileRef] D3A04CC1D08B66B212F0B6CC73B24D853DF28A8E.cer
      [ subjectName] remote.ourdomain.com
    - CertificateChain
      [ chainRef] {7C632470-FA27-49E6-B593-B46AC5EB47B8}
    - Flags
      [ value] 0
    - SSLAdditionalPolicyInfo
      [ authType] server
      [ serverName] remote.ourdomain.com
      - IgnoreFlags
        [ value] 100
        [ SECURITY_FLAG_IGNORE_UNKNOWN_CA] true
    - Status
      [ chainIndex] 0
      [ elementIndex] 1
    - EventAuxInfo
      [ ProcessName] OUTLOOK.EXE
    - CorrelationAuxInfo
      [ TaskId] {879A183E-2806-4228-9FFA-6C32892DEB20}
      [ SeqNumber] 4
    - Result The certificate is not valid for the requested usage.
      [ value] 800B0110
---------------------------------------
Next one:
- System
  - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
  EventID 11
  Version 0
  Level 2
  Task 11
  Opcode 2
  Keywords 0x8000000000000003
  - TimeCreated
    [ SystemTime] 2010-11-17T00:32:39.740Z
  EventRecordID 158
  Correlation
  - Execution
    [ ProcessID] 672
    [ ThreadID] 776
  Channel Microsoft-Windows-CAPI2/Operational
  Computer ourserver.local
  - Security
    [ UserID] S-1-5-20
- UserData
  - CertGetCertificateChain
    - Certificate
      [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer
      [ subjectName] ourserver.local
    ExtendedKeyUsage
    - Flags
      [ value] 0
    - ChainEngineInfo
      [ context] user
    - CertificateChain
      [ chainRef] {7ED43D64-A4AE-41F9-A793-C13041EDF48D}
      - TrustStatus
        - ErrorStatus
          [ value] 20
          [ CERT_TRUST_IS_UNTRUSTED_ROOT] true
        - InfoStatus
          [ value] 100
          [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
      - ChainElement
        - Certificate
          [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer
          [ subjectName] ourserver.local
        - TrustStatus
          - ErrorStatus
            [ value] 20
            [ CERT_TRUST_IS_UNTRUSTED_ROOT] true
          - InfoStatus
            [ value] 10C
            [ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
            [ CERT_TRUST_IS_SELF_SIGNED] true
            [ CERT_TRUST_HAS_PREFERRED_ISSUER] true
        - ApplicationUsage
          - Usage
            [ oid] 1.3.6.1.5.5.7.3.1
            [ name] Server Authentication
        - IssuanceUsage
          [ any] true
    - EventAuxInfo
      [ ProcessName] lsass.exe
      [ impersonateToken] S-1-5-20
    - CorrelationAuxInfo
      [ TaskId] {5DBB1E4D-E3DA-4781-8115-42E5EF360C63}
      [ SeqNumber] 3
    - Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
      [ value] 800B0109
November 16th, 2010 8:00pm
Another one:
- System
  - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
  EventID 41
  Version 0
  Level 2
  Task 41
  Opcode 2
  Keywords 0x8000000000000005
  - TimeCreated
    [ SystemTime] 2010-11-17T00:32:39.741Z
  EventRecordID 161
  Correlation
  - Execution
    [ ProcessID] 672
    [ ThreadID] 776
  Channel Microsoft-Windows-CAPI2/Operational
  Computer ourserver.local
  - Security
    [ UserID] S-1-5-18
- UserData
  - CertVerifyRevocation
    - Certificate
      [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer
      [ subjectName] ourserver.local
    - IssuerCertificate
      [ fileRef] 04D8DB488605053EF122EC6C43EDA96F2CBFA5BD.cer
      [ subjectName] ourserver.local
    - Flags
      [ value] 8
      [ CERT_VERIFY_REV_SERVER_OCSP_FLAG] true
    - AdditionalParameters
      [ timeToUse] 2010-11-17T00:32:39.740Z
      [ currentTime] 2010-11-17T00:32:39.740Z
      [ urlRetrievalTimeout] PT15S
    - RevocationStatus
      [ index] 0
      [ error] 80092014
      [ reason] 0
    - EventAuxInfo
      [ ProcessName] lsass.exe
    - CorrelationAuxInfo
      [ TaskId] {10DD696B-06A6-4CB0-9159-802D3FF2F7C7}
      [ SeqNumber] 3
    - Result The certificate is not in the revocation server's database.
      [ value] 80092014
November 16th, 2010 8:01pm
Last one... For now.
- System
  - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
  EventID 41
  Version 0
  Level 2
  Task 41
  Opcode 2
  Keywords 0x8000000000000005
  - TimeCreated
    [ SystemTime] 2010-11-17T00:34:50.890Z
  EventRecordID 185
  Correlation
  - Execution
    [ ProcessID] 1724
    [ ThreadID] 21592
  Channel Microsoft-Windows-CAPI2/Operational
  Computer ourserver.local
  - Security
    [ UserID] S-1-5-18
- UserData
  - CertVerifyRevocation
    - Certificate
      [ fileRef] 3DF7DF495F722105C67136836B8E7ECE0E51E66F.cer
      [ subjectName] Microsoft Windows
    - IssuerCertificate
      [ fileRef] 5DF0D7571B0780783960C68B78571FFD7EDAF021.cer
      [ subjectName] Microsoft Windows Verification PCA
    - Flags
      [ value] 2
      [ CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION] true
    - AdditionalParameters
      [ timeToUse] 2008-01-19T07:45:24Z
      [ currentTime] 2010-11-17T00:34:50.881Z
      [ urlRetrievalTimeout] PT15S
    - RevocationStatus
      [ index] 0
      [ error] 80092013
      [ reason] 0
    - EventAuxInfo
      [ ProcessName] spoolsv.exe
    - CorrelationAuxInfo
      [ TaskId] {BEC12C3D-B911-4519-BFE9-95E74BD4BF1A}
      [ SeqNumber] 6
    - Result The revocation function was unable to check revocation because the revocation server was offline.
      [ value] 80092013
November 16th, 2010 8:02pm
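Added example (not part of the original posts): a Python script that reads a CAPI2 CertGetCertificateChain event saved as XML, decodes the hexadecimal ErrorStatus and InfoStatus values, and lists which chain elements carry an error. The sample XML is constructed from the fields shown in the first event above; the exact XML layout and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# CERT_TRUST_* bit values as defined in wincrypt.h (subset).
ERROR_BITS = {0x01: "CERT_TRUST_IS_NOT_TIME_VALID",
              0x04: "CERT_TRUST_IS_REVOKED",
              0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
              0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
              0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN"}
INFO_BITS = {0x001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
             0x002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
             0x004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
             0x008: "CERT_TRUST_IS_SELF_SIGNED",
             0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER"}

# Constructed sample: trimmed XML shaped like the first event in the thread.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<UserData><CertGetCertificateChain><CertificateChain>
 <TrustStatus><ErrorStatus value="10"/><InfoStatus value="100"/></TrustStatus>
 <ChainElement><Certificate subjectName="remote.ourdomain.com"/>
  <TrustStatus><ErrorStatus value="0"/><InfoStatus value="102"/></TrustStatus>
 </ChainElement>
 <ChainElement><Certificate subjectName="Go Daddy Secure Certification Authority"/>
  <TrustStatus><ErrorStatus value="10"/><InfoStatus value="102"/></TrustStatus>
 </ChainElement>
 <ChainElement><Certificate subjectName="Go Daddy Class 2 Certification Authority"/>
  <TrustStatus><ErrorStatus value="0"/><InfoStatus value="109"/></TrustStatus>
 </ChainElement>
</CertificateChain></CertGetCertificateChain></UserData></Event>"""

def decode(hex_value, table):
    """CAPI2 logs status values as hex strings without a 0x prefix."""
    value = int(hex_value, 16)
    return [name for bit, name in sorted(table.items()) if value & bit]

def _children(parent, name):
    # Compare local names only, so the XML namespace does not matter.
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def failing_elements(event_xml):
    """Return (index, subject, error flags) for chain elements with errors."""
    root = ET.fromstring(event_xml)
    chains = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "CertificateChain"]
    found = []
    for chain in chains:
        for idx, elem in enumerate(_children(chain, "ChainElement")):
            subject = _children(elem, "Certificate")[0].get("subjectName")
            status = _children(_children(elem, "TrustStatus")[0], "ErrorStatus")[0]
            flags = decode(status.get("value", "0"), ERROR_BITS)
            if flags:
                found.append((idx, subject, flags))
    return found

if __name__ == "__main__":
    for idx, subject, flags in failing_elements(SAMPLE):
        print(idx, subject, ", ".join(flags))
```

On the constructed sample the only element with an error is index 1, the Go Daddy Secure Certification Authority intermediate, which matches the elementIndex 1 reported in the CERT_CHAIN_POLICY_SSL event; the server certificate itself reports ErrorStatus 0.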