domain controller certificate issue
Hello,
While attempting to log on, users receive a message indicating the revocation status of the domain controller certificate could not be determined. This occurs with one domain controller.
Our Enterprise Administrators recently replaced the domain controller certificate from a SHA-1 signed certificate to a SHA-2 signed certificate. I know they revoked and then deleted the third-party domain controller certificate prior to requesting and installing the new certificate. Tumbleweed Desktop Validator is installed on both the domain controllers and the client machines.
The event log for Tumbleweed on the client machines indicates the domain controller is presenting the revoked, deleted certificate to client machines. The CAPI stores were first checked using the Certificates snap-in on the MMC and only one certificate was present. However, running the command certutil -viewdelstore my displayed the older certificate and it was selected for deletion. Also, the registry was checked to see if there was a remnant of the previous certificate and it was not found; the key we looked at was HKLM/Microsoft/Windows/...System Certificates/My.
If anyone knows of other places to look or why we are experiencing the issue your assistance would be appreciated.
Thank you for your time and consideration.
MagikD
July 14th, 2011 6:52am
Is the DC certificate issued by an ADCS enterprise CA or a third-party CA? Do all other DCs have a certificate from the same issuer with the same class/type/template/policy?
If the issuer is not an ADCS enterprise CA and the revocation information in terms of CRL and/or OCSP are not available internally then you might want to check if the availability of revocation information might be the problem.
/Hasain
July 14th, 2011 7:36am
Hello,
to Hasain:
Third party certificate as stated.
All certificates come from the same certificate provider.
The domain controller is presenting the old certificate so I am not sure how CRL or OCSP availability comes into the equation here.
The reason we receive the message stating the revocation status of the domain controller certificate could not be determined is because Tumbleweed is not configured to validate that certificate/chain.
The problem is the domain controller is presenting the old, deleted and revoked certificate and we need to find out why and how to correct it. If the domain controller presented the correct certificate we would not be having the problem, as Tumbleweed is configured to validate that certificate/chain.
Thank you.
MagikD
July 14th, 2011 9:50am
MagikD
If your clients are running Windows XP or Server 2003 this article may help
http://support.microsoft.com/kb/968730.
Thanks,
L Wurzbacher
July 14th, 2011 11:10am
MagikD,
We can drop the revocation information as all other DCs have a certificate from the same issuer and are working properly.
Have you simply restarted the DC to force the service holding the old certificate to reload and use the new one?
/Hasain
July 14th, 2011 12:10pm
Hello,
We tried restarting the computer thinking that would force the server to use the newly installed certificate but that did not work for us. Our thinking was that the certificate became corrupt.
The fix:
The certificate was deleted from the local store using certutil. The server was then rebooted. Previously the certificate was installed through the MMC Certificates snap-in, but this time certutil was used to re-install the certificate from a backup. After the certificate was re-installed, the server was rebooted.
The domain controller is now serving up the proper certificate.
Thank you for the replies.
MagikD
July 18th, 2011 9:33am
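The checks the original post describes (what is in the DC's machine store versus what the DC actually hands to clients) and the verification that the fix in the last post took effect can both be scripted. The following PowerShell is an added example and is not code from the thread or from any of the tools named in it. It assumes a placeholder DC name (dc01.example.internal) and that the store listing is run on the DC itself, or through PowerShell remoting, so that Cert:\LocalMachine\My is the DC's own store. The LDAPS handshake deliberately accepts whatever certificate the server sends, because the point is to observe it; trust and revocation are then evaluated separately with an X509Chain set to online revocation checking, which reports the same conditions a client would see.

```powershell
# Added example, not from the thread. Compare the certificate a domain controller
# presents over LDAPS with the contents of its LocalMachine\My store, and report
# how that presented certificate fares under online revocation checking.
# Assumptions: the DC name and port below are placeholders; run the store section
# on the DC itself (or via Invoke-Command) so Cert:\LocalMachine\My is the DC's store.
param(
    [string]$DomainController = 'dc01.example.internal',   # assumption: replace with your DC
    [int]$Port = 636                                        # LDAPS
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept every certificate during this handshake: the goal is to see what the
        # server sends, not to trust it. Trust is evaluated separately below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Build the chain with online revocation checking so a revoked certificate, or one
    # whose revocation status cannot be determined, is reported the way a client sees it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        ChainValid = $ok
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. What the DC actually presents on the wire
$presented = Get-PresentedCertificate -HostName $DomainController -Port $Port
"Certificate presented by {0}:" -f $DomainController
$presented | Select-Object Subject, Thumbprint,
    @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }, NotBefore, NotAfter | Format-List
Test-CertificateRevocation -Certificate $presented

# 2. What the DC's machine store contains (run this part on the DC)
$store = @(Get-ChildItem Cert:\LocalMachine\My)
"LocalMachine\My contains {0} certificate(s):" -f $store.Count
$store | Select-Object Subject, Thumbprint,
    @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }, NotAfter | Format-Table -AutoSize

# 3. Reconcile the two: a presented certificate that is absent from the store is the
#    symptom described in the thread, and the thumbprint is what to look for elsewhere.
$match = $store | Where-Object { $_.Thumbprint -eq $presented.Thumbprint }
if ($match) {
    "Presented certificate {0} is in LocalMachine\My." -f $presented.Thumbprint
} else {
    "Presented certificate {0} is NOT in LocalMachine\My; compare against 'certutil -viewdelstore my'." -f $presented.Thumbprint
}
```

Run it before and after the remediation: before, the thumbprint in section 1 should be the revoked certificate's and the chain status should report a revocation problem; after a correct re-install and reboot, section 1 should show the SHA-2 certificate's thumbprint, section 3 should report a match, and the chain should build with an empty status. The SigAlg column makes the SHA-1 versus SHA-2 replacement visible at a glance.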