weird certificate/active directory/network access problem
I am having a strange problem, and I am honestly having a hard time finding a place to start troubleshooting. Maybe I can give some details and somebody can get me started in the right direction.

Environment: WAN with several remote locations connected via Ethernet. Server 2008 domain controllers (one at a remote DR location as a BDC), Exchange 2010 servers in a DAG cluster across 2 physical locations connected via 100 Mb Ethernet. Mixture of Server 2008/2003 application servers. Multiple segmented subnets for different classes of machines (phones, PCs, etc.). Mixture of XP/7 desktop clients, mostly XP.

Problem: At random times random users will get a certificate popup message, asking them to accept a certificate. The odd thing is that it is a certificate for a consultant that we use, pointing towards their mail server. This has at times been accompanied by account lockouts, and sometimes not. It has been accompanied by (or at least coincided with) mail failures, Outlook freezing and asking for credentials. We have had at least 3 instances of multiple Active Directory user accounts getting locked out (like 1/3 of our ~200 users). That actually happened before I personally ever noticed the certificate message. When a user gets the certificate error, we can go to our firewall and see that the client actually did access the mail server listed on the certificate for just a second.

Can anyone point me in the right direction, or give me something to think about?
August 13th, 2012 10:00am

> WAN with several remote locations connected via ethernet. Server 2008 domain controllers (one at a remote DR location as a BDC),

There is no primary and secondary DC. All DCs are RW except RODCs.

> We have had at least 3 instances of multiple active directory user accounts getting locked out (like 1/3 of our ~200 users). That has actually happened before I personally ever noticed the certificate message.

For the certificate message, check that the certificate is approved. If it is not from a trusted public CA, you can use group policies to validate it for clients: http://technet.microsoft.com/en-us/library/cc770315%28v=ws.10%29.aspx

Also, the certificate SHOULD include all names (DNS and NetBIOS) in use for HTTPS access to your messaging platform.

For lockout issues, I would recommend reading Paul's article about troubleshooting it: http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Windows Server 2008 Network Infrastructure, Configuration; Windows Server 2008 Applications Infrastructure, Configuration; Windows 7, Configuring; Designing and Providing Volume Licensing Solutions to Large Organizations, Microsoft Certified IT Professional: Enterprise Administrator; Server Administrator, Microsoft Certified Trainer
August 13th, 2012 10:09am
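The reply above points to lockout troubleshooting; the usual first step is to find the machine that keeps submitting the bad credentials. The following is an added example, not code from the thread or from Paul's article: it reads event 4740 from the PDC emulator's Security log and groups lockouts by the caller computer. It assumes PowerShell 2.0 or later, read access to the DC's Security log, and that account-management auditing is enabled.

```powershell
# Added example (not from the thread): find which computer is sending the
# bad credentials behind an account lockout. Windows Server 2008 DCs log
# event 4740 ("A user account was locked out") in the Security log, and the
# PDC emulator is notified of every lockout, so querying it is sufficient.
# Assumes PowerShell 2.0+, Security log read rights on the PDC, and the
# "Audit User Account Management" subcategory enabled.
function Get-LockoutSource {
    param(
        [int]$Hours = 24,
        [string]$DomainController = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            # In event 4740 the TargetDomainName field carries the "Caller Computer Name",
            # i.e. the machine that submitted the failing credentials: the real lead.
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                Source  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
            }
        }
}

# Group by the source machine: one host locking many accounts (as in the
# 1/3-of-users incident described above) points at a single misconfigured
# client, proxy or mail connector rather than at the users themselves.
Get-LockoutSource -Hours 72 |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | Select-Object -ExpandProperty Account -Unique) -join ', ' } }
```

If the source column is empty or shows a DC name, the lockout arrived via pass-through authentication from another DC, so repeat the query against that DC's own Security log.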

EXCHANGE & CREDENTIAL PROMPTS
Typically it means your Information Store jumped the gun, in most cases. Simply setting your MS EXCH Information Store service to delayed auto-startup usually resolves this so that it doesn't prompt for credentials after a reboot. Just restarting the Information Store now will fix the present issue for credential prompting.

SSL ERROR
I'm not 100% sure how your DNS is set up to give you the best suggestion on why you might be getting an HTTPS error for your Discovery hosts...

Are these self-signed certificates or are they SAN/Wildcard certs? Could you post the error or a modified example of the error? (depending on your corp. policies)

Best Regards, Steve Kline
Microsoft Certified IT Professional: Server Administrator; Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7; Microsoft Certified Product Specialist & Network Product Specialist; Red Hat Certified System Administrator; Microsoft Community Contributor Award 2011. All opinions expressed on my own behalf and not that of my company. This posting is "as is" without warranties and confers no rights.
August 13th, 2012 11:32am
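Both replies so far come back to the same question: which names does the certificate the clients are actually being shown carry, and does your own Exchange certificate cover every name (OWA, Autodiscover, internal FQDN, NetBIOS) that clients use for HTTPS? This added example, not from the thread, pulls the certificate a host serves on port 443 and lists its Subject Alternative Names; the host names in it are placeholders.

```powershell
# Added example (not from the thread): read the certificate a host serves on
# 443 and list its Subject Alternative Names, so you can see which server a
# pop-up really belongs to and whether your own Exchange names are all
# covered. Host names below are placeholders. Assumes PowerShell 2.0+.
function Get-ServedCertificateNames {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only want to read it, not trust it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            # Format($false) yields "DNS Name=a.example.com, DNS Name=b.example.com"
            $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                        ForEach-Object { $_.Groups[1].Value }
        }
        New-Object PSObject -Property @{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            SANs     = $sans
        }
    } finally { $tcp.Close() }
}

# Every name clients use for HTTPS should be in the SAN list; a name that is
# missing is exactly what produces an "accept this certificate?" prompt.
$expected = 'mail.example.com', 'autodiscover.example.com', 'cas01.corp.example.com'
$served = Get-ServedCertificateNames -HostName 'mail.example.com'
$served
$expected | Where-Object { $served.SANs -notcontains $_ } |
    ForEach-Object { Write-Warning "Name $_ is not in the served certificate's SAN list" }
```

Run it once against your own CAS/OWA name and once against the host name shown in the consultant's certificate pop-up; the Subject and Issuer output tells you immediately whether the client is reaching the intended server.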

I'd hate to post a picture of it, as it does not belong to my company. It is a valid SAN HTTPS cert though, not a self-signed one. It is NOT a certificate that is installed on our server! I don't believe the certificate is the problem; it is instead the manifestation of the problem, whatever that may be.
August 13th, 2012 2:24pm

Hi, I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support.

Regards, Kevin
TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 14th, 2012 9:36pm

You mentioned many issues such as "certificate message", lockout, mail failures, Outlook freezing and asking for credentials; I do not know if they are relative. Please let me know your main concern. What is the certificate message? Please provide a screenshot to show me the message. Thanks.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 15th, 2012 5:05am

