weird certificate/active directory/network access problem
I am having a strange problem, and I am honestly having a hard time finding a place to start troubleshooting. Maybe I can give some details and somebody can get me started in the right direction.
Environment:
WAN with several remote locations connected via ethernet. Server 2008 domain controllers (one at a remote DR location as a BDC), Exchange 2010 servers in a DAG cluster across 2 physical locations connected via 100mb ethernet. Mixture of Server 2008/2003 application servers. Multiple segmented subnets for different classes of machines (phones, PCs, etc.). Mixture of XP/7 desktop clients, mostly XP.
Problem:
At random times random users will get a certificate popup message, asking them to accept a certificate. The odd thing is that it is a certificate for a consultant that we use, pointing towards their mail server. This has at times been accompanied by account lockouts, and sometimes not. It has been accompanied by (or at least coincidentally) mail failures, Outlook freezing and asking for credentials.
We have had at least 3 instances of multiple active directory user accounts getting locked out (like 1/3 of our ~200 users). That has actually happened before I personally ever noticed the certificate message.
When a user gets the certificate error, we can go to our firewall and see where the client actually did access the mail server listed on the certificate for just a second.
Can anyone point me in the right direction, or give me something to think about?
August 13th, 2012 10:00am
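The mass lockouts described above are normally traced by finding which computer is submitting the bad passwords. The following script is an added example and not part of the thread; it assumes a Windows 7 / Server 2008 R2 management host whose account may read the Security log of the domain controller holding the PDC emulator role (lockout events, ID 4740, are always recorded there).

```powershell
# Added example (not from the thread): summarise account lockout events (4740) on
# the PDC emulator and group them by the computer that caused each lockout.
# Assumes the running account can read the DC's Security log remotely.

# Locate the PDC emulator without needing the AD module / ADWS on Server 2008 DCs.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

# In a 4740 event the locked-out account is TargetUserName (property index 0) and
# the "Caller Computer Name" is carried in the TargetDomainName field (index 1).
$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time           = $e.TimeCreated
        Account        = $e.Properties[0].Value
        CallerComputer = $e.Properties[1].Value
    }
}

"Lockouts since $since recorded on $pdc : $(@($rows).Count)"
"`nLockouts per calling computer (one source locking many accounts is the machine to inspect):"
$rows | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nMost recent 20 lockouts:"
$rows | Sort-Object Time -Descending |
    Select-Object -First 20 Time, Account, CallerComputer | Format-Table -AutoSize
```

A caller computer that appears against many different accounts within a short window (for example a server holding stale cached credentials, or a workstation with a scheduled task) is the usual explanation for lockouts affecting a third of the user base at once.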
"WAN with several remote locations connected via ethernet. Server 2008 domain controllers (one at a remote DR location as a BDC)"
There is no primary and secondary DC. All DCs are RW except RODCs.
"We have had at least 3 instances of multiple active directory user accounts getting locked out (like 1/3 of our ~200 users). That has actually happened before I personally ever noticed the certificate message."
For the certificate message, check that the certificate is approved. If it is not from a trusted public CA, you can use group policies to validate it for clients: http://technet.microsoft.com/en-us/library/cc770315%28v=ws.10%29.aspx
Also, the certificate SHOULD include all names (DNS and NetBIOS) in use for HTTPS access to your messaging platform.
For lockout issues, I would recommend reading Paul's article about its troubleshooting: http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx
August 13th, 2012 10:09am
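The reply above says the certificate should cover every DNS and NetBIOS name clients use over HTTPS. This added example (not code from the thread or from Microsoft) checks that, in the Exchange 2010 Management Shell, by comparing the hostnames published to Outlook and Autodiscover clients against the names on the certificate enabled for IIS; it assumes the standard Exchange 2010 cmdlets and a single CAS-site configuration.

```powershell
# Added example (not from the thread): list every HTTPS hostname Exchange 2010
# hands to clients and report those missing from the IIS-enabled certificate.
# Run in the Exchange Management Shell on a Client Access Server.

# Hostnames published through Autodiscover and the client-facing virtual directories.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OabVirtualDirectory        | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory        | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]$_).Host.ToLower() }

# Outlook Anywhere publishes a bare hostname rather than a URL.
$hosts += Get-OutlookAnywhere | ForEach-Object { "$($_.ExternalHostname)".ToLower() }
$hosts = $hosts | Where-Object { $_ } | Sort-Object -Unique

# Subject/SAN names on certificates actually bound to IIS (the HTTPS listener).
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

foreach ($h in $hosts) {
    # A wildcard entry (*.example.com) covers one label to its left only.
    $labels = $h.Split('.')
    $wildcard = if ($labels.Length -gt 1) { '*.' + ($labels[1..($labels.Length - 1)] -join '.') } else { $null }
    if ($certNames -contains $h -or ($wildcard -and $certNames -contains $wildcard)) {
        "OK       $h"
    } else {
        "MISSING  $h   (clients connecting with this name will get a certificate warning)"
    }
}
```

Any name reported MISSING (a short NetBIOS name such as a bare server name is the common one) will produce a certificate prompt for clients that are directed to it, independent of whether the certificate itself is trusted.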
EXCHANGE & CREDENTIAL PROMPTS
Typically it means your Information Store jumped the gun, in most cases. Simply setting your MS EXCH InformationStore service to delayed auto-startup usually resolves this so that it doesn't prompt for credentials after a reboot. Just restarting the information store now will fix the present issue for credential prompting.
SSL ERROR
I'm not 100% sure how your DNS is set up to give you the best suggestion on why you might be getting an HTTPS error for your Discovery hosts... Are these self-signed certificates or are they SAN/Wildcard certs?
Could you post the error or a modified example of the error? (depending on your corp. policies)
Best Regards,
Steve Kline
August 13th, 2012 11:32am
I'd hate to post a picture of it, as it does not belong to my company. It is a valid SAN HTTPS cert though, not a self-signed one. It is NOT a certificate that is installed on our server!
I don't believe the certificate is the problem; it is instead the manifestation of the problem, whatever that may be.
August 13th, 2012 2:24pm
Hi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Regards
Kevin
TechNet Subscriber Support
August 14th, 2012 9:36pm
You mentioned many issues such as "certificate message", lockout, mail failures, Outlook freezing and asking for credentials; I do not know if they are related. Please let me know your main concern.
What is the certificate message? Please provide a screenshot to show me the message. Thanks.
August 15th, 2012 5:05am