#1 Guest
Hi All,

Posting in both SBS and general server as this applies to both.

I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication, and all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.

The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.

There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.

So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? when? what service did this?).

This raises 3 questions for me:

1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?
2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?
3) What other certificates are there for me to worry about (for domain stuff)?

Comments Appreciated

Adrian
#2 Guest
Can anyone help with this?

Adrian Marsh (NNTP) wrote:
> Hi All,
>
> Posting in both SBS and general server as this applies to both.
>
> I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication, and all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.
>
> The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.
>
> There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.
>
> So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? when? what service did this?).
>
> This raises 3 questions for me:
>
> 1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?
> 2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?
> 3) What other certificates are there for me to worry about (for domain stuff)?
>
> Comments Appreciated
>
> Adrian
#3 Guest
Inline:

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
> Hi All,
>
> Posting in both SBS and general server as this applies to both.
>
> I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication, and all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.
>
> The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.
>
> There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.
>
> So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? when? what service did this?).

DC certificates are installed whenever a significant OS change occurs. During the machine's install, for example. If you did a migration or had to do a bare metal restore, another one would've been generated. Or if you installed or re-installed the "Certificate Authority" Windows component.

> This raises 3 questions for me:
>
> 1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?

It shouldn't be, but it is easy to fix. Delete the certificates no longer in use.

> 2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?

I see no reason to revoke them. They are expired after all. Just delete them from the personal store via certificate services (not CA services).

> 3) What other certificates are there for me to worry about (for domain stuff)?

None.

> Comments Appreciated
>
> Adrian
#4 Guest
Hi Cliff,

When you say delete the certificates, do you mean on the CA server itself? Or do you mean on the clients (i.e. some Linux cache that I've not been able to find)?

I'm not 100% sure about the mechanisms used in the cert process - does the client store any details about the DC certificate it used, in a cache somewhere? From the Wireshark traces, it seems to me that the server store offers the certificate to the client upon some request, who in turn then rejects it because of the date... so it looks to me as though the client has no cache at all (which would support then just deleting the cert from the store).

Obviously deleting the cert from my domain controllers makes me a little nervous... even if they are expired...

I did revoke the certificate, but it still seems to be "offering" that expired one, which I didn't expect it to do, unless the client is specifically asking for that one, hence the questions.

Thanks,

Adrian

Cliff Galiher wrote:
> Inline:
>
> -Cliff
>
>> So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? when? what service did this?).
> DC certificates are installed whenever a significant OS change occurs. During the machine's install, for example. If you did a migration or had to do a bare metal restore, another one would've been generated. Or if you installed or re-installed the "Certificate Authority" Windows component.
>
>> 1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?
> It shouldn't be, but it is easy to fix. Delete the certificates no longer in use.
>
>> 2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?
> I see no reason to revoke them. They are expired after all. Just delete them from the personal store via certificate services (not CA services).
>
>> 3) What other certificates are there for me to worry about (for domain stuff)?
> None.
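The question Adrian is circling (which certificate does the DC actually hand out over LDAPS, and is it the expired one?) can be answered without Wireshark by opening a TLS connection and decoding the leaf certificate's Validity field. The script below is an added example, not code from this thread or from Microsoft; it uses only the Python standard library. The DC hostname given on the command line is a placeholder, `build_sample_certificate` produces a constructed, unsigned skeleton certificate (sample data, not a real DC certificate) so the check can be exercised offline, and the DER walker reads only as far as the Validity field rather than being a general X.509 parser.

```python
"""LDAPS certificate validity check (added example, stdlib only).  The DER walker
reads just enough of an X.509 certificate (RFC 5280) to reach the Validity field."""
import datetime as dt
import socket
import ssl

def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime for reference times and the constructed sample."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _decode_time(buf, tag, vs, ve):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) -> aware UTC datetime."""
    text = buf[vs:ve].decode("ascii")
    if tag == 0x17:                        # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
        yy = int(text[:2])
        text = ("19%02d" if yy >= 50 else "20%02d") % yy + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_vs, cert_ve = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = next(_children(der, cert_vs, cert_ve))  # tbsCertificate
    fields = list(_children(der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                                    # optional [0] EXPLICIT version
        fields = fields[1:]
    _, val_vs, val_ve = fields[3]   # serialNumber, signature, issuer, validity, ...
    times = [_decode_time(der, t, vs, ve) for t, vs, ve in _children(der, val_vs, val_ve)]
    return times[0], times[1]

def validity_status(der, now=None):
    """Classify a certificate at time `now` as 'expired', 'not yet valid' or 'valid'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = certificate_validity(der)
    state = "expired" if now > not_after else "not yet valid" if now < not_before else "valid"
    return {"state": state, "not_before": not_before, "not_after": not_after,
            "days_left": (not_after - now).days}

def fetch_server_certificate(host, port=636, timeout=5.0):
    """DER leaf certificate the server presents.  Verification is disabled on purpose:
    the goal is to inspect a certificate the client would otherwise reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_certificate(not_before, not_after):
    """Constructed, unsigned stand-in for a DC certificate (sample data, not a real cert):
    the Certificate/TBSCertificate skeleton with empty names and key, enough to exercise
    the same parsing path as a real DER certificate."""
    t = lambda when: _der(0x17, when.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))            # [0] version v3
           + _der(0x02, b"\x01")                      # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sigalg
           + _der(0x30, b"")                          # issuer (empty Name)
           + _der(0x30, t(not_before) + t(not_after)) # validity
           + _der(0x30, b"")                          # subject (empty Name)
           + _der(0x30, b""))                         # subjectPublicKeyInfo placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    import sys   # usage: python ldaps_cert_check.py <dc-hostname>   (hostname is a placeholder)
    print(validity_status(fetch_server_certificate(sys.argv[1])))
```

Run it against the DC from the same Linux box that is failing and compare `not_after` with the three expiry dates Adrian lists: if the server returns the 7 Aug 08 certificate, the problem is on the server's certificate selection side, not in a client cache. Two caveats: verification is deliberately switched off, so this is an inspection tool only and must never be copied into the LDAP client configuration; and a modern OpenSSL may refuse to negotiate with a Windows Server 2003 endpoint at all (old TLS version and cipher suites), in which case the Wireshark capture Adrian already has is the fallback. The complementary check on the server is the Personal store itself (Certificates (Local Computer) -> Personal -> Certificates, or `Get-ChildItem Cert:\LocalMachine\My` in PowerShell), since Cliff's advice turns on which certificates are still present there.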
#5 Guest
Deleting from the server should be sufficient.

A good caching mechanism still connects to the server and asks about pertinent file info (size, modified date, etc.) to see if the cached version is stale. If the server offers a new certificate, then obviously the cache should discard the old one.

Good luck!

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:48A3F75A.5060407@_removeme_ubiquisys.com...
> Hi Cliff,
>
> When you say delete the certificates, do you mean on the CA server itself? Or do you mean on the clients (i.e. some Linux cache that I've not been able to find)?
>
> I'm not 100% sure about the mechanisms used in the cert process - does the client store any details about the DC certificate it used, in a cache somewhere? From the Wireshark traces, it seems to me that the server store offers the certificate to the client upon some request, who in turn then rejects it because of the date... so it looks to me as though the client has no cache at all (which would support then just deleting the cert from the store).
>
> Obviously deleting the cert from my domain controllers makes me a little nervous... even if they are expired...
>
> I did revoke the certificate, but it still seems to be "offering" that expired one, which I didn't expect it to do, unless the client is specifically asking for that one, hence the questions.
>
> Thanks,
>
> Adrian
#6 Guest
Hmmm... don't seem to have that option anymore (the cert doesn't appear in the Certificates (Local Computer) under Personal -> Certificates as the current one does).

It's listed under Revoked in the CA, but I can't restore it as apparently I didn't choose "Certificate Hold" when I revoked it..

http://technet.microsoft.com/en-us/l.../cc783979.aspx

Cliff Galiher wrote:
> Deleting from the server should be sufficient.
>
> A good caching mechanism still connects to the server and asks about pertinent file info (size, modified date, etc.) to see if the cached version is stale. If the server offers a new certificate, then obviously the cache should discard the old one.
>
> Good luck!
>
> -Cliff
#7 Guest
If it isn't on your server then your server can't be offering it anymore. Might be time to start looking for cached files in a proxy server somewhere...

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...
> Hmmm... don't seem to have that option anymore (the cert doesn't appear in the Certificates (Local Computer) under Personal -> Certificates as the current one does).
>
> It's listed under Revoked in the CA, but I can't restore it as apparently I didn't choose "Certificate Hold" when I revoked it..
>
> http://technet.microsoft.com/en-us/l.../cc783979.aspx
#8 Guest
Hmmm... magically seems to have resolved itself over the weekend.

I had two devices suffering... a Konica printer doing LDAPS lookups and the CentOS (OpenLDAP) client. On Friday both were being returned the old certificate for validation (and failing)... today both work OK...

Cliff Galiher wrote:
> If it isn't on your server then your server can't be offering it anymore. Might be time to start looking for cached files in a proxy server somewhere...
#9 Guest
Hi Cliff

Damn.... It's back again...

Just to be clear... when you talk about viewing the certs themselves on the server... and you don't mean the CA (which it is in, listed as revoked), where do you mean?

Adrian Marsh (NNTP) wrote:
> Hmmm... magically seems to have resolved itself over the weekend.
>
> I had two devices suffering... a Konica printer doing LDAPS lookups and the CentOS (OpenLDAP) client. On Friday both were being returned the old certificate for validation (and failing)... today both work OK...
#10 Guest
Any chance of posting events from the event logs that might be related?
--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here: http://support.microsoft.com/kb/940439/en-us

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:48AC63F1.2070504@_removeme_ubiquisys.com...
> Hi Cliff
>
> Damn.... It's back again...
>
> Just to be clear... when you talk about viewing the certs themselves on
> the server... and you don't mean the CA (which it is in, listed as
> revoked), where do you mean?
>
>
>
> Adrian Marsh (NNTP) wrote:
>> Hmmm... magically seems to have resolved itself over the weekend.
>>
>> I had two devices suffering... a Konica printer doing LDAPS lookups and
>> the Centos (OPENLDAP) client. On Friday both were being returned the old
>> certificate for validation (and failing)... today both work ok...
>>
>>
>> Cliff Galiher wrote:
>>> If it isn't on your server then your server can't be offering it
>>> anymore. Might be time to start looking for cached files in a proxy
>>> server somewhere...
>>>
>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>> message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...
>>>> Hmmm... don't seem to have that option anymore (the cert doesn't appear
>>>> in the Certificates (Local Computer) under Personal -> Certificates as
>>>> the current one does).
>>>>
>>>> It's listed under Revoked in the CA, but I can't restore it as apparently
>>>> I didn't choose "Certificate Hold" when I revoked it..
>>>>
>>>> http://technet.microsoft.com/en-us/l.../cc783979.aspx
>>>>
>>>>
>>>> Cliff Galiher wrote:
>>>>> Deleting from the server should be sufficient.
>>>>>
>>>>> A good caching mechanism still connects to the server and asks about
>>>>> pertinent file info (size, modified date, etc) to see if the cached
>>>>> version is stale. If the server offers a new certificate, then
>>>>> obviously the cache should discard the old one.
>>>>>
>>>>> Good luck!
>>>>>
>>>>> -Cliff
>>>>>
>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>>>> message news:48A3F75A.5060407@_removeme_ubiquisys.com...
>>>>>> Hi Cliff,
>>>>>>
>>>>>> When you say delete the certificates, do you mean on the CA server
>>>>>> itself? or do you mean on the clients? (i.e. some Linux cache - that
>>>>>> I've not been able to find..)
>>>>>>
>>>>>> I'm not 100% sure about the mechanisms used in the cert process -
>>>>>> does the client store any details about the DC certificate it used, in
>>>>>> a cache somewhere? From the wireshark traces, it seems to me that
>>>>>> the Server store offers the certificate to the client upon some
>>>>>> request, who in turn then rejects it because of the date... so it
>>>>>> looks to me as though the client has no cache at all (which would
>>>>>> support then just deleting the Cert from the store).
>>>>>>
>>>>>> Obviously deleting the Cert from my domain controllers makes me a
>>>>>> little nervous... even if they are expired...
>>>>>>
>>>>>> I did revoke the certificate, but it still seems to be "offering"
>>>>>> that expired one, which I didn't expect it to do, unless the client
>>>>>> has specifically asked for that one, hence the questions.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> Cliff Galiher wrote:
>>>>>>> Inline:
>>>>>>>
>>>>>>> -Cliff
>>>>>>>
>>>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote
>>>>>>> in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Posting in both SBS and general server as this applies to both.
>>>>>>>>
>>>>>>>> I've a transition-packed SBS 2003 server, and I need to understand
>>>>>>>> the different types of certificates involved in Domain usage. For
>>>>>>>> example, yesterday I set up a linux server that makes LDAPS requests
>>>>>>>> to our SBS server for authentication, all worked fine. Today it's
>>>>>>>> failing, and when I examined the LDAPS traffic I can see it
>>>>>>>> believes the certificate has expired. Checking the certificate
>>>>>>>> identified, I find it actually has, on the 7 Aug 08.
>>>>>>>>
>>>>>>>> The certificate in question is based on the Domain Controller
>>>>>>>> (DomainController) template in the SBS CA.
>>>>>>>>
>>>>>>>> There's three of those certificates listed as Issued, expiring 18
>>>>>>>> Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$
>>>>>>>>
>>>>>>>> So as I've not created these myself, obviously SERVERNAME has done
>>>>>>>> it automatically (but how? - when? - what service did this?)
>>>>>>> DC certificates are installed whenever a significant OS change
>>>>>>> occurs. During the machine's install, for example. If you did a
>>>>>>> migration or had to do a bare metal restore, another one would've
>>>>>>> been generated. Or if you installed or re-installed the "Certificate
>>>>>>> Authority" windows component.
>>>>>>>
>>>>>>>> This raises 3 questions for me:
>>>>>>>>
>>>>>>>> 1) Why is the LDAPS lookup using the expired certificate, as
>>>>>>>> opposed to the one that's in-service.
>>>>>>> It shouldn't be, but it is easy to fix. Delete the certificates no
>>>>>>> longer in use.
>>>>>>>
>>>>>>>> 2) IMPORTANT - How to fix the issue - do I revoke the old expired
>>>>>>>> certificates? Will that break anything else? Why is the linux
>>>>>>>> server using this specific certificate?
>>>>>>> I see no reason to revoke them. They are expired after all. Just
>>>>>>> delete them from the personal store via certificate services (not CA
>>>>>>> services.)
>>>>>>>
>>>>>>>> 3) What other certificates are there for me to worry about (for
>>>>>>>> domain stuff)?
>>>>>>> None.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Comments Appreciated
>>>>>>>>
>>>>>>>>
>>>>>>>> Adrian
>>>>>>>
>>>>>
>>>
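An added example, not code from any poster in this thread, of the inventory-then-delete step Cliff describes (remove the expired certificates from the computer's Personal store, leave the CA alone). It assumes PowerShell 3.0 or later on the domain controller with the Cert: drive available, and recognises template membership through the v1 template-name extension (OID 1.3.6.1.4.1.311.20.2), which is the extension the Domain Controller template stamps into its certificates:

```powershell
<#
  Added example (not from this thread). Lists the certificates in the local
  computer's Personal store that were issued from the "DomainController"
  template, flags the expired ones, and removes those only when -Remove is
  given. Assumes PowerShell 3.0+ (Remove-Item on the Cert: drive) on the DC.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# v1 templates (the Domain Controller template is one) record their name in
# this extension as a BMPString; Format() renders it as plain text.
$templateNameOid = '1.3.6.1.4.1.311.20.2'
$now = Get-Date

$dcCerts = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid }
    if (-not $ext) { continue }
    if ($ext.Format($false).Trim() -ne 'DomainController') { continue }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
    }
}

# Report first: an expired entry here is a candidate for being offered over LDAPS.
$dcCerts | Sort-Object NotAfter | Format-Table Thumbprint, NotAfter, Expired -AutoSize

$valid   = @($dcCerts | Where-Object { -not $_.Expired })
$expired = @($dcCerts | Where-Object { $_.Expired })

if (-not $dcCerts) {
    Write-Warning 'No DomainController template certificate in Cert:\LocalMachine\My.'
}
elseif ($valid.Count -eq 0) {
    Write-Warning 'Every DC certificate is expired; enrol a new one before deleting.'
}
elseif ($Remove) {
    foreach ($c in $expired) {
        # Removes from the machine's Personal store only; the CA database is untouched.
        if ($PSCmdlet.ShouldProcess($c.Thumbprint, 'Remove expired DC certificate')) {
            Remove-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)"
        }
    }
}
```

Run it once without -Remove to see the inventory, then with `-Remove -WhatIf` to preview exactly which thumbprints would go.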
Tags: certificates, controller, domain