It is lack of root cert updates for sure.  I can see them hitting the update 
site for MS for these in the web filter log. And the revocation site also.

https://sls.update.microsoft.com
http://crl.microsoft.com

GPO’s are virtually identical but I rechecked them.  Only diff is settings for 
auditing log on events.
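A quick way to confirm the diagnosis above on a DC next to a member server, as an added PowerShell example that is not part of the thread: it reports whether the "Turn off Automatic Root Certificates Update" policy is set (the DisableRootAutoUpdate value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, which is what a DC-specific GPO would flip), whether a Go Daddy G2 root is already in the machine Root store, and what chain status CryptoAPI reports for the vendor endpoint. The hostname is a placeholder, and the registry value name and the Go Daddy subject string are assumptions from memory rather than anything the thread states.

```powershell
# Added diagnostic (not from the mailing-list thread). Run it on a DC and on a member
# server and compare the three results; the thread's diagnosis is a difference in (1).
param(
    [string]$TargetHost = 'vendor.example.invalid',   # placeholder: the vendor's TLS endpoint
    [int]$TargetPort = 443
)

# (1) Is automatic root certificate update turned off by policy?
# Assumed value name: DisableRootAutoUpdate = 1 means the "Turn off Automatic Root
# Certificates Update" setting is enabled for this machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$autoUpdateDisabled = $false
if (Test-Path $policyKey) {
    $val = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($val -eq 1) { $autoUpdateDisabled = $true }
}
"Automatic root certificate update disabled by policy: $autoUpdateDisabled"

# (2) Is the Go Daddy G2 root already present in the machine Root store?
# Assumed subject fragment for the G2 root; adjust if the vendor chains to a different root.
$gdRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Go Daddy Root Certificate Authority - G2*' }
"Go Daddy G2 root present in LocalMachine\Root: $([bool]$gdRoots)"

# (3) Fetch the endpoint's leaf certificate and build the chain with the same CryptoAPI
# engine SChannel uses, so a missing root shows up as a named ChainStatus entry
# (e.g. PartialChain / UntrustedRoot) instead of a bare handshake failure.
$tcp = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    # Accept the certificate at the handshake only so it can be inspected; the real
    # validation is done explicitly by X509Chain.Build below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises the CRL fetch seen in the web filter log
    $ok = $chain.Build($leaf)
    "Chain builds cleanly: $ok"
    foreach ($el in $chain.ChainElements) { "  element: " + $el.Certificate.Subject }
    foreach ($st in $chain.ChainStatus)   { "  status:  $($st.Status) - $($st.StatusInformation.Trim())" }
    $ssl.Dispose()
}
catch {
    "Connection or handshake failed: $($_.Exception.Message)"
}
finally {
    if ($tcp) { $tcp.Close() }
}
```

Run it as a local administrator so the machine Root store and the policy key are readable; the chain check works without elevation. If (1) reports the policy as disabled on the DC but not on the member server, that is the GPO difference the thread describes, and the fix is to allow the root update on the DCs (or, where outbound access to the Microsoft update and CRL sites is deliberately blocked for DCs, to distribute the required roots through the GPO Trusted Root store instead of installing them by hand).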

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Monday, February 1, 2016 5:43 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

> either that or the “root certificate updates” aren’t applied to the DCs.

I'd guess this.

SChannel tracing might be helpful otherwise - 
https://support.microsoft.com/en-us/kb/260729

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Damien Solodow
Sent: Monday, February 1, 2016 3:20 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

Doubtful if they’re using GoDaddy. ;)

I’d wager you have a difference in GPO around certificates for your DCs; either 
that or the “root certificate updates” aren’t applied to the DCs.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, February 1, 2016 4:16 PM
To: 'ntsys...@lists.myitforum.com' <ntsys...@lists.myitforum.com>
Subject: [NTSysADM] DC's and certs.

So I am working with a vendor on a new product they are developing.. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺
