Compuit1
The Microsoft Firewall service terminated with service-specific error 2148081668 (0x80092004)
SBS 2003 with ISA 2004. This morning all was working fine on the network: Accounting applications, Network Drive, intranet and internet all OK. Then I noticed the Outlook client having trouble connecting to Exchange. I attempted to RDP to the SBS 2003 server and that failed.
I determined the Windows firewall will not start and appears to complain about certificates. ISA 2004 services OK and Internet Information services.
Went into the Certificates Local msc and confirmed all used certs valid and OK there too. In my effort I removed the certificates and recreated them as the Microsoft article suggested. This however has made no change to my dilemma.
Help greatly appreciated.
Rgds
Michael
ASKER
Shucks - Here is another clue from the application log. This one may be the root cause which Microsoft pointed to?
Some certificates cannot be initialized (error code -2146885628). The Web Proxy filter could not initialize. Check that all certificates used by the Web Proxy filter are valid.
How do I confirm what / which certificate is at fault?
MH
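The service error 2148081668 (0x80092004) and the Web Proxy filter's -2146885628 are the same 32-bit value, CRYPT_E_NOT_FOUND. The following added example (not part of the original thread, and assuming PowerShell 2.0 or later is installed on the server) shows the conversion and lists conditions in the local machine certificate store that are worth ruling out; which of them ISA objects to is an assumption, not something the thread establishes.

```powershell
# Added example; not from the thread. Requires PowerShell 2.0 or later (assumption).

function ConvertTo-SignedHResult {
    param([uint32]$Code)
    # Reinterpret the unsigned 32-bit service error as a signed 32-bit HRESULT.
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Code), 0)
}

# The service-specific error from the question title.
$serviceError = [uint32]2148081668
'{0} = 0x{0:X8} = {1}' -f $serviceError, (ConvertTo-SignedHResult $serviceError)
# 0x80092004 is CRYPT_E_NOT_FOUND ("Cannot find object or property").

function Test-MachineCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $problems = @()
        if (-not $_.HasPrivateKey) { $problems += 'no private key' }
        if ($now -lt $_.NotBefore) { $problems += 'not yet valid' }
        if ($now -gt $_.NotAfter)  { $problems += 'expired' }
        # Verify() builds the chain with the default policy, so an untrusted
        # issuing CA shows up here.
        if (-not $_.Verify())      { $problems += 'chain does not verify' }
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Problems   = ($problems -join '; ')
        }
    }
}

# Certificates with findings sort to the top of the table.
Test-MachineCertificate |
    Sort-Object Problems -Descending |
    Format-Table Subject, Thumbprint, NotAfter, Problems -AutoSize
```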
ASKER
Essentially I carried out the approach in this article: http://support.microsoft.com/kb/940463
and this one: http://support.microsoft.com/kb/888926.
MH
Have you scanned for Viruses or Malware?
ASKER
Using NOD32 and up to date - Will scan now for up to date report.
MH
Try a scan with Malwarebytes too.
ASKER
Yes part of the plan - However I would be surprised if it is something like a virus on this system..... But I will cover this off :-)
MH
ASKER
Just reporting Server System all clean - No bugs or issues.
MH
ASKER
Have I got this question in the right place?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Also check if the certificate authority is trusted.
SOLUTION
This solution is only available to members.
ASKER
Thank you Southmod for placing this question correctly and the comments. In my desperation I backed up ISA2004 and noticed there were some old backups of ISA that I know were operational. So I restored two of those configurations and tested after restarts etc. The fault still occurred with the Firewall service getting to about halfway through its startup then failing. I attempted the repair in SBS2003 server management console - This failed as well. Next I proceeded to uninstall ISA2004, restarted the system and installed ISA2004 SP1 fresh from CD. Did the wizard then applied ISA2004 SP3. Wonderful I now have the firewall service back. I noticed the reinstall seemed to randomly choose a local web server 192.168.45.10 instead of internal NIC 192.168.45.1. I fixed this in the Management server Change IP tool. Once all set there were a few glitches. No internet, Outlook not connecting to Exchange but the 3 local intranet websites were OK.
At this point I backed up config and was hoping a restore of original ISA2004 configuration policy rules would put everything straight. NO it failed with the same error. Quickly I reverted successfully back to previous fresh install backup of ISA2004 and continued configuration.
Status now from client systems. Internet, Outlook, access to shares and printing OK.
Still to fix: VPN, Intranet sites, and hosted websites to the Internet.
I propose to start with the certificates as I see the ISA wizard created and installed one called publishing.domainname
I will follow ColinRoyds advice for starters seeing my certificates are still valid seeing I recreated them yesterday.
ASKER
OK I found the Intranet sites not responding to ping when typing in their IP address on the local LAN. Checked DNS and resolved the Ping by adding / Binding their IP addresses to the local LAN NIC.
Then I noted that the sites still would not start in IIS websites. What I did was carry out the following:
After adding IP addresses to local LAN NIC on the SBS Server.
Using "httpcfg query iplisten" I found the Intranet websites were not listed so I added them in using the following instruction from the command line:
httpcfg set iplisten -i x.x.x.x (Where x.x.x.x is the IP of the Intranet website)
I entered each IP address in turn that I added to the local LAN NIC earlier.
At the command prompt, typed NET STOP HTTP /y, and then pressed ENTER.
Then reset IIS by typing iisreset /restart, and then press ENTER.
This left me with the Intranet websites back online and operational!
Still to fix VPN and external access to hosted websites.
MH
ASKER
Am I able to pull my old ISA2004 policy rules into my new ISA2004 installation one by one?
I believe it may help me get this headache over faster. I am still blown away as to how this whole thing could have occurred.
SOLUTION
This solution is only available to members.
ASKER
Thank you bgoering - It appears that my only choice is to manually re-create the ISA config. Attempts at restoring previous backups (which I know were in service and worked) of the ISA config break the firewall service. So to me this is looking more like a certificate thing as restores are probably referencing the old certificates resulting in the death of the firewall service?
Great external Websites and outgoing VPN are now working!
Just incoming VPN to go now then I suspect all back to normal.
Thank you for your assistance so far.
ASKER
This has been a horrible experience. OWA, OMA and VPN are finally operational - at last.
I suspect at the root of the whole issue was a certificate that broke and in the beginning the approach to recreate and issue a replacement seemed to work on the surface indicating it is trusted and so forth. In hindsight I would like to have carried out the diags recommended above but had committed the Server to an uninstall of ISA2004 already. The rebuild was difficult for me but the payoff is a tidy ISA2004 setup with plenty of backups.
Will mention this as a possibility as to why the server generated certificate may not have been successful. When submitting a Submit a Certificate Request or Renewal Request in http://servername/certsrv you must paste in the beginning and end parts of certreq.txt and of course the code fully as shown below.
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
It seemed once I did this all came together??? Your thoughts, because the documentation I found stipulated the code only.
I thank you all for your input - Much appreciated!
Rgs
MH
ASKER
Difficult to rate as I had committed past the point of testing the solutions and soldiered on to do a complete ISA2004 rebuild. Therein were some traps of its own which I worked through eg OMA virtual directory and the jolly certreq.txt. I think there is some value in my discovery however all in all a good result - Thank you.
ASKER
Cannot load an application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-
MH