Solved

Server 2008 R2 Terminal server rejecting ALL certificates as invalid

Posted on 2014-11-23
4
227 Views
Last Modified: 2014-12-14
I have a 2008r2 Terminal server that is categorically rejecting ANY certificate it encounters.  Certs that I know for certain are valid.  Everything I can find is related to specific applications, but this is happening across all browsers, and every application that uses SSL.  Malware scans come up clean.  I reset the security providers using IISCrypto (https://www.nartac.com/Products/IISCrypto/), mostly out of desperation.

I'm nearly ready to roll this system back, but I'm not certain of when the behavior started.

The eventviewer is full of Event 36882 SChannel errors that state:
"The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate."

Again, this is happening with every cert encountered by the system regardless of source or issuing CA.
0
Comment
Question by:Enphyniti
  • 2
  • 2
4 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40460948
First thing I'd check is to make sure the date and time is set correctly on the server.

Next step would be to re-synchronize the Trusted Root Certificates on your server as it sounds like something has happened to your Trusted Root CAs. Click on the Microsoft Fix it link on this page underneath For Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2: http://support.microsoft.com/kb/931125
0
 
LVL 16

Assisted Solution

by:Enphyniti
Enphyniti earned 0 total points
ID: 40461001
Time and date are good.  The Fixit didn't appear to work.

What I've done as a stopgap to get things working again was to export the Trusted Root CA store from another server and import it directly on the system in question.  That appears to have mitigated the issue for now, but I fear the underlying update capability is still broken and will cause me issues down the road.

The weird thing is that these systems are all spun up off of templates and configured via policy.  All patches are applied in groups, so my source server and the server having this issue *should* be identical.

Anyway, I'll leave this open for a while in case anyone has any idea what the underlying issue is, but the fire is out for now.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40461033
OK good, at least we know the issue was with your Trusted Root CA store. My next recommendation was going to be to clear out the current certificates in your Trusted Root CA store by exporting them first, then copying over certificates from a working machine.
The weird thing is that these systems are all spun up off of templates and configured via policy.  All patches are applied in groups, so my source server and the server having this issue *should* be identical.
Only thing I can think of is if a Windows Update did not install itself correctly. It's been known from time to time that an update can break one machine but not another.

Definitely keep an eye out on this server over the next few days in case there's an issue with the certificate update mechanism on your TS.
0
 
LVL 16

Author Closing Comment

by:Enphyniti
ID: 40498676
Well, it's been a few weeks and the steps taken above are still working.  I don't know if I'll have an issue with this system at a later date or not, but for now at least, it's easier to import certs from another system than it is to dig through thousands of updates to determine if one of them needs to be re-applied.

If it continues to be a problem, I will probably scrap the system and deploy a new one.  Thanks for your help.
0

Featured Post

Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now