How to fix?

Just started getting this as part of failures of shadow protect on all desktops saving continuous incrementals to a share on SBS 2011 standard server.

An untrusted certificate authority was detected While processing the smartcard certificate used for authentication.

Any advice?

BeGentleWithMe-INeedHelp (Author) Commented:
Oh! There are no smart card logins being done on the network. Just the typical user/password / domain login from these Win 7 machines that are in the same office / LAN as the server.
BeGentleWithMe-INeedHelp (Author) Commented:
Here's the full text of the failure log:

Randazzo B-PC2 Backup report:
31-Jan-2016 15:30:00 service 100 service (build 59) started job by incremental trigger
31-Jan-2016 15:30:00 service 104 5.2.3.37285 92A8-439C yXhIgXhtputN/TYx5c4mhw== 1057-4E4B-5E3C-9DA0-5F23-001C-C06B-30F9
31-Jan-2016 15:30:00 service 509 Cannot get access to destination object
31-Jan-2016 15:30:00 service 101 Cannot execute job (An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator. 0x80090352(2148074322))
andreas (System Admin) Commented:
Could have many reasons.

1. Check time and DATE on all systems.
2. Check trust chain of the certificate of the smart cards to see if all certificates are still trusted and not revoked/expired.
3. Check if an operating system update was installed recently. Sometimes Windows updates remove root CAs if they are broken/untrustworthy.
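
The second check above, as an added example that is not part of the thread: a Windows PowerShell script to run on the server and on an affected desktop. It lists LocalMachine certificates that are expired, close to expiry, or whose chain does not build to a trusted root. The 30-day warning window and the store list are assumptions.

```powershell
# Added example (not from the thread): flag expired or untrusted machine certificates.
# $WarnDays and the store list are assumptions; adjust for your environment.
param([int]$WarnDays = 30, [string[]]$Stores = @('My', 'Root', 'CA'))

function Get-ValidityState($Cert, [datetime]$Now, [int]$Days) {
    if ($Cert.NotBefore -gt $Now)                { return 'NOT-YET-VALID' }
    if ($Cert.NotAfter  -lt $Now)                { return 'EXPIRED' }
    if ($Cert.NotAfter  -lt $Now.AddDays($Days)) { return 'EXPIRING' }
    return 'ok'
}

function Get-ChainStatus($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck keeps the audit offline; set 'Online' to include CRL revocation checks.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($Cert)) { return 'trusted' }
    # Otherwise report the chain flags, e.g. UntrustedRoot, NotTimeValid, PartialChain.
    return (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

$now = Get-Date
$rows = foreach ($store in $Stores) {
    foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$store") {
        New-Object PSObject -Property @{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            Validity   = Get-ValidityState $cert $now $WarnDays
            Chain      = Get-ChainStatus $cert
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Show only certificates that need attention, soonest expiry first.
$rows | Where-Object { $_.Validity -ne 'ok' -or $_.Chain -ne 'trusted' } |
    Sort-Object NotAfter |
    Format-Table Store, Validity, Chain, SelfSigned, NotAfter, Subject -AutoSize
```

A certificate that has passed its NotAfter date shows up with Validity EXPIRED, and one issued by a CA the machine does not trust shows a Chain value such as UntrustedRoot.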


BeGentleWithMe-INeedHelp (Author) Commented:
The date / time is correct.

Poking around places I've rarely been to on the server, I see a self-signed cert that expired 1/31/16 - today, when the problem started.

Somewhere on the web I saw that you should run the fix my network wizard. Did that, rebooted server and still getting that error.

Quite some time ago I got a message from GoDaddy about a cert we have with them that should be rekeyed (from sha1 to sha2?) (if you go to remote.ourdomain.com the browser balks at the certificate). I did the rekey and now the browser is happy with the cert.

But the desktop to server connection is using a different cert? How to fix that message that 'an untrusted certificate authority was detected'.

And by the way, is there a place you can point me to to learn about certs? intermediate, primary, self certs, my head hurts.
R. Andrew Koffron (owner) Commented:
If you're running self-signed, I would expect the typical response is going to be just buy a valid external cert and install it via the network / connectivity "add a trusted certificate" wizard.
I've always run SBS2011 servers on GoDaddy or RapidSSL certs. It's pretty easy, and in my case worth the bit of money it costs. I know it's not really a direct answer to the question. At the end of the day, my time is worth more than the cert costs.
BeGentleWithMe-INeedHelp (Author) Commented:
time > $$   certainly!

So I have an external cert from GoDaddy that I just rekeyed / reinstalled.

I'm still getting that non-trusted cert authority message when trying to access the server share from the desktop (using username / password credentials stored in shadow protect; the username / password are NOT the user). Do I delete any local certs? How do I stop having the server itself be the non-trusted cert authority? (I guess that's what the message is meaning? The server itself is not trusted?)
R. Andrew Koffron (owner) Commented:
check your bindings in the IIS default web site.
there's usually 2, 127.0.0.1 and "*"
BeGentleWithMe-INeedHelp (Author) Commented:
I went into admin tools IIS manager, clicked on default web site on left, then in the right column clicked on edit site / bindings. Here's what it looked like. 8 entries, not 2.

after doing that screen capture,

I wound up starting the admin tools / certificate authority.

in there, clicked on the server name on left.  then right click choose all tasks / renew CA authority.

under properties for the server, there's 2 certs. both are current, 1 was created today.

I really need to do this at night to go from a user PC to see if I broke something / fixed something.

>>>>  I'm just wandering around the different interfaces. Is there a way to learn what all this certificate stuff means / how it works / what I want to do?

do these things look right?

under the server, there's

revoked certs - blank
issued certs - 14 different ones. 11 have expired dates (can I delete them?)
Pending certs - blank
failed requests - 16, request dates 2012 to 2015.  Can I delete these?
certificate templates - 11 of these. I have no clue when these would be needed  / what I would do with them.
BeGentleWithMe-INeedHelp (Author) Commented:
http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx

http://blogs.technet.com/b/xdot509/archive/2013/05/10/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database.aspx

OK to delete failed & pending. Can you do it through the UI or have to use the command line?

certutil -deleterow <today's date in mm/dd/yyyy format> request
BeGentleWithMe-INeedHelp (Author) Commented:
OK, I deleted failed, pending and expired from the command line (no option to do it in the GUI it seems.)

In this picture, can I delete cert 0 since cert 1 will expire later and seems to do the same thing as 0?

But we're still dealing with self-signed certs here, right? Do I need both certs?