Client Communication Issues when attempting to retire old ADCS Certificate Authority
Hi,
SCCM 2012 R2 running on 2008R2. Single site.
We've been migrating our environment to a new SHA2 Microsoft CA and we're seeing issues when attempting to retire our old SHA1 CA server.
We've had a fully functioning PKI integrated SCCM environment for some time. No issues. All our clients have client certificates deployed via group policy.
We've spun up a new CA and installed new SHA2 distribution point and webserver certificates on the SCCM server.
We have added the new Root CA certificate to the trusted list in the site properties (both are now listed).
We have confirmed that new machine builds are receiving SHA2 client computer certificates via group policy.
Everything runs happily with the two CA servers configured and running. We would like to retire the old CA server but when we shut it down we find that all older clients (with the SHA1 cert) stop communicating with the management point.
Clients with the newer SHA2 computer certs continue to function. We assumed that the old CA server didn't have to be running for the SHA1 certs to still function. Are we incorrect?
Anyone able to explain what's happening?
Cheers!
Hi Jason,
No, we don't have CRL checking enabled in the SCCM site settings. As I understand it that tells the clients to check the site server against the CRL?
We think the issue is due to IIS attempting to check the client certificates against the CRL on the old CA (which is currently turned off).
For now we've temporarily disabled CRL checking in IIS while we attempt to migrate the old CRL to the new CA. All our clients are now talking happily to the management point.
All good. Cheers.
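An added example, not part of the original posts: a PowerShell function that lists the CRL distribution point (CDP) URLs embedded in a certificate and reports whether an online revocation check can complete from the machine it runs on, which is the check that fails once the CRL location named in the old certificates stops answering. The function name Test-CertRevocationPath and the 15-second timeout are illustrative assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Run it on the machine that validates the
# certificates, for instance the server hosting IIS, or on a client to inspect
# the certificate it presents.
function Test-CertRevocationPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumed default; raise it on slow links.
        [int]$TimeoutSeconds = 15
    )
    process {
        # CRL Distribution Points extension (OID 2.5.29.31). Reading URL= entries
        # from the formatted text is a heuristic, not a full ASN.1 decode.
        $cdpUrls = @()
        $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) {
            $cdpUrls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }

        # Build the chain with online revocation checking, so an unreachable or
        # expired CRL shows up in the chain status instead of being ignored.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode      = 'Online'
        $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $chainOk = $chain.Build($Certificate)
        $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Issuer             = $Certificate.Issuer
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            NotAfter           = $Certificate.NotAfter
            CdpUrls            = $cdpUrls
            ChainValid         = $chainOk
            # Either flag means the revocation status could not be determined.
            RevocationOffline  = ($flags -contains 'OfflineRevocation') -or
                                 ($flags -contains 'RevocationStatusUnknown')
            ChainStatus        = $flags -join ', '
        }
    }
}

# Certificates in the machine store whose revocation status cannot be checked now.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-CertRevocationPath |
    Where-Object { $_.RevocationOffline } |
    Format-List Subject, Issuer, SignatureAlgorithm, NotAfter, CdpUrls, ChainStatus

# HTTP.sys bindings, including whether client certificate revocation checking
# is enabled on each one.
netsh http show sslcert
```

Windows caches downloaded CRLs, so the check can keep passing until the cached CRL expires; a clean result shortly after the old CA goes offline does not prove its CDP is still being served.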
Similar Messages
-
HT4907 Password Issue when attempting to enable Back to My Mac in iCloud Preferences - HELP?
Since upgrading to Mountain Lion, I have a problem enabling Back to My Mac. When I try and enable B2MM in the iCloud preferences window, I am asked to enter my Apple ID password. It says the password is incorrect, even though it IS 100% correct. I've even tried resetting my password (so that the password lives up to the latest security requirements for passwords, etc). So, it's definitely correct, and I'm able to login to my Apple account here (on this Apple laptop as well as on my iPad and iPhone)... it's not an issue when I log in anywhere else... I am only told my password is incorrect when attempting to enable Back to My Mac in the iCloud preferences pane.
Help?
Many thanks!
Do these make installation of memeo superfluous? Would I need memeo for daily back up?
From what I gather, you couldn't pay me to use Memeo, nor actually a Seagate enclosure, nor many USB only drives, (USB is not bootable on PPC Macs).
I've used maybe a few dozen backup Apps on the Mac, and I'd personally judge only Apple's Time Machine worse than that one.
If you had it to do all over again, you'd get a case with Firewire, one with an Oxford chipset, not containing a Green Drive, not a Seagate Drive, not less than 7200 RPM drive, & a 32MB Cache, not with a One-Button touch feature, ( not a Bus powered drive like...
http://eshop.macsales.com/item/Newer%20Technology/MS3S7W20TB32/
http://eshop.macsales.com/item/Other%20World%20Computing/ME8QW7W20TB/
I searched hard for answers , not aware of this devoted community. What a wonderful discovery.
Great to hear & that you found us, tons of devoted, unselfish helpers here too!
So where are we now on the Drive?
Does it show up in Disk Utility? Can you repair it there? -
Memory issue when attempting to open a downloaded ...
When attempting to open a downloaded image, I get this message 'IMAGE VEWER: Memory full. Close some applications and try again'.
What could be the issue & how do I solve this?
Thanks
I assume re-transferring the image didn't help?
Under normal circumstances, a 1.3 MB image can't be a problem, since the camera takes pictures around that size. But the phone doesn't have limitless memory, so the image viewer will have some limitations. I was able to duplicate your error just now, but only with an 8.4 MB image I found through Google Images. The resolution was 3880 x 2432 x 24 bit. If you view the image on a computer, maybe that innocent 1.3 MB file translates into something of similar size, or perhaps it uses an unusual bit depth? Given the size, that still seems far-fetched, but short of an image viewer bug, that's the only possibility that comes to mind.
If this is the case and you do need to keep the picture accessible, you'd want to load it into a Photoshop-like program and either crop it, add additional compression, or reduce the bit depth. Good luck! -
Bootcamp Issues when attempting to install Windows 7
Please excuse my ignorance.... new to Apple after using Windows for ever.
I am attempting to install Windows 7 on my new MacBook Pro 13" purchased 4 days ago. I follow the instructions from following tutorials on UTube however do not get the option to divide my OS into a mac portion and a windows portion.
I have got the original Windows 7 disc have also created an ISO version, and have formatted a USB to be MS-DOS Fat. Still no luck
On the tutorials, it states to open up Bootcamp, then divide the partitions for Windows / Mac, then load up your Windows 7 disc.
This does not happen on my bootcamp.
I'm asked to create an ISO of Windows 7, which I have done
Then asked to download the latest Windows support software for Apple - which starts - but never ends
Then when attempting the third section, installing Windows 7 I get an error message stating please install the installation disc and wait a few seconds
I am using the Bootcamp that was included with my purchase of the MacBook Pro. Should I search for another one - although I appear to be up to date with applications.
I am doing this in order to use CorelDRAW via windows on my mac for my small business. Any help would be most appreciated, and please no smart comments as i am really struggling here and everything appears to be simple, but is not.
Thanks in Advance
TechSpaz73
Far from City Support from Apple
same problem here!
No device drivers were found. Make Sure that the installation media contains the correct drivers, and then click ok. -
Issues when attempting to create a new 2012 R2 forest through powershell
Hello,
I've been writing a script to automate the installation of some new servers, however I'm experiencing an issue when I'm coming to create the forest, for some reason the $DomainName and $ADSecPwd variables are not being passed to the Install-ADDSForest function. The $DomainName and $ADSecPwd variables are defined at the top of the script.
When viewing the variables right before execution I can see that they store the right values, however when executing the code PowerShell throws an exception saying that the DomainName parameter cannot be null. The same is true for the SafeModePassword.
If I hard code the domainname and password then it works, but I don't want to do this, as I'm going to use this script in multiple domains.
Another issue I have is that the paths are not being created on the specified 'F:\...' drive, instead they are being created in the default location on the C: drive.
Below is a copy of the function I'm using. Anyone have any ideas why this isn't working as expected?
function Install_ADForest ($uri, $localcredentials, $DomainName, $ADSecPwd) {
    Invoke-Command -ConnectionUri $uri -Credential $localCredentials -ScriptBlock {
        Install-ADDSForest `
            -DomainMode Win2012R2 `
            -ForestMode Win2012R2 `
            -DatabasePath "F:\Windows\NTDS" `
            -SysvolPath "F:\Windows\SYSVOL" `
            -LogPath "F:\Windows\Logs" `
            -NoRebootOnCompletion:$true `
            -DomainName $DomainName `
            -SafeModeAdministratorPassword $ADSecPwd
    }
}
Marcus
Hi Marcus,
that is because the Invoke-Command is executed on a remote system that does not know the variables in the function. You need to pass them into the scriptblock as arguments like this:
function Install_ADForest ($uri, $localcredentials, $DomainName, $ADSecPwd) {
    # The script block runs on the remote system, so the local values are
    # handed over with -ArgumentList and received by the Param block.
    Invoke-Command -ConnectionUri $uri -Credential $localCredentials -ArgumentList @($DomainName, $ADSecPwd) -ScriptBlock {
        Param (
            $DomainName,
            $ADSecPwd
        )
        Install-ADDSForest `
            -DomainMode Win2012R2 `
            -ForestMode Win2012R2 `
            -DatabasePath "F:\Windows\NTDS" `
            -SysvolPath "F:\Windows\SYSVOL" `
            -LogPath "F:\Windows\Logs" `
            -NoRebootOnCompletion:$true `
            -DomainName $DomainName `
            -SafeModeAdministratorPassword $ADSecPwd
    }
}
Cheers,
Fred
There's no place like 127.0.0.1 -
Wireless Client Authentication issues when roaming Access Points (Local)
I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
There are a handful of clients that, when roaming between APs with the same SSID, get an authentication issue and have to restart the wireless to get back on.
From Cisco ISE:
Event: 5400 Authentication failed
Failure Reason: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution: Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause: While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (Windows 7) then why does it work at other times? So I have checked and the ISE certificate is trusted by the client.
Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
I also had this from Splunk for the same client:
Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
Any help on this would be appreciated. These error messages give me an idea but don't give me the exact answer to why the problem occurred and what needs to be done to fix it.
Thanks
Further detail from ISE for the failure:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject -
How to resolve password issue when attempting file sharing?
I have an Imac with os9.2.2 and a ClamShell ibook with os8.6. Until recently I have been able to file share, using an ethernet cable, without using a password.
When I go into Chooser on either machine and click on file server, eg. "Imac", I get a message to effect that the password is not recognized. I have tried to create a "new" password, but I cannot provide an "old" password.
How do I get around this or create a new password and move on?
Any help would be appreciated.
Imac Mac OS 9.2.x
Go to the Users and Groups tab in the FileSharing
control panel on machine number one. There you (as
the 'owner') will name the permitted User(s)—whatever
name you want to use— and you'll give him/her a
password—whatever you like or nothing at all.
Do the same on machine number two.
Since you own both machines, you can erase any
previous users with defective passwords. Or just
change their passwords.
If the Owner of each machine is the very same name on
each and if you haven't established a password for
the Owner(yourself), then you should be able to log
in as the Owner w/o a password. Presumably this was
what you had. Did you change the owner's name on
either machine?
If you're not worried about security, letting Guests
have access could also be password-free.
Ed,
Thank you for your help; file sharing is now operating between those machines.
I have now added another computer(OSX Tiger) to the network.
I am having similar problems getting file sharing to work. The new machine is owned by my wife. I added a name for her computer in the Users and Groups on the 9.2 machine. Her machine seems to recognize the old machine. But when I attempt to connect from either machine I get the "cannot connect" message.
Apple Help for the new machine suggests that a connection can only be done from the 9.2 machine.
Any suggestions? Perhaps this is not fair to add another question. Let me know if you would prefer that I post a new question.
Thanks again.
Bill
Imac Mac OS 9.2.x -
STMS transport issue when attempting to release in SE10
Hi guys,
I have set up a new system, with DEV as the controller, and the shared transport being on the DEV box.
The HR people have tried to use the system for creating transports from DEV > QA with the following 2 issues :
Issue 1:
When a table entry is created, and saved, there is usually a "request for transport" window that pops up. This does not appear.
However, we are able to force the transport, which leads us to the second problem.
Issue 2:
When a new table entry is created and included in the request, it says the entries are included in the task, but when referencing the transport in SE10, the relevant entry cannot be seen under the specified task.
I.e. In SE10 there is the transport number, but there is no 'plus' underneath it for me to release.
Could anybody give me some input?
Thanks.
Brad
Hello Brad,
A few clarifications.
First could you please confirm that the client settings are set up so that changes are automatically recorded?
If not go to transaction SCC4 and double click the customizing client.
In "Changes and transports for client specific objects" set the option to: automatic recording of changes
For your second issue where your HR guys were trying to create a manual request, ask them to create the request first in SE01. Then go to SE10. (The user ID should be of the person who created the request) Click on display.
Select the request (which was created) and use the menu option REQUEST>OBJECT LIST>INCLUDE OBJECTS.
This way the objects can be manually entered into a request.
Regards,
Prashant -
SCCM 2012 Client Communication Issue with SCCM 2007
My Clients was installed SCCM 2007 client version but somehow those clients reporting to SCCM 2012 Server
Note : My SCCM 2007 Server still active mode . and the SCCM 2007 client IP boundaries was not added into SCCM 2012 server
But still communicating to SCCM 2012 , what is the root cause ?
Best Regards, Krishna
Either, during the client installation the client was manually assigned to the ConfigMgr 2012 site (by specifying the site code), or during the client installation the client was auto assigned to the ConfigMgr 2012 site (that can only happen when there is an overlap in the boundaries and that doesn't have to be the same type of boundary).
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude -
Client access issues when mailboxes are mounted on a specific mailbox server
One of our 3 mailbox servers gives us an error when mailbox databases are mounted on it.
All web services are not functioning properly, there is an event log error for each web service web.config file saying file not found, If I open each web.config file and look at the line in question they all point to:
<assemblies>
<add assembly="Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</assemblies>
Does anyone know what this is pointing at or what my server is missing?
It is Exchange 2013 Sp1 RU7 as are my other 2 mbx servers which work fine...
all pre-req's are installed as I double checked and no difference between the 3 mbx servers that I can see...
***Don't forget to mark helpful or answer***
IIS error
=== Pre-bind state information ===
LOG: DisplayName = Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
(Fully-specified)
LOG: Appbase = file:///C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/Autodiscover/
LOG: Initial PrivatePath = C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Autodiscover\bin
Calling assembly : (Unknown).
===
LOG: This bind starts in default load context.
LOG: Using application configuration file: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Autodiscover\web.config
LOG: Using host configuration file: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.config
LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config.
LOG: Post-policy reference: Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
LOG: Attempting download of new URL file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/autodiscover/b455e468/cbaac37d/Microsoft.Exchange.Security.DLL.
LOG: Attempting download of new URL file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/autodiscover/b455e468/cbaac37d/Microsoft.Exchange.Security/Microsoft.Exchange.Security.DLL.
LOG: Attempting download of new URL file:///C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/Autodiscover/bin/Microsoft.Exchange.Security.DLL.
LOG: Attempting download of new URL file:///C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/Autodiscover/bin/Microsoft.Exchange.Security/Microsoft.Exchange.Security.DLL.
LOG: Attempting download of new URL file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/autodiscover/b455e468/cbaac37d/Microsoft.Exchange.Security.EXE.
LOG: Attempting download of new URL file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/autodiscover/b455e468/cbaac37d/Microsoft.Exchange.Security/Microsoft.Exchange.Security.EXE.
LOG: Attempting download of new URL file:///C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/Autodiscover/bin/Microsoft.Exchange.Security.EXE.
LOG: Attempting download of new URL file:///C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/Autodiscover/bin/Microsoft.Exchange.Security/Microsoft.Exchange.Security.EXE.
***Don't forget to mark helpful or answer*** -
HT4790 Disk space seems to be an issue when attempting to use Firevault 2.0
This error occurs when selecting to Turn off Legacy FireVault.
Temporarily copy all or most of the files in your home folder to another volume, such as an external drive. Delete the original (that includes emptying the Trash.) Log out and log back in. You should then be able to deactivate legacy FileVault. Move the files back where they were.
-
Mac Book Pro version (10.6.i) Snow Leopard.
I am an inexperienced user and recently acquired Final Cut Pro to supplement my iMovie application.
My question is - How can I instruct F C Pro to automatically convert 4:9 aspect material (old cine and standard 8 recordings) to 16:9 aspect.
At the moment I am adjusting each clip manually to fit 16:9, not a very good way to proceed! I have no problem with iMovie in this respect and wonder if F C Pro offers the same facility? Cannot find any clues either from Apple store or elsewhere.
You mean 14:9, right?? 8mm film frame aspect ratio is 1.58. I find it hard to believe that your telecined video has the same aspect as the original film unless it has been explicitly trimmed to those dimensions. If that's the case, it's pillarboxed in the 16:9 format or letterboxed in the 4:3 format.
You could try to select all your clips and in the Video Inspector > Spatial Conform, select Fill. This will cause your clips to expand to fill the 16:9 "space". This also means that portions of the edges will "overflow" the boundaries of the modern frame (most likely the top and bottom edges.) It shouldn't be that much and if your telecined film is letterboxed in 4:3, it will be a lot less so afterwards!
You can also select all your clips, assuming they are all the same dimensions, and adjust the (Video > Transform > ) Scale in "one throw" (if you turn down the disclosure triangle you can adjust width and height independently—I am assuming that since you want it to fit, you don't mind minor stretching.) -
Error -50 when attempting to delete a file
I am using Time Machine to back up to a 1Tb drive connected via USB to my router, ... when attempting to delete old backups I get the error code -50. Can't find a reference to it, so can anyone help??
Perhaps try the "Error -50," "-5000," "8003," "8008," or "-42023" section in the Specific Conditions and Alert Messages: (Mac OS X / Windows) section of the following document:
iTunes: Advanced iTunes Store troubleshooting -
Performance Issues when editing large PDFs
We are using Adobe 9 and X Professional and are experiencing performance issues when attempting to edit large PDF files. (Windows 7 OS). When editing PDFs that are 200+ pages, we are seeing pregnant pauses (that feel like lockups), slow open times and slow to print issues.
Are there any tips or tricks with regard to working with these large documents that would improve performance?
You said "edit." If you are talking about actual editing, that should be done in the original and a new PDF created. Acrobat is not a very good editing tool and should only be used for minor, critical edits.
If you are talking about simply using the PDF, a lot depends on the structure of the PDF. If it is full of graphics, it will be slow. You can improve this performance by using the PDF Optimize to reduce graphic resolution and such. You may very likely have a bloated PDF that is causing the problem and optimizing the structure should help.
Be sure to work on a copy. -
Stuck at 100% CPU Utilization when attempting to browse
Though I don't think this is specific to Policies per-se, I'm able to reproduce this issue when attempting to create an iPrint Policy Bundle.
In the wizard for creating an iPrint Policy bundle, when I browse to select the iPrint printer, I get an authentication dialog for browsing the tree, and at the next screen, when I select the blue down-arrow to navigate down my tree to find the iPrint printer, the CPU goes to 100% (ZENServer.exe process), and the only remedy is to reset the server! I'm unable to even bring up task manager to kill the ZENServer.exe process.
Any suggestions?
Originally Posted by bryroller
Could you be experiencing the same issue I had and resolved from a tip over in this thread:
https://forums.novell.com/novell-pro...ml#post2296803
Turns out that was a temporary fix - the real fix was following the info referenced in TID 7005382, particularly reserving enough RAM for the VM and adding one vCPU (for a total of two).