Authentication and KDC Problems



Posted

I have a 2k3 native domain with 2 DCs.

DC 1 has all FSMO roles and DNS installed.

DC 2 also has DNS installed.

DC 2 did have the Windows CA installed, although it was never used to issue certificates. When rationalising our services the CA was uninstalled and reinstalled on a member server on the domain.

The last week or so users have been experiencing problems with their home drive mapping. Randomly, some users will get the map, where others will get it but will get access denied if they try to open it. If they log off, wait 2 mins and log back on they can access the home drive. Home drives are a share on DC 1.

Whilst trawling through the event logs yesterday I noticed the following error:

KDC - Event ID 20

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

I did a bit of research and found a suggestion that this was due to uninstalling the CA from the server and that deleting any certificates relating to that CA would solve the issue. I deleted all certificates issued by DC 2 and restarted the KDC and have not received this error since.

This morning I rebooted the entire server farm for a clean start and checked the event logs. DC 2 is now logging LsaSrv Event 40960 (SPNEGO Negotiator) several times (all relating in one way or another to DC 2).

In the hope of trying to resolve this I reinstalled the CA onto DC 2 (so I now have an enterprise root CA on both DC 2 (where there was originally one) and a member server), as I don't know if uninstalling this will cause further problems.

I rebooted DC 2 and the member server the other CA is on and there were no errors logged on either.

However, I am still experiencing some odd authentication problems.

It has not been long enough in the day yet to see if users are having home drive problems so we will have to see about that, but one application which I use (installed on the same member server as the CA) is giving access denied messages when trying to run certain parts of it, which the developers tell me is possibly due to problems with the account the service runs under authenticating.

Can anyone help with this?

What is the best way of removing the CA from BOTH servers it is on now (the DC and the member server) - neither has issued any certificates (other than the ones it does automatically). And will this clear up my authentication issues or is this something else?

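A read-only PowerShell inventory of the PKI state that the KDC Event ID 20 text in the post points at, added here as an example; it is not the poster's script and nothing on this page ran it. It lists the CA objects still published in the forest's Configuration partition, decodes the CA certificates held in NTAuthCertificates, and checks whether each certificate on the DC that the KDC could select (Server Authentication or KDC Authentication EKU) still builds a valid chain today. It assumes it is run on a DC as an administrator with .NET 2.0 or later available (PowerShell 2.0 on Server 2003 is enough; no AD module is used). The container names and EKU OIDs are the standard ones; the output layout is my own.

```powershell
# Added example (not from the original post). Read-only inventory of the
# PKI state behind a "KDC Event ID 20": which CAs are still published in the
# forest, which CA certificates sit in NTAuth, and whether each certificate
# on this DC that the KDC could select still builds a valid chain.
# Assumptions: run on a DC as an administrator, .NET 2.0 or later,
# domain-joined machine. Nothing is modified.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties["configurationNamingContext"].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. CA objects published in the Configuration partition. An uninstalled CA
#    that is still listed here is still trusted and advertised forest-wide;
#    a CA reinstalled under the same name with a new key leaves a stale entry.
foreach ($container in "Certification Authorities", "Enrollment Services", "AIA") {
    $entry = [ADSI]"LDAP://CN=$container,$pkiBase"
    Write-Host "== $container =="
    foreach ($child in $entry.Children) {
        $cn      = $child.Properties["cn"].Value
        $dnsHost = $child.Properties["dNSHostName"].Value   # present only under Enrollment Services
        if ($dnsHost) { Write-Host "  $cn  (enrollment host: $dnsHost)" } else { Write-Host "  $cn" }
    }
}

# 2. NTAuthCertificates: the CA certificates the domain accepts when it
#    validates KDC and smart-card certificates. Decode each cACertificate blob.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
Write-Host "== NTAuthCertificates =="
foreach ($blob in $ntAuth.Properties["cACertificate"]) {
    $caCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                         -ArgumentList (,[byte[]]$blob)
    Write-Host ("  {0}`n    thumbprint {1}  expires {2}" -f $caCert.Subject, $caCert.Thumbprint, $caCert.NotAfter)
}

# 3. Certificates in the local machine store that carry an EKU the KDC can
#    use, and whether each still chains to a trusted root. A "once valid,
#    now invalid" certificate appears here with a failing chain, typically
#    PartialChain or UntrustedRoot once its issuing CA has been removed.
$ServerAuthEku = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$KdcAuthEku    = "1.3.6.1.5.2.3.5"     # id-pkinit-KPKdc
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
Write-Host "== LocalMachine\My certificates the KDC could select =="
foreach ($cert in $store.Certificates) {
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if (-not (($ekus -contains $ServerAuthEku) -or ($ekus -contains $KdcAuthEku))) { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Trust and validity are the question here; skip CRL fetching so an
    # unreachable CDP does not mask the real chain problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        $status = "OK"
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    }
    Write-Host ("  {0}`n    issuer {1}`n    valid  {2} .. {3}`n    chain  {4}" -f `
        $cert.Subject, $cert.Issuer, $cert.NotBefore, $cert.NotAfter, $status)
}
$store.Close()
```

Reading the output: a CA that no longer runs but is still listed under Certification Authorities, Enrollment Services, AIA or NTAuthCertificates is what a clean decommission has to remove; Microsoft's KB 889250 ("How to decommission a Windows enterprise certification authority and how to remove all related objects") walks through that, and it is the answer to the question of removing the CA from both servers without leaving stale objects behind. A DC certificate in section 3 whose issuer is the removed CA and whose chain fails is the certificate Event ID 20 refers to. One caveat on scope: ordinary password-based Kerberos logon and SMB access to a share do not depend on the DC's own certificate, so a clean PKI state does not by itself account for the LsaSrv 40960 events or the access-denied errors on the home drives; the failure code those 40960 events record has to be examined separately.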
Posted

Re: Authentication and KDC Problems

 

Anyone?


Posted

Re: Authentication and KDC Problems

 

Anyone at all?


