The plot thickens, does the below make sense to everyone else? It appears that GoDaddy certs are not ‘automatically’ added to Windows trusted root stores during the usual root updates. They are only added if you go to a site that use it? IE checks it against MS’s list and then adds it to the store at that point. I found a bunch of my member servers that did not have the godaddy certs installed.
Visited a<http://www.binarydefense.com> website that I knew used Godaddy with IE and bam the cert instantly showed up in the local computer cert store. Did I mention I really hate certs. From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: Tuesday, February 2, 2016 1:56 PM To: [email protected] Subject: [NTSysADM] RE: DC's and certs. Same WSUS group, but root certs don’t come via WSUS I don’t believe. They are direct now. From: [email protected] [mailto:[email protected]] On Behalf Of Damien Solodow Sent: Tuesday, February 2, 2016 1:51 PM To: [email protected] Subject: [NTSysADM] RE: DC's and certs. The DCs in a different group in WSUS or something similar? DAMIEN SOLODOW Senior Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: Tuesday, February 2, 2016 1:47 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: DC's and certs. It is lack of root cert updates for sure. I can see tem hitting the update site for MS for these in the web filter log. And the revocation site also. https://sls.update.microsoft.com http://crl.microsoft.com GPO’s are virtually identical but I rechecked them. Only diff is settings for auditing log on events. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Brian Desmond Sent: Monday, February 1, 2016 5:43 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: DC's and certs. > either that or the “root certificate updates” aren’t applied to the DCs. I'd guess this. SChannel tracing might be helpful otherwise - https://support.microsoft.com/en-us/kb/260729 Thanks, Brian Desmond w – 312.625.1438 | c – 312.731.3132 From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Damien Solodow Sent: Monday, February 1, 2016 3:20 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: DC's and certs. Doubtful if they’re using GoDaddy. ;) I’d wager you have a difference in GPO around certificates for your DCs; either that or the “root certificate updates” aren’t applied to the DCs. DAMIEN SOLODOW Senior Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: Monday, February 1, 2016 4:16 PM To: '[email protected]' <[email protected]<mailto:[email protected]>> Subject: [NTSysADM] DC's and certs. So I am working with a vendor on a new product they are developing.. It installs a single exe as a service and runs as system. That service makes an SSL connection to their servers. That is all I can say about the software at this point. Desktops and member servers make the SSL call no problem. But DC’s fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert. I dl’d the chain from GoDaddy, installed it into the local machine store on the DC’s and all is well. The GoDaddy chain is not installed on the member servers. My question is why the difference between a DC and a Member server? Do DC’s only talk to themselves for cert verification? PS: You folks are going to be very jelly when you find out what it is and that I have it. ☺
