Hi,
We have a 2008 R2 enterprise issuing CA; we recently replaced the issuing CA's certificate. The root certificate is trusted by all domain members, as the cert is distributed by GPO.
Suddenly, I'm seeing this hit my DC logs:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
And clients are complaining of "schannel" errors in the system log. After a bit of Googling, I came across the following thread
http://www.tipsandscripts.net/2014/09/fix-for-nps-radius-ca-certificate-not.html
The NTAuth store only had my old CA cert, which I've left in place. I added the new CA certificate using pkiview, but my clients still fail to connect (same errors).
Using the manual command "certutil -enterprise -addstore NTAuth CA-CertFile.cer" worked a treat :-)
This populated the registry with an additional certificate value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
My question is: why is this necessary? If I use pkiview to add a certificate to the NTAuth store, shouldn't that replicate to my DCs? In addition, I've only run the command on one DC and performed a repadmin /syncall /e, and the second DC still hasn't seen this key. Why do I have to run this command on all DCs if the cert is stored in an AD container?
Thanks
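The comparison the poster made by hand (what is in the NTAuthCertificates object in Active Directory versus what the local machine has cached under the EnterpriseCertificates\NTAuth registry key), written up as a PowerShell check. This is an added example and not code from the original post; it assumes it is run on a domain-joined machine (for instance each DC in turn) with read access to the Configuration partition via ADSI, and that the local cache lives at the registry path the post names.

```powershell
# Added example, not part of the original post.
# Lists every CA certificate in the AD NTAuthCertificates object and reports
# whether this machine's local NTAuth cache (registry) already contains it,
# then lists any cached thumbprints that no longer exist in AD.
# Assumption: standard locations for the AD object and the registry cache.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

# cACertificate is multi-valued; each value is the DER encoding of one CA certificate.
$adCerts = foreach ($blob in $ntAuth.Properties['cACertificate']) {
    # The leading comma keeps PowerShell from unrolling the byte array into separate arguments.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
}

# Local cache: one subkey per certificate, named by SHA-1 thumbprint, holding a Blob value.
$cachePath   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$localThumbs = @(Get-ChildItem $cachePath -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.PSChildName.ToUpper() })

"NTAuth certificates published in AD, and whether $env:COMPUTERNAME has them cached:"
foreach ($c in $adCerts) {
    New-Object PSObject -Property @{
        Subject      = $c.Subject
        NotAfter     = $c.NotAfter
        Thumbprint   = $c.Thumbprint
        InLocalCache = ($localThumbs -contains $c.Thumbprint.ToUpper())
    }
} | Format-Table Subject, NotAfter, Thumbprint, InLocalCache -AutoSize

$adThumbs = @($adCerts | ForEach-Object { $_.Thumbprint.ToUpper() })
$stale    = $localThumbs | Where-Object { $adThumbs -notcontains $_ }
if ($stale) {
    "Cached locally but not present in AD (stale entries on this machine):"
    $stale
}
```

Run it on each DC (and on a failing client) and compare the InLocalCache column: a certificate that is present in AD but missing from a machine's cache is exactly the state described in the post. Two certutil switches are worth keeping apart here: `certutil -dspublish -f CA-CertFile.cer NTAuthCA` writes to the AD object (which replicates), whereas `-enterprise -addstore` writes the local machine's enterprise registry store, which is per machine.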