  1. #1

    nLinked

    TMG form logins stopped working after certificate expiry

    2 days ago, we noticed we couldn't login to HTTPS addresses from outside to inside such as webmail or VLE. Whenever we logged in, we got this:

    (attached screenshot: Capture.JPG)

    We noticed a certificate had expired. It is a local certificate which appears on every workstation and server. It seems to be one that is issued by the domain controller. We removed this certificate off the domain controller and the TMG server, as well as critical servers like Exchange and SharePoint (VLE). There is another certificate already on these machines with a valid expiry and intended for "All Purposes".

    We have performed a gpupdate on all the servers but we still get the above error when logging into anything that passes through TMG. Any ideas what else it could be? Thanks.

    If we go to the TMG Best Practices Analyzer we see:

    (attached screenshot: Capture.JPG)
    Last edited by nLinked; 18th September 2012 at 08:25 AM.

  2. #2

    SYNACK
    Have you checked which cert is being used in the listener on the TMG, and have you tried opening the internal site via the TMG itself? Depending on how it is configured, it may give you some clues.

  3. #3

    nLinked
    Thanks. On the listener we have two addresses, one public and one internal. Both are using our wildcard certificate issued by a CA. Both have green ticks. I'm not sure if there is also supposed to be some sort of internal certificate here?

  4. #4

    SYNACK
    Are you using HTTPS to HTTP tunnelling or HTTPS to HTTPS? If so, your internal stuff may need to use the wildcard cert too, and split DNS to bounce the traffic between the two.

  5. #5

    nLinked
    When connecting from outside we are using an HTTPS address. I'm not sure about the tunnelling or how to check? But all servers have had the wildcard cert installed too since before this error started happening. The only change that's happened so far is the expiry of a local cert which I believe was issued by the DC a long time ago to all workstations and servers (it's some sort of internal, non-CA certificate). After deleting this, there was already another valid local one (also already installed on all machines) which really should have taken over. But we still get the error above.

    In Event Viewer though, I saw this today:
    "schannel The following fatal alert was received: 0"

    Googling a bit tells me it has lost the trust relationship to the DC and needs to be reset. The last post on this page has a command to reset the trust. Think this may be relevant and safe to continue with?

    Event ID: 36887 Source: Schannel, Error: The following fatal alert was received: 0.

  6. #6

    SYNACK
    I'd test it on a workstation first to make sure it does not break stuff but at worst you should have to rejoin them to the domain.

    You can tell if you are cracking them open because you are using the listener, which opens up the tunnel to inspect it before deciding what to do with it, then passes it down another channel, either HTTP or HTTPS, to an internal server. Otherwise you'd just be passing HTTPS through as an access rule to a single server for it to handle. In that config there is no inspection, so no way to split it out via URL.
    Last edited by SYNACK; 18th September 2012 at 10:57 AM.

  7. #7

    nLinked
    Thanks for all the replies. We have identified a server which had AD Certificate Services role installed and was issuing out the expired cert to all stations. We'll be installing a new cert on this to solve this problem.
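An added example, not from the thread or from TMG itself, that checks the two things this thread turned on: which certificates in the local machine stores (including the internal CA's own certificate) have expired or are about to, and whether Schannel has logged the Event ID 36887 fatal alert that nLinked saw. It assumes an elevated PowerShell session on each server in the path (TMG, the AD CS server, Exchange, SharePoint); the 30-day warning window and 7-day event window are assumed values.

```powershell
# Added example (not from the thread): inventory certificate expiry in the local
# machine stores and pull recent Schannel fatal-alert events (Event ID 36887).
# Run in an elevated PowerShell session on the TMG server, the AD CS server and
# the published servers. The WarnDays/EventDays thresholds are assumptions.
param(
    [int]$WarnDays  = 30,
    [int]$EventDays = 7
)

$now    = Get-Date
$stores = 'My', 'CA', 'Root'   # personal, intermediate CA and trusted root stores

$report = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        $status = if ($daysLeft -lt 0)          { 'EXPIRED'  }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else                           { 'OK'       }
        New-Object PSObject -Property @{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Thumbprint = $_.Thumbprint
            # A self-signed entry in Root/CA is a CA's own certificate; once it
            # expires, every certificate chaining to it fails validation.
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Status     = $status
        }
    }
}

# Show only the problem certificates, soonest expiry first.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table Store, Status, DaysLeft, SelfSigned, Subject, Issuer -AutoSize

# Schannel Event 36887 "fatal alert was received: N" records the TLS alert the
# peer sent; alert number 0 is close_notify. Correlate these timestamps with the
# NotAfter dates listed above.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36887
    StartTime    = $now.AddDays(-$EventDays)
} -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Running this on the AD CS server would have surfaced the expired CA certificate in the CA or Root store with SelfSigned set to True, before any client-side symptom appeared.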
