Can Someone Help with Certificates? (Windows Server Essentials 2012 R2) - Dorkiphus.net
  #1  
Old 03-16-2020, 01:41 PM
BlackTalon's Avatar
BlackTalon BlackTalon is offline
Make Dorki Great Again
 
Join Date: Dec 2002
Location: Alexandria, Virginia
Posts: 14,792
BlackTalon
Default Can Someone Help with Certificates? (Windows Server Essentials 2012 R2)

Not really an employee option per se, but I need help troubleshooting a certificate issue in Essentials 2012 R2. Since about 6 months ago I have not been able to get desktops with replaced/cloned HDDs to work via Anywhere Access. Basically in the Devices part of the Dashboard they show up as "Offline". Computers that have been in operation since before that time show up fine (i.e., "Online") and can be accessed remotely.

I have run the Anywhere Access Repair Wizard and disconnected/ reconnected the desktops, but that has not helped. In one instance the desktop showed up as Online, and I was able to assign it to a User for remote access, but it reverted to "Offline" a short time later.

Going through the certificate manager on the Server I can see multiple instances of certificates getting revoked, but there is no reason indicated. Also, there are a lot of certificates on the server, including a handful that appear to be related to remote access, so I am not sure how to determine which particular certificate a desktop should be receiving (my desktop is one that can be accessed remotely; I looked in the certmgr and there are three certificates there that all *could* be the correct one; I do not know if they are all needed or if only one gets accessed/used).

If anyone can help me resolve this, or point me to a person who may know, I would appreciate it. We are fine paying a consultant, I just can't find anyone. It is becoming critical due to employees wanting the option to work from home due to the virus.

EDIT: The HDDs were cloned (not all at the same time) from good HDDs taken from other workstations. The cloning was by a cloning machine, vs software, and Sysprep was not used (earlier clones were all done with software, so when I got the duplicator I was not familiar with Sysprep).
__________________
David D.
'87 Targa

- 2021 quickly disappearing...

Last edited by BlackTalon; 03-16-2020 at 03:50 PM.
  #2  
Old 03-16-2020, 02:38 PM
KFJ's Avatar
KFJ KFJ is offline
Lemming
 
Join Date: Aug 2006
Location: Purcellville, VA
Posts: 1,289
KFJ has one HoF thread
Default

Not familiar with Anywhere Access, but maybe a step in the right direction: You can compare the certificate that works on your desktop with the server to determine which is a working certificate. From certmgr on both machines, open the certificate, navigate to details, scroll to the end for Thumbprint - that's a unique identifier for that certificate.
__________________
Kirk J.
78 911 SC euro spec
05 Audi S4
01 Audi A6 - gone...

Things are made of stuff -Bill Nye
  #3  
Old 03-16-2020, 03:51 PM
BlackTalon's Avatar
BlackTalon BlackTalon is offline
Make Dorki Great Again
 
Join Date: Dec 2002
Location: Alexandria, Virginia
Posts: 14,792
BlackTalon
Default

Quote:
Originally Posted by KFJ View Post
Not familiar with Anywhere Access, but maybe a step in the right direction: You can compare the certificate that works on your desktop with the server to determine which is a working certificate. From certmgr on both machines, open the certificate, navigate to details, scroll to the end for Thumbprint - that's a unique identifier for that certificate.
There are several certificates on my working (good) desktop that all appear to be for the same thing. I have not seen anywhere in certmgr where it indicates which one is the one actually being used (to me it looks like they are all 'equal').
__________________
David D.
'87 Targa

- 2021 quickly disappearing...
  #4  
Old 03-16-2020, 04:19 PM
tomfree tomfree is offline
 
Join Date: Feb 2007
Location: Gaithersburg, MD
Posts: 609
tomfree
Default

Instinct tells me there is something going on in the root certificate authority for the affected machines. As a troubleshooting method, perhaps do something as rudimentary as removing and re-adding the certificate authority for the certs in question on one of the unhappy machines?

I'm sure you know this...cloning HDDs causes its own pain in Windows. Can I assume some kind of SID walker was used after the clone to create a unique SID?
__________________
Tom Freeman
'21 Q5 PHEV (DD, dog hauler) | '22 GR Supra (OLOA) | '93 Mustang GT (Crapcan) | '16 BMW R1200RT (Cop bike)
  #5  
Old 03-16-2020, 05:05 PM
BlackTalon's Avatar
BlackTalon BlackTalon is offline
Make Dorki Great Again
 
Join Date: Dec 2002
Location: Alexandria, Virginia
Posts: 14,792
BlackTalon
Default

Tom, I wish I could say 'yes' to what you are sure I know. Previous HDD cloning had been done with Clonezilla and never had an issue, but going to an external 2-dock bay with cloning capabilities was much easier. The machines were all renamed, although they were done at varying times and I do not remember if any were initially logged onto the domain before renaming. Thanks to Ken H I did some reading on sysprep and SIDs earlier today (after my initial post) and there seemed to be a lot of info indicating the SID was internal-only and was not the one the Domain uses -- but I don't know if that is true for all facets of the connection (i.e., the machines show up fine in AD and have access to all shared folders, printers, etc.).

On a typical desktop there are 3-4 certificates issued by the server/CA. Are you indicating I should delete those certificates? What is the process? Delete in certmgr, reboot the machine and log back on to the Domain? Or when rebooted will it come up no longer connected, and I will need to rerun the Connector? These are all desktops our engineers are using so I need to be careful not to screw up a machine and take someone out of service tomorrow.

I appreciate your help!
__________________
David D.
'87 Targa

- 2021 quickly disappearing...
  #6  
Old 03-16-2020, 05:48 PM
joep's Avatar
joep joep is offline
 
Join Date: Jun 2008
Location: PW county Virginia
Posts: 2,549
joep
Default

The SIDs are internal to the clone. The Domain ID is created when a new system is added to the domain but that's in part based on the SID. So a conflict happens when a duplicate is found. The more I think about this, the less I suspect the cloning process, but good luck. I don't think you're using AD, are you?

Essentials 2012 is just that. You might need some sort of add-on capability if Essentials allows for it.

gl hf
__________________
Ken
'03 - boxster - Joy Toy
-rolling convertible action
-de-ambered
-Boxster Brey-Krause Roll Bar
'05 - 955s Gold - My Other / On Road / Off Road
-coolant pipe by pass 08/11
-heart & short soul block replaced @50k 01/12
-cardan shafted & replaced @125k 09/16

Quote:
Originally Posted by BlackTalon View Post
I could feel my self-esteem rising, even while realizing how incorrect I was
Quote:
Originally Posted by Rick V View Post
I think I like the purple, it placates my lesbian side.
  #7  
Old 03-16-2020, 07:51 PM
BlackTalon's Avatar
BlackTalon BlackTalon is offline
Make Dorki Great Again
 
Join Date: Dec 2002
Location: Alexandria, Virginia
Posts: 14,792
BlackTalon
Default

AD is running on the Server. I can get more info from that than from the Essentials Dashboard.

Someone has provided me with some info on things to try in the MMC. One big thing was the certs I had been looking at were for the User, and not the Machine. Once I logged on to a workstation as administrator and got back into the MMC and got into the Local Machine lists I saw different certs. There is one there under Remote Access, but it indicates it must be in the Trusted certs subfolder to work; I tried cutting and pasting to that folder but it didn't work. I was going to try exporting and importing, but it said the key could not be exported, which seemed like a deal killer. I'm going back to the office later tonight, and will delete that cert and try reconnecting the machine and see what happens when it generates a new one.

I also went through some steps to generate a new cert, but the procedure that someone sent me had some steps that did not seem possible (the options I was supposed to pick were not present).

Anyway, I feel like I am in the ballpark, but am missing a couple of small pieces of info.
__________________
David D.
'87 Targa

- 2021 quickly disappearing...
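
Added example, not part of any post in this thread: a read-only PowerShell inventory that covers the two checks discussed above, comparing thumbprints between a working and a non-working machine (post #2) and looking at the Local Machine store rather than only the Current User store (post #7). The function names, CSV file names and the choice of the `My` (Personal) stores are assumptions made for illustration; a thumbprint found on both machines is a lead to examine, not a confirmed cause.

```powershell
# Added example: read-only certificate inventory; nothing is deleted or changed.
# Assumption: run from an elevated Windows PowerShell session on each machine.

function Get-CertInventory {
    param(
        # Personal store for the machine and for the logged-on user (assumed default).
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer      = $env:COMPUTERNAME
                    Store         = $path
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    Expired       = ($_.NotAfter -lt (Get-Date))
                    HasPrivateKey = $_.HasPrivateKey
                    EKU           = ($_.EnhancedKeyUsageList.FriendlyName -join '; ')
                }
            }
    }
}

function Compare-CertInventory {
    param([object[]]$Good, [object[]]$Suspect)
    # A disk clone copies the certificate store along with everything else, so a
    # machine certificate with the same thumbprint on two PCs is worth examining.
    $goodPrints = $Good |
        Where-Object { $_.Store -like 'Cert:\LocalMachine\*' } |
        Select-Object -ExpandProperty Thumbprint
    $Suspect | Where-Object {
        $_.Store -like 'Cert:\LocalMachine\*' -and $goodPrints -contains $_.Thumbprint
    }
}

# On each machine (file names are placeholders):
#   Get-CertInventory | Export-Csv ".\certs-$env:COMPUTERNAME.csv" -NoTypeInformation
# Then, with both files copied to one machine:
#   Compare-CertInventory -Good    (Import-Csv .\certs-GOODPC.csv) `
#                         -Suspect (Import-Csv .\certs-CLONEPC.csv) | Format-List
```
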
  #8  
Old 03-16-2020, 08:22 PM
cmartin's Avatar
cmartin cmartin is offline
 
Join Date: Sep 2003
Location: Pasadena, MD
Posts: 7,577
cmartin
Default

Did you use the certreq.exe tool?

This link also shows a few steps that might help. Not 100% what you are looking for but seems to overlap.

https://www.altaro.com/hyper-v/view-...-certificates/
__________________
78 SC, the 'Red Car'
  #9  
Old 03-16-2020, 08:39 PM
BlackTalon's Avatar
BlackTalon BlackTalon is offline
Make Dorki Great Again
 
Join Date: Dec 2002
Location: Alexandria, Virginia
Posts: 14,792
BlackTalon
Default

Thanks. I'll see if that tool runs on a workstation, since I seem to be unable to locate a Certificate Authority snap-in on the desktop, which brought things to a halt for me earlier tonight.

Long and short of it is I believe there are local machine certificates that may need to be deleted, and new ones generated.

But unfortunately I do not fully know which ones.
__________________
David D.
'87 Targa

- 2021 quickly disappearing...
  #10  
Old 03-17-2020, 05:01 PM
dnwong's Avatar
dnwong dnwong is offline
 
Join Date: Jun 2006
Location: Aldie, VA
Posts: 816
dnwong
Default

David, have you tried to uninstall the "Windows Server 2012 essentials connector" from the new workstation and reinstall?
__________________
Dudley
Aldie, VA
99 996 C4 Black/Black Areo
86 951 Graphite / Burgundy
2002 BMW 530i
2008 Volvo XC90
1995 Chev Astro (workhorse going-bald)
My Garage Build