
Some clients don't trust certs issued by an internal CA


I'm not quite sure if this is necessarily the best place to ask for a solution to the actual issue we're having, but as we already have a workaround, I'm more looking for a generic overview of what happens during the domain join process in regards to our issue. If you can provide me with a shortcut solution to the problem, I won't complain, but my main goal is to understand what's going on.



Now for my question:

Basically, some clients are not trusting a certificate that they should. We have a workaround but I'd like to understand why it works, and if there's a better way to fix it. That is, if we remove one of the affected clients from the domain, reset the account, and rejoin, the problem is resolved.

What I'm wondering is, what exactly is happening during the domain join process that changes certificate trust? How is it possible that some domain member computers trust a cert issued by our CA without any additional special configuration, while others do not trust that cert? Could the availability of the CA during the join process have affected this? (i.e., if the CA was down for maintenance when the computer was joined to the domain, would it alter whatever is normally done to make it trust certs issued by that server?)



For those of you who would like more context, here's what's going on:

We have an in-house web app that was recently updated and moved to a new server, and we're having a few issues with certificate trust. Shortly before the new server was built, we migrated to AD for our DS, and we are running a single 2008 domain. The new server is a domain member, and the certificate used by the application server was issued by an internal CA, which is currently still accessible. The old cert was self-signed, and installed manually on all of our OS images, and is therefore trusted by all of our PCs. I should also add that all of our desktops in this problem are currently members of the same domain as the server and CA.

The problem we're running into is that when removing the old version of the app (which points to the old server), and installing the new version, some of the PCs are complaining that the new server certificate is not trusted. We can still connect, but the app is written such that it expects the PC to trust the server, and therefore fails to install properly. So far, this seems limited to *some* of our Windows XP client machines. Most XP machines, and, so far, all of our Win7 machines, have no issues.
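A diagnostic that narrows down where the trust gap is on one of the affected clients, added here as an example and not part of the original post. It compares what the machine's own Trusted Root store holds against the root CAs Active Directory publishes to domain members (the path the auto-enrollment client uses to install enterprise roots), then optionally builds the chain for the app server's certificate the way a service on that machine would. `$CaSubjectMatch` and `$ServerCertPath` are placeholders to be replaced with the real CA subject and an exported copy of the server cert; the script assumes Windows PowerShell and `certutil` are present on the client (on XP only the `certutil` calls apply, run from a command prompt).

```powershell
# Added diagnostic script (not from the original post). Placeholders to replace:
#   $CaSubjectMatch - a substring of the internal CA's certificate subject
#   $ServerCertPath - optional path to the app server's certificate exported as .cer
param(
    [string]$CaSubjectMatch = "Internal CA",   # placeholder, not from the post
    [string]$ServerCertPath = ""               # placeholder, optional
)

Write-Host "== 1. LocalMachine\Root: what this computer actually trusts =="
$localRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" }
if ($localRoot) {
    $localRoot | ForEach-Object {
        "  {0}`n    thumbprint={1} notAfter={2}" -f $_.Subject, $_.Thumbprint, $_.NotAfter
    }
} else {
    Write-Warning "No root certificate matching '$CaSubjectMatch' in LocalMachine\Root."
}

Write-Host "== 2. Enterprise Root store: what AD publishes to domain members =="
# certutil reads the enterprise store from the domain's Public Key Services
# container, so this needs a reachable domain controller.
$enterprise = certutil -enterprise -store Root 2>&1 | Out-String
if ($enterprise -match ("Subject:.*" + [regex]::Escape($CaSubjectMatch))) {
    "  AD publishes a root CA matching '$CaSubjectMatch'."
} else {
    Write-Warning "No AD-published root CA matches '$CaSubjectMatch' (or the DC was unreachable)."
}

Write-Host "== 3. Chain build for the server certificate (optional) =="
if ($ServerCertPath -and (Test-Path $ServerCertPath)) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects trust-store contents only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    "  Chain builds: $ok"
    foreach ($s in $chain.ChainStatus) {
        "  status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

Reading the output: if step 2 finds the CA but step 1 does not, the root was published to AD and this client simply never pulled it, so an auto-enrollment pass (`certutil -pulse` on Vista and later, or a Group Policy refresh) on the client is the thing to retry and then re-run step 1; if step 2 finds nothing, the CA certificate was never published to the domain and the clients that do trust it got it some other way (an image, manual install or a GPO). An `UntrustedRoot` status in step 3 with a populated step 1 points at a chain or name mismatch on the server certificate rather than at the trust store.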

