We have a number of certificate authorities that we trust outside of our environment. The root certificates and intermediate CA certificates are propagated to all clients through the enterprise container (saved into the configuration container in AD -dspublish). Recently a small number of users have reported problems accessing web sites that require certificate based logon. When we look at root / issuing CA certificates as a administrator (MMC \ Certificates Snap-in \ Local Computer) the certificates show the expected path (Root Certificate \ Intermediate CA). When we look at the same certificates through IE as the user, the path looks completely different, and a lot more CAs are visible. If we delete the user profile completely, they get the right view of the certificates and they can again log on to web sites with their issued certificates.
A few questions:
Is there anyway to reset the users configuration so that they drop the certificates in the users profile and use the ones pushed by active directory?
Does anyone have a theory on how this might have happened so that we can prevent it from reoccurring?