The branch where I work is having a problem which I associate with the recent renewal of the 2008 primary domain controller's certificate. The first problem is that our internal wireless devices no longer accept the DC's certificate, & will only connect to the internal SSID (secured with WPA-Enterprise by Windows credentials) if we turn off client-side certificate validation/verification on each client. Now, though, when a Windows password expires, the new password is successfully accepted & the user can log in, but if the user logs out again or tries to use the Internet (through our proxy), the account is immediately locked out & must be unlocked by the AD administrator.
I'm at a loss,