Article ID: CTX575105
Description
FAS logon fails with the error "The username or password is incorrect". Events logged on the CA, FAS servers, VDAs, or Domain Controllers report that one of the CAs is not trusted, usually after a CA certificate has been changed or renewed.
Resolution
- Check that the new CA certificates are present in the trusted stores of the CAs, FAS servers, VDAs, and Domain Controllers.
- In an AD environment this should happen automatically, but if it does not, the certificates have to be added manually. This can be done in different ways; Domain Admin permissions are required to publish the certificates in AD.
certutil -dspublish -f filename RootCA
certutil -dspublish -f filename SubCA
Where filename is the certificate saved in .cer format (e.g. "c:\temp\RootCA.cer").
- Alternatively, browse to this location and add the certificates manually to the respective containers:
CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local
- If the new CA certificates are already present in the Trusted Root and Intermediate CA stores (they usually are) and the error that a CA is not trusted still occurs, add the certificates to the NTAuth store as well. This is done the same way as shown above; the certutil command is:
certutil -dspublish -f filename NTAuthCA
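Before re-publishing anything, it helps to see which of the three stores above is actually missing the renewed certificate. The following PowerShell script is an added example, not part of the Citrix article: it takes the .cer file and reports whether its thumbprint is present in the local Trusted Root and Intermediate CA stores, in the machine's local NTAuth cache, and in the NTAuthCertificates object in AD. It assumes the ActiveDirectory RSAT module is installed and that the file path is your own.

```powershell
# Added example (not from the Citrix article). Assumes RSAT ActiveDirectory module is installed.
param(
    [Parameter(Mandatory)] [string] $CertPath   # e.g. C:\temp\RootCA.cer (assumed path)
)
Import-Module ActiveDirectory -ErrorAction Stop

$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$thumb = $cert.Thumbprint
Write-Host "Checking '$($cert.Subject)' ($thumb)`n"

# 1. Local machine Trusted Root and Intermediate CA stores
#    (Group Policy / autoenrollment copies the AD-published certs here)
foreach ($store in 'Root', 'CA') {
    $present = [bool](Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $thumb)
    "LocalMachine\$store   : $(if ($present) { 'present' } else { 'MISSING' })"
}

# 2. Local NTAuth cache as certutil sees it. Its output lists each cert's
#    "Cert Hash(sha1)" with spaces between bytes, so strip spaces before matching.
$ntauthLocal = certutil -enterprise -store NTAuth 2>$null | Out-String
$present = (($ntauthLocal -replace ' ', '') -match $thumb)
"Local NTAuth cache  : $(if ($present) { 'present' } else { 'MISSING' })"

# 3. NTAuthCertificates object in the AD configuration partition,
#    which is what "certutil -dspublish -f <file> NTAuthCA" writes to.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntauthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$obj = Get-ADObject -Identity $ntauthDn -Properties cACertificate
$adThumbs = foreach ($raw in $obj.cACertificate) {
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)).Thumbprint
}
$present = ($adThumbs -contains $thumb)
"AD NTAuthCertificates : $(if ($present) { 'present' } else { 'MISSING' })"
```

Run it on a Domain Controller, a FAS server, and a VDA; a store reported as MISSING on one machine but present in AD usually means the local cache has not refreshed yet, while MISSING in AD means the corresponding -dspublish step has not been done.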
Problem Cause
A new CA certificate was issued, and chain validation can fail on the CAs, VDAs, and DCs that do not yet trust it.