New installation of ZCM 10.3, patched up to 10.3.1 on Windows 2008.

Seemed to work for a day before Thanksgiving, but after coming back on Monday, no workstation (or ZCM) server able to log in with ZCM agent.

"Unable to log into the network because the login credentials or the server certificate is incorrect."

In troubleshooting, lots of changes have been made (including an inadvertent uninstall of zenworks on the server!). Reinstalled 10.3.0, patched with all Windows patches, (manually) patched up the 10.3.1 ZCM server. Agents are updated to 10.3.1.xxxx and seem up-to-date.

The LDAP backend goes to a NetWare 6.5 sp8 server, and that part seems fine.

Debug logging has been enabled. DNS (forward and reverse queries) working fine.

The issue seems to be certificate-related, between the ZCM agent and the ZCM server. (LDAP calls never make it to the NetWare server. DSTRACE shows no activity when trying to log into the ZCM agent).

The best clue I have is seen in the zmd-messages.log file (from the ZCM server). Everything looks good until it gets to "Calling Authtoken.ObtainAuthToken". I see it calling out the host (<servername>.<domainname>), and servicename (com.novell.zenworks.<realmname>), but the next line gives me:
"Authtoken.ObtainAuthToken returned a null or zero length token"

A few lines later I also see:
"MiCasa.DeleteCredential took exception: The error code is: -802"
(which may be unrelated).

I can find no explanation of the 'null or zero length token' message.

One thing I also cannot find that would be of use is some technical explanation of what is supposed to be happening during the authentication process, prior to an LDAP call going to the directory from the ZCM server.