I had a consistency failure on the /var partition on my primary server last
week that I was able to fix. Long story of woe made short, I am now running
at 10.3.3 on my primary and ordering a new server.

The problem I have is an "Unable to log into the network because the login
credentials or the server certificate is incorrect" on all managed
workstations in the zone. I have been troubleshooting this since last
Thursday and have finally narrowed the problem down to being related to the
following observations:


Unregistering and reregistering the workstation (after removing the
certificate from the workstation store) I see the certificate import popup
with the following information:
Serial Number: 4B30F6AF
Valid from: 12/22/2009 10:41:19 AM
Valid to: 12/20/2019 10:41:19 AM

If I look at this same certificate in certmgr.msc right after import I see
the following:
Serial Number: 4b 30 f6 af
Valid from: Tuesday, December 22, 2009 11:41:19 AM
Valid to: Friday, December 20, 2019 11:41:19 AM

NOTE THE ONE HOUR TIMESTAMP DIFFERENCE!

Running "zac ci" on the registered workstation yields
Serial Number: 0125C1905CD6
Not valid before: 12/22/2009 10:41:21 AM
Not valid after: 12/22/2019 10:41:21 AM

NOTE THE SERIAL NUMBER OF THE CERTIFICATE!

NOW!
Opening a browser and going to https://<servername>:443 and viewing the
certificate properties I see the following:
Serial Number: 01 25 c1 90 5c d6
Valid from: Tuesday, December 22, 2009 11:42:21 AM
Valid to: Sunday, December 22, 2019 11:42:21 AM


If I import this certificate and then view it in certmgr.msc the certificate
has the following properties:
Serial Number: 01 25 c1 90 5c d6
Valid from: Tuesday, December 22, 2009 11:42:21 AM
Valid to: Sunday, December 22, 2019 11:42:21 AM


WHAT I HAVE DONE:
Both the server and workstation are using the same local time server.

I have exported the CA from the server, then re-imported an older archived
copy.

I have turned on debug logging on the workstation and server. I see NO
errors in the server logs.
On the workstation the CasaAuthToken.log displays the following:

[15C-106C] [12:37:16] CASA_AuthToken -Rpc- Start
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- Start
[15C-106C] [12:37:16] CASA_AuthToken -CopyMultiToWideAlloc- Start
[15C-106C] [12:37:16] CASA_AuthToken -CopyMultiToWideAlloc- End, retStatus = 00000000
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- before WinHttpOpenRequest
[15C-106C] [12:37:16] CASA_AuthToken -InvalidCertsFromHostAllowed- Start
[15C-106C] [12:37:16] CASA_AuthToken -InvalidCertsFromHostAllowed- End, retStatus = 0
[15C-106C] [12:37:16] CASA_AuthToken -SecureFailureStatusCallback- Start
[15C-106C] [12:37:16] CASA_AuthToken -SecureFailureStatusCallback- End
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- Secure connection failure, flags = 8
[15C-106C] [12:37:16] CASA_AuthToken -CopyWideToMultiAlloc- Start
[15C-106C] [12:37:16] CASA_AuthToken -CopyWideToMultiAlloc- End, retStatus = 00000000
[15C-106C] [12:37:16] CASA_AuthToken -CopyWideToMultiAlloc- Start
[15C-106C] [12:37:16] CASA_AuthToken -CopyWideToMultiAlloc- End, retStatus = 00000000
[15C-106C] [12:37:16] CASA_AuthToken -UserApprovedCert- Start
[15C-106C] [12:37:16] CASA_AuthToken -UserApprovedCert- Invalid CA Invalid DATE in Cert from Host = <servername.domain.edu>
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- User did not approve invalid certificate from <servername.domain.edu>
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- End, retStatus = C7FF0023
[15C-106C] [12:37:16] CASA_AuthToken -Rpc- End, retStatus = C7FF0023
[15C-106C] [12:37:16] CASA_AuthToken -ObtainAuthTokenFromServer- GetAuthPolicy Rpc failure, error = C7FF0023
[15C-106C] [12:37:16] CASA_AuthToken -CloseRpcSession- Start
[15C-106C] [12:37:16] CASA_AuthToken -CloseRpcSession- End

Any ideas? Or am I just plain old-fashioned "messed up"?

I can still communicate to all the machines in the Zone so for right now I
am going to send out a reg hack turning off ZCM user authentication.

I have been planning on moving to ZCM 11 in the near future and since this
poor zone contains/archives/exhibits all the things that document my
learning curve with ZCM 10 I think I may simply start a new Zone with ZCM11.
Since I can communicate with all the machines in the current zone, I should
simply be able to put together a script to unregister with the old zone and
register with the new zone.

If I have read the documentation correctly ZCM 10 agents can register with
ZCM 11 and the agent can upgrade with no problems.... At least I read the
constraints on agent upgrade to only apply to ZAM 10.... right?

I really am not concerned with the existing database, and can migrate my
bundles and images --- again --- if I read things correctly.

So, does anyone have any suggestions on repairing my current situation or
comments on my plans to move?

Thanks
Bob T
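
An added example, not part of the original post and not the product's own code: a small Python triage of a CasaAuthToken.log excerpt like the one above, which rejoins hard-wrapped entries and decodes the "Secure connection failure" flags. It assumes the logged `flags` value is the WinHTTP secure-failure bitmask (WINHTTP_CALLBACK_STATUS_FLAG_* in winhttp.h) printed in hex; the function names are hypothetical.

```python
import re

# WinHTTP secure-failure bits (WINHTTP_CALLBACK_STATUS_FLAG_* in winhttp.h).
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED", 0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED", 0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID", 0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE", 0x80000000: "SECURITY_CHANNEL_ERROR",
}

# Constructed sample: entries taken from the log in the post, hard-wrapped
# the way mail clients often wrap long lines.
SAMPLE_LOG = """\
[15C-106C] [12:37:16] CASA_AuthToken -SecureFailureStatusCallback- End
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- Secure connection
failure, flags = 8
[15C-106C] [12:37:16] CASA_AuthToken -UserApprovedCert- Invalid CA Invalid
DATE in Cert from Host = <servername.domain.edu>
[15C-106C] [12:37:16] CASA_AuthToken -InternalRpc- End, retStatus = C7FF0023
[15C-106C] [12:37:16] CASA_AuthToken -Rpc- End, retStatus = C7FF0023
"""

# A real entry starts with "[thread-ids] [hh:mm:ss] ".
ENTRY = re.compile(r"^\[[0-9A-Fa-f]+-[0-9A-Fa-f]+\] \[\d\d:\d\d:\d\d\] ")

def unwrap(text):
    """Rejoin wrapped entries: a line without the prefix continues the previous one."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def decode_flags(value):
    """Return the names of all secure-failure bits set in value, lowest bit first."""
    return [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if value & bit]

def triage(text):
    findings = []
    for entry in unwrap(text):
        m = re.search(r"Secure connection failure, flags = ([0-9A-Fa-f]+)", entry)
        if m:  # assumption: the value is logged in hex
            findings.append(("tls_failure", decode_flags(int(m.group(1), 16))))
        m = re.search(r"-Rpc- End, retStatus = ([0-9A-Fa-f]{8})", entry)
        if m and m.group(1) != "00000000":
            findings.append(("rpc_status", m.group(1)))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Under that assumption, only the INVALID_CA bit is set in the sample, even though the log's text message mentions both the CA and the date.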