Certificate revocation check fails for non-domain guest in spite of accessible CRL

windows-server-2012 certificate-authority ad-certificate-services crl
9,752

After troubleshooting this with Microsoft support, we noticed that the delta CRL was not accessible to the client because IIS's default configuration does not support filenames with the + character and delta CRL's end with +. After enabling double escaping in IIS, the non-domain-joined client was able to confirm that the certificate had not been revoked.

Share:
9,752

Related videos on Youtube

0xFE
Author by

0xFE

Updated on September 18, 2022

Comments

  • 0xFE
    0xFE almost 2 years

    When we try to use certificates on computers that are not part of the domain, Windows complains that

    The revocation function was unable to check revocation because the revocation server was offline.

    However, if I manually open the certificate and check the CRL Distribution Point property, I see an ldap:/// URL and an http:// URL that points to externally-accessible IIS site that hosts the CRLs. Of course, the non-domain-joined client cannot access the ldap:/// URL, but it can download the CRL from the http:// link (at least in a browser).

    I enabled CAPI logging and I see the event that corresponds to this failed revocation check. The RevocationInfo section is:

    • RevocationInfo

      [ freshnessTime] PT11H27M4S

      • RevocationResult The revocation function was unable to check revocation because the revocation server was offline.
        [ value] 80092013
      • CertificateRevocationList
        [ location] UrlCache
        [ url] http://the correct URL
        [fileRef] 6E463C2583E17C63EF9EAC4EFBF2AEAFA04794EB.crl
        [issuerName] the name of the CA

    Furthermore, I can see the HTTP request to the correct URL and the server's response (HTTP 304 Not Modified) with Microsoft Network Monitor.

    I ran certutil -verify -urlfetch, and it seems to show the same thing: the computer recognizes both URLs, tries both, and even though the http:// link succeeds, returns the same error.

    Is there a way to have non-domain-joined clients skip the ldap:/// link and only check the http:// one?

    Edit:
    The ldap:/// URL is 

    ldap:///CN=<name of CA>,CN=<name of server that is running the CA>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>?certificateRevocationList?base?objectClass=cRLDistributionPoint

    The non-domain-joined clients may be on the domain network or on an external network. The http:// CDP is accessible from the public internet.

    • Ryan Ries
      Ryan Ries almost 10 years
      Very good question that I myself have run into and do not know the answer to. I think it might be a bug. Has not been urgent enough for me to open a support case with MS about it though.
    • Ryan Ries
      Ryan Ries almost 10 years
      Your only workaround may be re-issuing the certs with only the HTTP CDP on them.
    • cornelinux
      cornelinux almost 10 years
      I am a bit confused. I think that an PKI enabled application should check all mentioned CDPs and use the one, it can find. So I would guess that his is a mistake of the client. Which application is using the certificates? Other possibility might be: What does the ldap-URL look like and where are the non-domain-joined client located. Maybe you could setup a fake ldap-system, that provides the CRL.
    • 0xFE
      0xFE almost 10 years
      @cornelinux The actual client is a WCF program, but certutil, the built-in program is exhibiting the same behavior. The WCF client does not explicitly check for CDPs or anything, but the check happens automatically.
    • cornelinux
      cornelinux almost 10 years
      Looking at this (social.technet.microsoft.com/Forums/windowsserver/en-US/…) and the third answer by Brian (who probably is Brian Komar), he states, that you should only use HTTP in the CDP (no File, no LDAP).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I get SBS2011 to issue certificates?
Domain Controller promotion and certificate autoenrollment
Microsoft Standalone CA - Set expiration date of an individual request
Group security permissions for certificate template not working
Cross Forest Certificate Authority
ERR_CERT_COMMON_NAME_INVALID with internal AD CA wildcard
How to publish a CRL for an internal Windows certification authority?
Create and use intermediate certificate authority on Windows Server 2012?
Does a domain computer trust certs from domain CA
Cannot issue Computer cert to standalone computer from my ECA