A revocation check could not be performed for the certificate
When attempting to connect to an RDS gateway from a machine that is not on the domain I receive the error "A revocation check could not be performed for the certificate". We're using an internal CA for the certificates in the RDS farm and the CRL lookup works fine for machines on the domain. When attempting to access http://servername/certenroll/certname.crl from the non-domain machine I can access it no worries.

Note: The non-domain machine is running Win7 Embedded and the CA has been added to the Trusted Root Authority (Computer).

When attempting a "certutil -urlfetch -verify certname.cer" on the certificate in question I receive the following:

C:\Users\Administrator\Desktop>certutil -urlfetch -verify test.cer
Issuer:
    CN=servername
    DC=domain
    DC=com
    DC=au
Subject:
    E=administrator@domain.com.au
    CN=myserver.domain.com.au
    OU=<omitted>
    O=<omitted>
    L=<omitted>
    S=<omitted>
    C=<omitted>
Cert Serial Number: 1b6680e6000100000489

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  NotBefore: 12/15/2010 11:47 PM
  NotAfter: 12/15/2011 11:47 PM
  Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
  Serial: 1b6680e6000100000489
  SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
  Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
  5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (0190)" Time: 0
    [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://servername.domain.com.au/CertEnroll/servername.crl
  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 0190:
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  9b a4 6c 0d ce 27 fe fc a8 e1 6e 94 3e b5 3f c5 5f 06 ce 1c
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  NotBefore: 3/15/2010 12:08 AM
  NotAfter: 12/12/2015 10:30 PM
  Subject: CN=servername, DC=domain, DC=com, DC=au
  Serial: 48e9cd0e5203d29947c6b6c9640e9bc0
  Template: CA
  bd 03 7c e9 94 78 e2 e2 5b f0 5c f3 02 71 a1 00 78 bc 23 b7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  5e 12 f5 da ff 73 e1 1d 6e 33 b0 0f b3 ab 9d 0d de 4d 7f 00
Full chain:
  a5 0c 5b 60 83 94 a9 4b 13 18 ce e1 ac c0 d1 1e 02 13 af 76
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 12/15/2010 11:47 PM
NotAfter: 12/15/2011 11:47 PM
Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
Serial: 1b6680e6000100000489
SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

C:\Users\Administrator\Desktop>

Ryan.
April 19th, 2011 1:55am

Does anyone have any suggestions?
April 21st, 2011 3:45am

Bump
April 28th, 2011 6:19am

Seems to me that although you publish DELTA CRLs, you include just the LDAP path of the DELTAs in the issued BASE CRLs. If you look into the certificate, you will find the CRL Distribution Point locations that point to both LDAP and HTTP paths. That is correct and was actually verified. But when you download the BASE CRL from the HTTP path obtained from the certificate, you can look into the CRL and check that the CRL contains only the LDAP path to find DELTA CRLs. Go into the CA properties and on the Extensions tab select the CRL Distribution Point from the list. Click on the public HTTP path and below check that "Include in CRLs" is enabled. Then right-click on Revoked Certificates and click Publish. On the client, you can then check the CRL validation also with CERTUTIL -URL.

ondrej.
April 28th, 2011 11:22am
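A diagnostic for the situation Ryan's certutil output shows and Ondrej describes above, added here as an example and not something posted in the thread: it parses the text of "certutil -urlfetch -verify" and flags the artifacts (base CRL, delta CRL, issuer certificate) that a machine outside the domain, which cannot resolve ldap:/// paths, is unable to retrieve. The sample output it runs against is constructed by condensing the first post; the function names are my own.

```powershell
# Added example, not from the thread: parse "certutil -urlfetch -verify" text
# and report which revocation artifacts an off-domain client can still reach over HTTP.
function Get-CertutilUrlResults {
    param([Parameter(Mandatory)][string] $Text)
    # One match per fetch attempt: status word, quoted artifact name, then the URL
    # that follows it (after any error message and the optional [1.0.0] index).
    $pattern = '(?s)(Verified|OK|Failed)\s+"([^"]+)"\s+Time:\s*\d+.*?((?:ldap|https?|file)://\S+)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{
            Status   = $m.Groups[1].Value                       # Verified / OK / Failed
            Artifact = $m.Groups[2].Value                       # AIA, CDP, "Base CRL (0190)", ...
            Scheme   = ($m.Groups[3].Value -split '://')[0]     # ldap / http / file
            Url      = $m.Groups[3].Value
        }
    }
}

function Test-OffDomainRevocation {
    param([Parameter(Mandatory)][string] $Text)
    $results  = @(Get-CertutilUrlResults -Text $Text)
    $httpOk   = @($results | Where-Object { $_.Scheme -like 'http*' -and $_.Status -ne 'Failed' })
    $findings = @()
    if (-not ($httpOk | Where-Object { $_.Artifact -like 'Base CRL*' })) {
        $findings += 'Base CRL is not retrievable over HTTP'
    }
    # A delta CRL advertised only as ldap:/// is what leaves an off-domain client with
    # CERT_TRUST_IS_OFFLINE_REVOCATION even though the base CRL downloaded fine; the fix
    # is "Include in CRLs" on the HTTP CDP followed by republishing the CRL.
    $delta = @($results | Where-Object { $_.Url -match 'deltaRevocationList' -or $_.Artifact -like 'Delta CRL*' })
    if ($delta.Count -gt 0 -and -not ($httpOk | Where-Object { $_.Artifact -like 'Delta CRL*' })) {
        $findings += 'Delta CRL is published only to LDAP; off-domain clients cannot complete the revocation check'
    }
    if ($Text -match 'CERT_TRUST_IS_PARTIAL_CHAIN') {
        $findings += 'Chain is incomplete on this client: issuing CA certificate is neither in the trusted store nor fetched via AIA'
    }
    return $findings
}

# Constructed sample, condensed from the certutil output in the first post.
$sample = @'
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
  ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
Verified "Base CRL (0190)" Time: 0
  [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
  [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
'@
Test-OffDomainRevocation -Text $sample   # flags the delta CRL as reachable only via LDAP
```

Run it against live output with `Test-OffDomainRevocation -Text (certutil -urlfetch -verify .\test.cer | Out-String)` on the off-domain client; an empty result means every artifact the chain engine needs was fetched over HTTP.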

Ondrej, Thanks for that. I believe that will fix the issue also. The only problem is, when I check "Include in CRLs", all domain machines stop trusting the CA. I believe this is due to the following GPO setting: To perform certificate-based authentication of users and computers, CAs must meet the following criteria - Registered in Active Directory only. When looking in the actual GPO itself, it appears there are no options configured and instead only an import option for a certificate. Should I just import the CA's certificate into the GPO?

Ryan.
May 11th, 2011 2:38am

Okay, so I worked out that they haven't stopped trusting the CA. It appears that the CA is using a different (obsolete) certificate for the certsrv site - should this be updated through IIS or is there somewhere in Certificate Manager?

Also, when attempting to get the CRL from a non-domain machine I now receive the CRL error and "The certificate or associate chain is invalid (Code: 0x 10000)." This is what comes out when I verify the certificate with certutil:

C:\Users\Fritz\Desktop>certutil -urlfetch -verify servername.cer
Issuer:
    CN=servername
    DC=domain
    DC=com
    DC=au
Subject:
    E=administrator@domain.com.au
    CN=myserver.domain.com.au
    OU=<omitted>
    O=<omitted>
    L=<omitted>
    S=<omitted>
    C=<omitted>
Cert Serial Number: 1b6680e6000100000489

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  NotBefore: 16/12/2010 1:47 PM
  NotAfter: 16/12/2011 1:47 PM
  Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
  Serial: 1b6680e6000100000489
  SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
  Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
  5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  OK "Base CRL (01ab)" Time: 4
    [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Delta CRL (01ab)" Time: 4
    [1.0.1] http://servername.domain.com.au/CertEnroll/servername+.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://servername.domain.com.au/CertEnroll/servername.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
Missing Issuer: CN=servername, DC=domain, DC=com, DC=au
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 16/12/2010 1:47 PM
NotAfter: 16/12/2011 1:47 PM
Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
Serial: 1b6680e6000100000489
SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
  CN=servername, DC=domain, DC=com, DC=au
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
May 13th, 2011 7:06am
