CRL check for SSTP
Hi! I have configured a 2008 R2 PPTP/SSTP VPN server. PPTP connections are OK, and SSTP connections are OK if I disable the CRL check in my Windows 7 client registry. The certificate issued to the VPN server lists the external URL for the CRL check (HTTP). From a web browser, you can download the files without any problem. The CRL is available from a web server, not the CA itself. I published the CA CertEnroll folder through a virtual directory on the published web server (IIS7) named CERT: http://mail-hdg.com/CRL/w2k3-caroot-hdg.crl. The root CA is publishing the CRLs + deltas normally in its default folder. When I launch the SSTP connection, I get a 0x80092013 error saying the server for the CRL check is offline! If I run, from my Win7 (outside the corp LAN), certutil -verify -urlfetch CArootcert (on the ROOT CA cert for instance), I should get "verified" for the HTTP URL, but:

U:\>certutil -verify -urlfetch c:\carootTutiac.cer
Émetteur:
    CN=W2K3-CAROOT-HDG
    DC=hdg
    DC=local
Objet:
    CN=W2K3-CAROOT-HDG
    DC=hdg
    DC=local
Numéro de série du certificat : 5d82a95b6f315d87466a4ed7191ba0d7

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=W2K3-CAROOT-HDG, DC=hdg, DC=local
  NotBefore: 25/10/2010 14:36
  NotAfter: 25/10/2015 14:44
  Subject: CN=W2K3-CAROOT-HDG, DC=hdg, DC=local
  Serial: 5d82a95b6f315d87466a4ed7191ba0d7
  Template: CA
  0d 0a 24 71 22 a6 1a c1 bc 7b 6d de 7b c7 aa cd 25 71 22 f8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA de certificat ----------------
  Pas d'URL "Aucun" Heure : 0
  ---------------- CDP de certificat ----------------
  Échec "CDP" Heure : 0
    Erreur lors de la récupération de l'URL : Plus de données sont disponibles. 0x800700ea (WIN32/HTTP: 234)
    ldap:///CN=W2K3-CAROOT-HDG(1),CN=hdg-exchange,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=hdg,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Échec "CDP" Heure : 0
    Erreur lors de la récupération de l'URL : Cette demande n'est pas prise en charge. 0x80070032 (WIN32: 50)
    file://\\hdg-exchange.hdg.local\CertEnroll\W2K3-CAROOT-HDG(1).crl
  Émetteur incorrect "Liste de révocation des certificats de base (0a)" Heure : 1
    [2.0] http://mail-hdg.com/CRL/W2K3-CAROOT-HDG.crl
  Échec "CDP" Heure : 0
    Erreur lors de la récupération de l'URL : Plus de données sont disponibles. 0x800700ea (WIN32/HTTP: 234)
    [2.0.0] ldap:///CN=W2K3-CAROOT-HDG,CN=hdg-exchange,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=hdg,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Échec "CDP" Heure : 0
    Erreur lors de la récupération de l'URL : Cette demande n'est pas prise en charge. 0x80070032 (WIN32: 50)
    [2.1.0] file://\\hdg-exchange.hdg.local\CertEnroll\W2K3-CAROOT-HDG+.crl
  Émetteur incorrect "Liste de révocation des certificats delta (0a)" Heure : 0
    [2.0.2] http://mail-hdg.com/CRL/W2K3-CAROOT-HDG.crl
  ---------------- Protocole OCSP du certificat ----------------
  Pas d'URL "Aucun" Heure : 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  0d 0a 24 71 22 a6 1a c1 bc 7b 6d de 7b c7 aa cd 25 71 22 f8
------------------------------------
Stratégies d'émissions vérifiées: Tous
Stratégies d'application vérifiées: Tous
Cert est un certificat d'autorité de certification
ERREUR : la vérification de l'état de révocation du certificat feuille a renvoyé La fonction de révocation n'a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613)
CertUtil: La fonction de révocation n'a pas pu vérifier la révocation car le serveur de révocation était déconnecté.
CertUtil: -verify La commande s'est terminée correctement.

Any help on that issue is welcome. Thanks
October 26th, 2010 10:58am

I found at least one issue: your DeltaCRL is not available for external clients, because there is only an LDAP URL for the DeltaCRL and no HTTP one. As a result, external clients will be able to check the BaseCRL, but not the DeltaCRL, and revocation checking will fail.
http://en-us.sysadmins.lv
October 26th, 2010 5:00pm

Hi superludox, Please follow what Vadims mentioned and check whether w2k3-caroot-hdg.crl can be correctly accessed via the URL path “http://mail-hdg.com/CRL/w2k3-caroot-hdg.crl” from an external remote computer. If yes, please try republishing it and check whether this issue persists. Meanwhile, as you know, this forum is geared to answer on the English version of the product. Although we would try our best to assist you here, for support for localized versions it would be best to use the support resources appropriate to that language. I would like to suggest that you post the problem in the appropriate forum to ensure that you are best served by the most suitable engineers. Thank you for your understanding.
Tiger Li TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 27th, 2010 1:42am

Thanks for your help! I will try to add the URL for the delta CRL.
October 27th, 2010 7:57am

You just need to change the existing paths and URLs by adding the <DeltaCRLAllowed> variable to the end of the file name (before the file extension) and enable the appropriate checkboxes.
http://en-us.sysadmins.lv
October 27th, 2010 8:08am
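As an added example (not Vadims' or the thread's own commands), here is one way to apply that advice with certutil on the CA rather than through the GUI checkboxes: in the certutil output above, the file:// URLs carry the "(1)" key suffix and the "+" delta marker while the HTTP URL carries neither, which is exactly what the %8 (CRLNameSuffix) and %9 (DeltaCRLAllowed) variables supply. The registry value name, the flag bits and the default local/LDAP entries are standard certutil configuration; the exact CertEnroll path, the copy step to the IIS virtual directory and the certificate file name are assumptions.

```powershell
# Added example: rewrite the CA's CRL publication URLs so the HTTP location gets the
# same "(1)" and "+" name suffixes as the file and LDAP locations.
# Run from an elevated PowerShell prompt on the CA (hostname mail-hdg.com is from the thread).
#
# certutil variables: %3 = CA name, %8 = CRL name suffix ("(1)" after a key renewal),
# %9 = DeltaCRLAllowed ("+" for a delta CRL), %6/%10 = AD configuration container / object class.
# Flag bits per URL:  1 = publish CRLs here, 64 = publish delta CRLs here,
#                     2 = include in the CDP extension of issued certificates,
#                     4 = include in CRLs (the Freshest CRL pointer clients use to find the delta),
#                     8 = include in all CRLs (LDAP publish location).

# Record the current value before changing it.
certutil -getreg CA\CRLPublicationURLs

$urls = @(
  # 65 = 1 + 64: write base and delta CRL to the local CertEnroll folder (assumed default path)
  "65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl",
  # 6 = 2 + 4: HTTP URL goes into issued certificates' CDP and into the base CRL's Freshest CRL
  "6:http://mail-hdg.com/CRL/%3%8%9.crl",
  # 79 = 1 + 2 + 4 + 8 + 64: standard AD DS publishing location, kept for domain clients
  "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)
# certutil separates REG_MULTI_SZ entries with a literal backslash-n sequence.
certutil -setreg CA\CRLPublicationURLs ($urls -join "\n")

# Restart the CA service and issue fresh base and delta CRLs with the new names.
Restart-Service certsvc
certutil -crl

# Copy W2K3-CAROOT-HDG(1).crl and W2K3-CAROOT-HDG(1)+.crl from CertEnroll to the
# IIS virtual directory behind http://mail-hdg.com/CRL/ (copy mechanism is site-specific).

# From an external client, every CDP entry should now report "Vérifié" / "Verified"
# (assumed file name for the exported SSTP server certificate):
certutil -verify -urlfetch .\sstp-server.cer
```

Certificates issued before the change still carry the old CDP extension, so the SSTP server certificate has to be reissued after the CA is reconfigured for the client check to pass.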

I have a similar problem and would be very thankful if someone can provide some feedback. I have some external clients who receive Error 0X80092013 (revocation server was offline) when connecting via SSTP. However, other external clients connect fine via SSTP. Any help please!
October 28th, 2010 4:26pm

Hi superludox, Have you tried the method that Vadims mentioned? If there is any update on this issue, please feel free to let us know. We are looking forward to your reply. Thanks.
Tiger Li TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 29th, 2010 1:55am

> I have a similar problem and would be very thankful if someone can provide some feedback. I have some external clients who receive Error 0X80092013 (revocation server was offline) when connecting via SSTP. However, other external clients connect fine via SSTP. Any help please!

Please show us the output from the client computer: certutil -verify -urlfetch <File.cer> where <file.cer> is the SSTP certificate.
http://en-us.sysadmins.lv
October 29th, 2010 3:29am

Hi, I've got this error when initiating my SSTP connection: "The revocation function was unable to check revocation because the revocation server was offline." I'm actually trying to disable the CRL check on my Seven client. What value must be changed in the registry in order to do this? Thanks
May 4th, 2011 8:16am
