Certificate Revoked WES 7 SP1
When attempting to connect to an RDS gateway from a machine that is not on the domain I receive the error "A revocation check could not be performed for the certificate". We're using an internal CA for the certificates in the RDS farm and the CRL lookup works fine for machines on the domain. When attempting to access http://servername/certenroll/certname.crl from the non-domain machine I can access it no worries.

Note: The non-domain machine is running Win7 Embedded and the CA has been added to the Trusted Root Authority (Computer).

When attempting a "certutil -urlfetch -verify certname.cer" on the certificate in question I receive the following:

C:\Users\Administrator\Desktop>certutil -urlfetch -verify test.cer
Issuer:
    CN=servername
    DC=domain
    DC=com
    DC=au
Subject:
    E=administrator@domain.com.au
    CN=myserver.domain.com.au
    OU=<omitted>
    O=<omitted>
    L=<omitted>
    S=<omitted>
    C=<omitted>
Cert Serial Number: 1b6680e6000100000489

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  NotBefore: 12/15/2010 11:47 PM
  NotAfter: 12/15/2011 11:47 PM
  Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
  Serial: 1b6680e6000100000489
  SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
  Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
  5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (0190)" Time: 0
    [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://servername.domain.com.au/CertEnroll/servername.crl
  ---------------- Base CRL CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 0190:
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  9b a4 6c 0d ce 27 fe fc a8 e1 6e 94 3e b5 3f c5 5f 06 ce 1c
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=servername, DC=domain, DC=com, DC=au
  NotBefore: 3/15/2010 12:08 AM
  NotAfter: 12/12/2015 10:30 PM
  Subject: CN=servername, DC=domain, DC=com, DC=au
  Serial: 48e9cd0e5203d29947c6b6c9640e9bc0
  Template: CA
  bd 03 7c e9 94 78 e2 e2 5b f0 5c f3 02 71 a1 00 78 bc 23 b7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  5e 12 f5 da ff 73 e1 1d 6e 33 b0 0f b3 ab 9d 0d de 4d 7f 00
Full chain:
  a5 0c 5b 60 83 94 a9 4b 13 18 ce e1 ac c0 d1 1e 02 13 af 76
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 12/15/2010 11:47 PM
NotAfter: 12/15/2011 11:47 PM
Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
Serial: 1b6680e6000100000489
SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

C:\Users\Administrator\Desktop>

The problem is, when I check "Include in CRLs", all domain machines stop trusting the CA. I believe this is due to the following GPO setting: "To perform certificate-based authentication of users and computers, CAs must meet the following criteria - Registered in Active Directory only." When looking in the actual GPO itself, it appears there are no options configured and instead only an import option for a certificate. Should I just import the CA's certificate into the GPO? If I join the domain it will work for 10 days and then receive the error.

Please advise
Debbie Baldassini
May 13th, 2011 1:47am

On Thu, 12 May 2011 22:47:00 +0000, Debbie Baldassini wrote:

> ---------------- Certificate AIA ----------------
> Failed "AIA" Time: 0
>   Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
>   ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority

This is your problem. You've only set up an LDAP URL for the AIA location, and your non-domain-joined clients are not allowed access to Active Directory to retrieve any required intermediate certificates in the chain. Since they can't retrieve the intermediate certs, they can't check those certs for revocation, and you get the kind of misleading error message that the revocation server is offline. You're going to need to add an HTTP location for AIA publishing, then renew/reissue all certs below the root CA. While you're fixing this error, you should also make the HTTP locations for both the CRL and AIA publishing points first in order, and you should remove the file:// URL, as that is not a supported protocol for either AIA or CRL retrieval.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
People who deal with bits should expect to get bitten. -- Jon Bentley
May 13th, 2011 6:23pm
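The check below is an added example, not code from the thread or from either poster. It turns the diagnosis in the reply above into something repeatable: it parses the "Certificate AIA" and "Certificate CDP" sections of a certutil -urlfetch -verify transcript and flags the three things the reply calls out, namely a publishing point with no HTTP URL, an HTTP URL that is not first in order, and a URL scheme other than http or ldap (the file:// entry). The first transcript is constructed from the output posted in the question; the second is an assumed "after the fix" layout, and its status wording and .crt filename are illustrative, not copied from a real run.

```python
import re

# Constructed sample, shaped after the certutil -urlfetch -verify transcript in the
# thread: an LDAP-only AIA, a CDP whose LDAP URL comes before the HTTP one, and a
# file:// CDP entry. Hostnames are the thread's own anonymised placeholders.
BROKEN_OUTPUT = """\
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
  Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
  ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
  Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
  ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (0190)" Time: 0
  [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
Failed "CDP" Time: 0
  Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
  file://servername.domain.com.au/CertEnroll/servername.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
"""

# Constructed "after the fix" transcript (an assumption): HTTP first for both AIA and
# CDP, LDAP second, no file:// entry. Status wording and the .crt name are illustrative.
FIXED_OUTPUT = """\
---------------- Certificate AIA ----------------
Verified "AIA" Time: 0
  http://servername.domain.com.au/CertEnroll/servername.domain.com.au_servername.crt
Failed "AIA" Time: 0
  ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (0190)" Time: 0
  http://servername.domain.com.au/CertEnroll/servername.crl
Failed "CDP" Time: 0
  ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
"""

# "---------------- Certificate AIA ----------------" style section headers.
SECTION_RE = re.compile(r"^-+\s*(?P<name>[A-Za-z][^-]*?)\s*-+$")
# 'Failed "AIA" Time: 0' / 'Verified "Base CRL (0190)" Time: 0' / 'No URLs "None" Time: 0'
STATUS_RE = re.compile(r'^(?P<status>Failed|Verified|No URLs)\s+"(?P<what>[^"]*)"\s+Time:\s*\d+')
# A URL line, optionally prefixed with certutil's "[1.0]" style index.
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s*)?(?P<url>(?:ldap|https?|file):/\S*)$", re.IGNORECASE)

# Schemes a client can actually use for chain building and CRL retrieval per the reply;
# anything else (file:// in the thread) is flagged.
SUPPORTED_SCHEMES = ("http", "ldap")


def parse_urlfetch(text):
    """Map each certutil section name to the URLs listed under it, in order.

    Each URL carries its scheme and the Failed/Verified status line that preceded it.
    """
    sections = {}
    current = None
    last_status = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            last_status = None
            continue
        m = STATUS_RE.match(line)
        if m:
            last_status = m.group("status")
            continue
        m = URL_RE.match(line)
        if m and current is not None:
            url = m.group("url")
            scheme = url.split(":", 1)[0].lower()
            sections[current].append({"url": url, "scheme": scheme, "status": last_status})
    return sections


def assess(sections):
    """Return (section, code, detail) findings for the AIA and CDP publishing points."""
    findings = []
    for name in ("Certificate AIA", "Certificate CDP"):
        entries = sections.get(name, [])
        schemes = [e["scheme"] for e in entries]
        if "http" not in schemes:
            # Non-domain clients cannot reach LDAP, so without HTTP they can fetch nothing.
            findings.append((name, "no-http", "only " + (", ".join(sorted(set(schemes))) or "no URLs")))
        elif schemes[0] != "http":
            # HTTP should be tried first so clients do not stall on an unreachable LDAP URL.
            findings.append((name, "http-not-first", schemes[0]))
        for e in entries:
            if e["scheme"] not in SUPPORTED_SCHEMES:
                findings.append((name, "unsupported-scheme", e["url"]))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_OUTPUT), ("fixed", FIXED_OUTPUT)):
        findings = assess(parse_urlfetch(text))
        print(f"{label}: {len(findings)} finding(s)")
        for section, code, detail in findings:
            print(f"  {section}: {code} ({detail})")
```

To use it on a real machine, save the transcript (`certutil -urlfetch -verify cert.cer > out.txt`) and call `assess(parse_urlfetch(open("out.txt").read()))`. An LDAP URL that fails from a non-domain machine is expected and is deliberately not a finding on its own; the problem the reply points at is the absence of an HTTP alternative, which is what `no-http` reports.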
