Computer with Revoked Certificate can still connect
Hi, I have set up a RAS VPN server on Windows 2008 R2. I have also set up a CA on a 2008 R2 DC. All is working fine and I can install computer certificates on domain members, and they can then connect to the network remotely using an L2TP/IPsec connection. I have one issue though. When I revoke that computer's certificate the computer is still able to connect. I have checked the CRL using the CA MMC snap-in on the DC and the machine certificate appears there under the list of revoked certificates. The CRL distribution point is set to the default - no changes have been made to this. I altered the CRL publication interval to 1 hour, but only after the certificate was issued. Is there a way to force the authenticating server or client to check the CRL before allowing the machine to connect? I have also seen that the client has a cache of CRL responses - is there a way to clear this? Thanks. JP
September 14th, 2011 5:17am

Waiting for the CRL to expire or for the next delta CRL to publish is the correct answer (you cannot go and delete the cache every time you revoke a certificate). What are your base CRL and delta CRL publication intervals? Brian
September 14th, 2011 7:02am

Hi Brian, Thanks for the response. The Delta CRL & CRL publication intervals are set to 1 hour. When the certificate was created the CRL publication interval was 1 week. Does this mean I need to wait 1 week before the certificate is no longer trusted and that computer can no longer connect? Regards, JP
September 14th, 2011 7:14am

If the server downloaded and cached a CRL good for a week, then yes, you must wait that long. It sounds like you need to review your revocation settings against your revocation policy requirements. For example, if you need a revocation to be recognized by the next morning, then you can still use weekly base CRLs, but must publish a minimum of daily delta CRLs that are published first thing in the morning. Brian
September 14th, 2011 9:19am
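The schedule change Brian describes (keep a weekly base CRL, publish deltas often) is made on the issuing CA, not on the VPN server. The following is an added example, not code from anyone in this thread, showing how to read the current publication periods, switch to hourly deltas, and publish immediately instead of waiting for the next scheduled run. It assumes an elevated PowerShell session on the CA, the default CertEnroll path, and the English `certutil -dump` field names (`ThisUpdate`/`NextUpdate`):

```powershell
# Added example (not from the thread): tighten the CRL publication schedule on
# the issuing CA and confirm the NextUpdate of what was actually published.
# Run elevated on the CA. Weekly base / hourly delta are assumed values that
# match what the thread is aiming for.

# 1. Current schedule. CRLPeriod* is the base CRL, CRLDeltaPeriod* the delta CRL.
foreach ($key in 'CRLPeriod', 'CRLPeriodUnits', 'CRLDeltaPeriod', 'CRLDeltaPeriodUnits') {
    certutil -getreg "CA\$key"
}

# 2. Keep a weekly base CRL but publish a delta CRL every hour.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Hours"

# 3. The CA service reads these values at start-up.
Restart-Service -Name CertSvc

# 4. Publish now rather than waiting for the scheduled publication
#    (-CRL publishes base and delta; 'certutil -CRL delta' publishes only the delta).
certutil -CRL

# 5. Show ThisUpdate/NextUpdate of the newest CRL file in the default CertEnroll
#    directory (path assumed). A relying party that cached an earlier base CRL
#    keeps using it until that CRL's NextUpdate, whatever you publish now.
$newest = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $newest.FullName | Select-String 'ThisUpdate|NextUpdate'
```

Step 5 is the check that answers the "do I have to wait a week?" question: the NextUpdate of the CRL a relying party already holds, not the interval you just configured, decides when it will fetch again.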

I have removed the certificate that was installed and installed a new certificate with the CRL publication set to 1 hour. I have revoked this certificate and will wait 1 hour and check if the client can still connect. Are there any logs to check to ensure that the client or the RAS server is actually attempting to read the CRL and verify that the certificate is valid? JP
September 14th, 2011 9:50am

Please note that strong CRL checking is disabled by default for IPsec in the Windows platform up to Windows Server 2008 R2.

netsh advfirewall sh global ipsec

Global Settings:
---------------------------------------------------------------------
StrongCRLCheck                        0:Disabled

/Hasain
September 14th, 2011 10:47am
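The value Hasain is pointing at has three settings: 0 disables CRL checking for IPsec, 1 fails authentication only when the certificate is known to be revoked, and 2 also fails when the CRL cannot be retrieved. The following is an added example, not code from the thread, that enables strict checking on the VPN server, flushes the locally cached CRLs so the next fetch goes to the CDP instead of reusing a week-old base CRL, and restarts the services that consume the setting. It assumes an elevated session on the RAS server and the standard service names (PolicyAgent, IKEEXT, RemoteAccess). As the thread notes later, RRAS on 2008 R2 needs KB2351254 before it honors this value at all.

```powershell
# Added example (not from the thread): enable strict IPsec CRL checking on the
# RAS/RRAS server, flush cached CRLs, and restart the services that read the
# setting. Run elevated on the VPN server.

# Current value (0 = disabled, 1 = fail on revoked only, 2 = fail on any error).
netsh advfirewall show global | Select-String 'StrongCRLCheck'

# Enable strict checking.
netsh advfirewall set global ipsec strongcrlcheck 2

# Mark the CryptoAPI chain cache as stale and drop cached CRLs, so the server
# does not keep trusting a previously cached base CRL until its NextUpdate.
certutil -setreg chain\ChainCacheResyncFiletime @now
certutil -urlcache crl delete

# IPsec Policy Agent, IKE/AuthIP keying modules, and Routing and Remote Access.
# -Force also restarts services that depend on these.
foreach ($svc in 'PolicyAgent', 'IKEEXT', 'RemoteAccess') {
    Restart-Service -Name $svc -Force
}

# Confirm the value took effect.
netsh advfirewall show global | Select-String 'StrongCRLCheck'
```

Setting 2 is the safer choice from a security standpoint but it turns an unreachable CDP into a VPN outage, so the CDP URLs in the issued certificates must be reachable from the RAS server before you enable it.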

Thanks Hasain, I ran that command on the RAS server and it showed up as disabled, as above. Where do I need to set this StrongCRLCheck? Should it be on the RAS server, the workstations and/or the CA server? I set the value to 2 on the workstation & the RAS server and I am still able to connect with the revoked certificate.
September 14th, 2011 11:03am

It should be on the server. Have you restarted the IPSec Policy Agent, RRAS and IKE and AuthIP services after the change? /Hasain
September 14th, 2011 11:15am

Hi Hasain, I restarted the server after making the change and I can still connect with the revoked cert. JP
September 15th, 2011 3:38am

Ok, according to KB2351254 (http://support.microsoft.com/kb/2351254) the Remote Access Service (RAS) on 2008 R2 ignores the global IPsec StrongCRLCheck setting, and you need a hotfix and a new registry key to correct that behavior. /Hasain
September 15th, 2011 4:33am

Thanks Hasain, I came across the hotfix above. When I run it, however, it tells me 'The update is not applicable to your computer'. I have made the registry change in the article and it does not appear to make any difference. I am currently attempting to publish the CRL to a publicly accessible web server to see if that makes any difference, although it is my understanding that it is the RAS server which checks the CRL and not the client. JP
September 15th, 2011 4:51am

The hotfix is for all supported x64-based versions of Windows Server 2008 R2, so it should install with no problems on your 2008 R2 server unless you have some special version; in that case contact Microsoft support to get a working version. Make sure your server can access the CRL, as the CRL checking is performed at the RAS server side. /Hasain
September 15th, 2011 5:07am

Just to clarify, did you restart the server after the setting change? My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 15th, 2011 7:13am

Hi Vadims, Yes, I have restarted the server. I have a feeling I am missing something very simple which is allowing the machine with the revoked cert to connect. JP
September 15th, 2011 7:17am

Ok, can you run 'certutil -verify -urlfetch problemcert.cer' and show us the output? The command should be launched on the RRAS server (if you revoke the remote client certificate). It seems that something is wrong in your configuration. My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 15th, 2011 7:33am

Hi Vadims, I exported the certificate from the machine and copied it to d:\temp on the RRAS server. I then ran the command 'certutil -verify -urlfetch d:\temp\problemcert.cer'. I have pasted the output below - please note I have replaced the name of my DC with 'DCSERVER' and the name of my domain with 'domain'. Thanks for your assistance with this. JP

Issuer:
    CN=domain-DCSERVER-CA
    DC=domain
    DC=local
Subject:
    CN=PMO003.domain.local
Cert Serial Number: 2e920d88000000000037

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
ChainContext.dwRevocationFreshnessTime: 50 Minutes, 43 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwRevocationFreshnessTime: 50 Minutes, 43 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  Issuer: CN=domain-DCSERVER-CA, DC=domain, DC=local
  NotBefore: 15/09/2011 10:05
  NotAfter: 14/09/2012 10:05
  Subject: CN=PMO003.domain.local
  Serial: 2e920d88000000000037
  SubjectAltName: DNS Name=PMO003.domain.local
  Template: Machine
  77 7e e1 23 04 2e 94 ea b8 1f 05 51 f1 c1 69 aa 28 c8 62 05
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

  ---------------- Certificate AIA ----------------
  Wrong Issuer "Certificate (0)" Time: 0 [0.0]
    ldap:///CN=domain-DCSERVER-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (1)" Time: 0 [0.1]
    ldap:///CN=domain-DCSERVER-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority

  ---------------- Certificate CDP ----------------
  Verified "Base CRL (3e)" Time: 0 [0.0]
    ldap:///CN=domain-DCSERVER-CA,CN=DCSERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190193 (-2145844845)
    http://DCSERVER.domain.local/CertEnroll/domain-DCSERVER-CA.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://DCSERVER.domain.local/CertEnroll/domain-DCSERVER-CA.crl
  Verified "Base CRL (3e)" Time: 4 [3.0]
    http://crl.externaldomainname.com/crl/domain-DCSERVER-CA.crl

  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0

  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0

  --------------------------------
  CRL 3e:
  Issuer: CN=domain-DCSERVER-CA, DC=domain, DC=local
  48 bb 34 60 28 dd 70 09 b4 b9 86 31 6c 67 01 6f 5a 40 94 6d
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-DCSERVER-CA, DC=domain, DC=local
  NotBefore: 06/09/2011 09:06
  NotAfter: 06/09/2016 09:16
  Subject: CN=domain-DCSERVER-CA, DC=domain, DC=local
  Serial: 4ddb416114e009a44c8d94a79717d14b
  Template: CA
  38 ea 3e 95 1b 40 7c 30 69 82 1a 4c 66 8c 9a 50 18 cd b7 69
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0

  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0

  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0

  --------------------------------

Exclude leaf cert:
  ec 9f e6 cd 13 b5 95 6c 82 28 6f da 70 70 80 09 c5 9b f6 35
Full chain:
  27 d0 66 35 d1 48 cf da e2 6d f0 3c c7 85 53 16 62 30 9c 66
Issuer: CN=domain-DCSERVER-CA, DC=domain, DC=local
NotBefore: 15/09/2011 10:05
NotAfter: 14/09/2012 10:05
Subject: CN=PMO003.domain.local
Serial: 2e920d88000000000037
SubjectAltName: DNS Name=PMO003.domain.local
Template: Machine
77 7e e1 23 04 2e 94 ea b8 1f 05 51 f1 c1 69 aa 28 c8 62 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.
September 15th, 2011 8:07am
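The trace JP posted is the useful artifact in this thread: CryptoAPI on the RRAS server already sees the certificate as revoked (ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED, freshness under an hour), two of the three CDP URLs fail, and the verdict is "Leaf certificate is REVOKED". If the client still connects after that, the problem is the authenticating service not asking for revocation, not the CRL. The following is an added example, not code from anyone in the thread, that runs the same command and pulls those fields out so the check can be repeated after each change. The certificate path is an assumption, and the regular expressions match the English `certutil -verify -urlfetch` output format as it appears above.

```powershell
# Added example (not from the thread): run certutil -verify -urlfetch on the
# RRAS server and summarise the revocation-relevant parts of the trace.
# $CertPath is an assumption; adjust to where the exported client cert lives.
param([string]$CertPath = 'D:\temp\problemcert.cer')

$trace = certutil -verify -urlfetch $CertPath 2>&1 | Out-String

$report = [ordered]@{
    # Overall chain status (CERT_TRUST_IS_REVOKED expected for a revoked cert).
    ChainError    = [regex]::Match($trace, 'ChainContext\.dwErrorStatus = (\S+)').Groups[1].Value
    # Age of the revocation data the decision was based on.
    Freshness     = [regex]::Match($trace, 'ChainContext\.dwRevocationFreshnessTime: ([^\r\n]+)').Groups[1].Value
    # CDP URLs that could not be retrieved from this host. A relying party that
    # only has these URLs will never learn about the revocation.
    FailedCdpUrls = [regex]::Matches($trace, 'Failed "CDP"[\s\S]*?((?:http|ldap|file)://\S+)') |
                    ForEach-Object { $_.Groups[1].Value }
    # Final verdict line, e.g. "Leaf certificate is REVOKED".
    Verdict       = [regex]::Match($trace, 'Leaf certificate is (\S+)').Groups[1].Value
    Revoked       = ($trace -match 'Certificate is REVOKED')
}
[pscustomobject]$report | Format-List

if ($report.Revoked) {
    Write-Warning ("CryptoAPI on this server sees the certificate as revoked " +
                   "(freshness $($report.Freshness)). A VPN client that still " +
                   "connects is being authenticated without a revocation check.")
}
if ($report.FailedCdpUrls) {
    Write-Warning ("Unreachable CDP URLs from this host: " + ($report.FailedCdpUrls -join ', ') +
                   ". Fix or remove them before enabling StrongCRLCheck=2, or IPsec will fail closed.")
}
```

Run it once before revoking (expect Verdict = OK or similar and Revoked = False) and again after the CRL is republished; the Freshness value tells you which CRL the server is actually using, which is the question the thread keeps circling back to.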
