RemoteApps - Windows Server 2008 R2 - Revocation Check error
Hi, I am trying to implement certificates for use in a RemoteApp website and programs. The RemoteApps all work fine when not using any certificates, so I know that setup is all correct. But when I add a certificate to the RemoteApp configuration, I end up with a certificate error: "A Revocation Check could not be performed for the certificate", "You may not proceed due to severity of the certificate errors". When I view the certificate, all the certificates in the path are "OK". The certificate is also present on the PC. The same certificate is also used to access the RemoteApp website, and no errors occur there. And so the certificate exists both on the host and the workstation. Also... this error only occurs for any user that is not part of the same Active Directory Site but is on the same domain. Any help will be very greatly appreciated. Thanks, -Tim
July 27th, 2011 6:11am

Please consider the following requirements:
The issuer of the certificate must be trusted by the client computer, and the Root CA must be in the Trusted Root CA machine store.
The server certificate revocation information (CRL and/or OCSP) must be available to all clients at the time of connect.
/Hasain
July 27th, 2011 6:52am

Hey Hasain, Looks like you're turning into my guardian angel ;) The certificate must be trusted by the client, as the web site uses the same certificate and has no certificate errors on it, and the Root CA is in the Trusted Root Store and is published there by GPO. I am connecting to the machine remotely via Remote Desktop, so it is on and communicating with our network. -Tim
July 27th, 2011 7:14am

RDP requires strong certificate revocation checking when validating the server certificate. The revocation check is performed by the client computer and not by the RDP user process. This is why it is required that the trust is in the computer store and not in the user store, and that the CRL is reachable. The server certificate must as well have the Server Authentication application policy, just like any web server certificate.
To check the revocation check is working:
save a local copy of the server certificate
run the command: certutil -url servercert.cer
make sure you can reach at least one of the CRL/OCSP URLs
My pleasure helping out... /Hasain
July 27th, 2011 7:31am

Hi Hasain, I am using a custom RAS and IAS Server certificate to get it working, which I think is Client and Server Authentication. I exported the RAS certificate I am using on the RD Server and ran certutil -url Test.Cer, and it errors with "Wrong Issuer" for both CDP and AIA. -Tim
July 27th, 2011 8:00am

The template should be fine with the Client and Server Authentication EKU. Can you compare the CDP URLs from the server certificate and the CDP config of the Issuing CA? The CDP & AIA URLs in the certificate should be included in the CA's CDP URLs. What is the CDP and AIA status in Enterprise PKI for the issuing CA? If Ent. PKI reports no errors, then try to renew your server certificate. If Ent. PKI reports any errors, make sure to clear all errors before proceeding. /Hasain
July 27th, 2011 1:02pm

"Can you compare the CDP URLs from the server certificate and the CDP config of the Issuing CA? The CDP & AIA URLs in the certificate should be included in the CA's CDP URLs."
Hi Hasain, Not really sure how to do this, but I looked at the URLs given in the certutil -url box and also looked at the extension properties for the Issuing CA, and they seem to correlate. I was just poking around and I got "CDP Successful" in the URL Retrieval Tool box, but AIA is still giving the same error. Thing is, apart from this wrong issuer error, I've never had a problem with AIA; it has always downloaded properly in PKIView (and still does). Also, when looking at URL Retrieval, there are many certificates in it (7!) -Tim
July 28th, 2011 4:01am

I have just run certutil -v -urlfetch -verify test.cer and this results in an error saying:
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
My layout is: Offline Root CA --> Issuing CA --> receivers. This seems like it is failing as it cannot talk to the Offline Root CA, but I am still not sure why it is saying Wrong Issuer for AIA and not CDP. Thanks, -Tim
July 28th, 2011 4:58am

Certutil lists all AIA URLs found in the certificate! AIA is not critical, and the issuer is already trusted using GPO as you described previously. Now that your CDP retrieval works, have you tested to connect again? If you are still getting the same error message, what are the URLs of your CDP?
certutil -getreg ca\crlpublicationurls
/Hasain
July 28th, 2011 5:05am

Hi Hasain, Nope, still the same Revocation Error, but it doesn't look like it's updated the certificate and all on the workstation I am trying to use RemoteApp on. Do I need to reboot it, or delete the certificate and re-install it (on the workstation)?
c:\Windows\System32\CertSrv\CertEnroll>certutil -getreg ca\crlpublicationurls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAN2\CRLPublicationURLs:
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
      CSURL_SERVERPUBLISH -- 1
      CSURL_SERVERPUBLISHDELTA -- 40 (64)
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
      CSURL_SERVERPUBLISH -- 1
      CSURL_ADDTOCERTCDP -- 2
      CSURL_ADDTOFRESHESTCRL -- 4
      CSURL_ADDTOCRLCDP -- 8
      CSURL_SERVERPUBLISHDELTA -- 40 (64)
CertUtil: -getreg command completed successfully.
-Tim
July 28th, 2011 5:45am

The server certificate does not need to be installed on any client, as the client will get the certificate as part of the RDP connection. Its issuer is already trusted, and that is the only requirement besides the revocation checking. Have you checked that the RemoteApp (RDS) server has the correct certificate installed? Another thing is that you need to make sure the root CA CRL is as available as the one from the issuing CA. The revocation check is performed for the complete certificate chain! Regarding the wrong issuer, has there been any renewal of your Root CA? /Hasain
July 28th, 2011 5:56am

Is the root certificate trusted in Trusted Roots in the computer certificate store? Trusts to PKI structures should be published into Active Directory using certutil instead of Group Policies, to be able to get the trust correctly populated into all computers in the forest; even if you promote new domains in the forest, all computers in the forest will have this trust. To simplify the management of the trust of your root, publish the root certificate to Active Directory using the following command:
certutil -f -dspublish yourrootcafile.cer RootCA
After a forest-wide replication and a group policy processing interval has occurred, you can delete your old group policy and take a look at the trust in "Manage AD Containers" in pkiview.msc instead. The only reason you want to use Group Policies for PKI trust distribution is when you want to limit the trust to a specific set of users, computers, sites and/or domains in your environment.
// Fredrik "DXter" Jonsson - http://www.poweradmin.se
July 28th, 2011 6:22am
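As an added illustration of the checks Hasain and Fredrik describe in the replies above (chain validation with revocation checking as the client computer performs it, the Server Authentication EKU, the root sitting in the computer store rather than the user store, and reachable CDP/AIA URLs for every certificate in the chain), here is a PowerShell script of mine. It is not code from the thread, from the posters, or from Microsoft. It assumes the server certificate has been exported to .\servercert.cer (a placeholder path) and uses only the .NET X509Chain and WebRequest classes plus the Cert: drive, so it runs on the Windows PowerShell 2.0 of a 2008 R2 era workstation. Run it on a workstation in the other AD site, where the error occurs: Tim's CRLPublicationURLs output contains only a file path and an LDAP URL, and LDAP CDPs are only usable where a domain controller is reachable, which is why the script reports them as not testable over HTTP.

```powershell
# Added example, not from the thread: rebuild the RD server certificate's chain the way
# the client computer does, and list every CRL/AIA URL that chain depends on.
# Assumptions: the exported server certificate is at .\servercert.cer (placeholder path);
# only .NET classes and the Cert: drive are used, so it runs on Windows PowerShell 2.0.
param([string]$CertPath = '.\servercert.cer')

function Get-CertUrls {
    # URLs from the CRL Distribution Points (2.5.29.31) and Authority Information
    # Access (1.3.6.1.5.5.7.1.1) extensions, read from the formatted extension text.
    param($Cert)
    $urls = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.31') { $kind = 'CDP' }
        elseif ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') { $kind = 'AIA' }
        else { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $urls += New-Object PSObject -Property @{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
    return $urls
}

function Test-Url {
    # HEAD request for HTTP URLs. LDAP URLs are left untested: they only resolve when a
    # domain controller is reachable, which is exactly what can differ between AD sites.
    param([string]$Url)
    if ($Url -notmatch '^https?://') { return 'not tested (LDAP needs a reachable domain controller)' }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $status = 'HTTP ' + [int]$resp.StatusCode
        $resp.Close()
        return $status
    } catch { return 'unreachable: ' + $_.Exception.Message }
}

function Test-RdpServerCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # 1. RDP needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1) on the server cert.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # 2. Chain build with online revocation for every certificate below the root.
    #    The root is the trust anchor and has no CRL of its own, but the issuing CA
    #    certificate is still checked against the root CA's CRL, so that CRL must be reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan -ArgumentList 0, 0, 15
    $valid = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })

    # 3. The top of the chain must sit in the computer's Trusted Root store; the user store does not count.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    # 4. Every CDP/AIA URL a client would have to fetch, with a reachability result.
    $urlChecks = @()
    foreach ($el in $chain.ChainElements) {
        foreach ($u in Get-CertUrls $el.Certificate) {
            $urlChecks += New-Object PSObject -Property @{
                Subject = $el.Certificate.Subject; Kind = $u.Kind; Url = $u.Url; Result = (Test-Url $u.Url)
            }
        }
    }

    New-Object PSObject -Property @{
        ServerAuthEku = $serverAuth; ChainValid = $valid; RootInMachineStore = $rootInMachineStore
        Problems = $problems; Urls = $urlChecks
    }
}

$report = Test-RdpServerCert $CertPath
$report | Format-List ServerAuthEku, ChainValid, RootInMachineStore
$report.Problems
$report.Urls | Format-Table Kind, Result, Url -AutoSize
```

ChainValid false together with a RevocationStatusUnknown or OfflineRevocation entry in Problems is the same condition the RDP client reports as "A Revocation Check could not be performed". Windows caches downloaded CRLs, so a workstation that once fetched them can look healthy after the URL has stopped being reachable; clear the cache with certutil -urlcache * delete before rerunning to see what a fresh client in that site would experience.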

Hi Guys, Thanks for all your help. I managed to get it working now. It seems there were some extra certificates that had expired that were getting in the way; once I cleared it all up, it all started playing ball. Thanks, -Tim
August 1st, 2011 2:05am
