RemoteApps - Windows Server 2008 R2 - Revocation Check error - File Locations
Hi, me again. RemoteApps are working perfectly for everyday domain users, but now I am trying to get it working for a Windows 7 Home Premium non-domain laptop. The domain user is connecting via VPN and then, using the RemoteApp site, opens the program, but during log on gets a revocation check error.

My original certificate only included an LDAP location; I assume a non-domain laptop cannot access LDAP locations on a domain. Therefore I have created a network share on the server that the user can access, and added an extension to the certificates pointing to this network share, but within PKIView it is appearing as "Unable to Download". The syntax I use is:

file://\\FQDN/Share$/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

I have republished the CRL and also revoked the CA Exchange certificate for the CA. LDAP still works fine; it is just this file location on the server itself that doesn't work, and of course revocation still fails for the user.

If you need any more information please let me know.

Thanks,
-Tim
September 23rd, 2011 4:06pm

On Fri, 23 Sep 2011 13:06:35 +0000, Timjeens wrote:

> file://\\FQDN/Share$/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl I have republished the CRL and also revoked the CA Exchange certificate for the CA. LDAP still works fine, it is just this File location on the server itself that doesn't work, and of course revocation still fails for the user.

"file" locations are not supported for CRL retrieval, you're going to have to use an HTTP URL.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The attention span of a computer is only as long as its power cord.
September 23rd, 2011 4:12pm

Ah, I wasn't sure. Do I then need to use an OCSP? Or is there a way I can do it with Win Server 2008 R2 Standard? Or is it only an Enterprise thing?

Thanks,
-Tim
September 23rd, 2011 6:30pm

You can optionally deploy OCSP, but just implementing an HTTP-based CRL that is accessible by all clients is sufficient.

Brian
September 23rd, 2011 7:11pm
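The two replies above boil down to one configuration change on the CA: the CDP extension written into issued certificates must carry an HTTP URL, while the CA itself can keep writing the CRL files to a local folder (or a UNC share) that IIS serves. The following is an added example, not code from the thread or from Microsoft; it uses the documented `certutil -setreg CA\CRLPublicationURLs` flag bits, and the host name, the IIS site name and the test-certificate path are assumptions.

```powershell
# Added example (not from the thread): point the CDP extension of a Windows
# Server 2008 R2 CA at an HTTP URL only, while the CA keeps writing the CRL
# files into the local CertEnroll folder that IIS serves. Run in an elevated
# PowerShell on the CA. The host name is an assumption; replace it.
$HttpHost = 'pki.example.corp'                          # assumed DNS name every client can resolve
$LocalDir = "$env:windir\system32\CertSrv\CertEnroll"   # default folder published by the Web Enrollment site

# Per-location flag bits understood by certutil -setreg CA\CRLPublicationURLs:
#   1  CA publishes base CRLs to this location
#   2  include this URL in the CDP extension of issued certificates
#   4  include this URL in the Freshest CRL (delta) extension of issued certificates
#  64  CA publishes delta CRLs to this location
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL marker, i.e. the
# <CAName><CRLNameSuffix><DeltaCRLAllowed> tokens written in the thread.
$Locations = @(
    "65:$LocalDir\%3%8%9.crl",                   # publish here only; a file path never goes into certs
    "6:http://$HttpHost/CertEnroll/%3%8%9.crl"   # the URL clients will actually fetch
) -join '\n'                                      # a literal \n separates entries for certutil

certutil -setreg CA\CRLPublicationURLs $Locations
Restart-Service CertSvc

# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed on the CertEnroll directory ('Default Web Site' is assumed).
& "$env:windir\system32\inetsrv\appcmd.exe" set config 'Default Web Site/CertEnroll' `
    /section:requestFiltering /allowDoubleEscaping:true

# Publish a fresh CRL, then let CryptoAPI fetch every CDP/AIA location of a
# certificate issued by this CA and report each one as OK or failed.
certutil -CRL
certutil -verify -urlfetch 'C:\temp\Test.cer'    # assumed path to an issued certificate
```

Two caveats a practitioner will hit: the new URL only appears in certificates issued after the change, so the RD Session Host / RemoteApp signing certificate has to be re-issued before the non-domain client sees it; and the CertEnroll directory must stay plain HTTP, since a CRL that can only be fetched over HTTPS would itself need a revocation check to get at.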

Hi, OK, I have got rid of that. I have installed the CA Web Enrollment role and added the HTTP location to the certificate extensions, but it is now coming up with "Unable to Download" in PKIView, and browsing the site just says 403 Forbidden. Any insight? Am I missing permissions somewhere?

Thanks,
-Tim
September 26th, 2011 6:56pm

I have managed to get it to show as OK in PKIView. I got it to work by enabling directory browsing and not requiring SSL on the address, but I am still getting revocation errors. I ran Certutil -URL Test.cer on the computer with the issue and it shows as OK for the HTTP address, though it says "List of revoked certificate changes" in the type column next to it and not "Base CRL" as I was expecting (that is translated from the Dutch "lijst met wijzigingen in ingetrokken certificaten", so it is not word for word exact, I'm sure). I can also browse to the location specified in the HTTP URL and download the CRL, but I am still getting the revocation errors. Please, anybody, help.

Thanks,
-Tim
September 28th, 2011 1:18pm

Have you cleared the CRL cache before trying again? You can do that by running the command:

certutil -urlcache * delete

/Hasain
September 28th, 2011 7:36pm
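The situation above (PKIView and `certutil -URL` say OK, the client still reports a revocation error) is usually a stale entry in the client's URL cache or a CDP URL the client cannot use. The script below is an added example, not code from the thread; it runs on the client, lists the CDP URLs from a certificate, flags the ldap:// and file:// ones a non-domain machine cannot reach, downloads each http:// one and checks that the body is a DER-encoded CRL rather than an IIS error or listing page, then clears the cache and re-runs the chain check as Hasain suggests. It uses only .NET 2.0 classes so it runs on the Windows PowerShell 2.0 that ships with Windows 7; the certificate path is an assumption.

```powershell
# Added example (not from the thread): client-side CDP reachability check.
param([string]$CertPath = 'C:\temp\Test.cer')   # assumed path to the problem certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if (-not $cdp) { throw 'Certificate has no CRL Distribution Points extension' }

# Format() renders the extension as text with one 'URL=...' line per location.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$wc = New-Object System.Net.WebClient
foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # ldap:// needs domain membership; file:// is never used for CRL retrieval.
        Write-Warning "$url : not usable from a non-domain client (only http:// works here)"
        continue
    }
    try {
        $bytes = $wc.DownloadData($url)                    # throws on 403/404
        $ctype = $wc.ResponseHeaders['Content-Type']
        # A DER CRL starts with a SEQUENCE tag (0x30); an HTML page starts with '<' (0x3C).
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            Write-Output "$url : OK, $($bytes.Length) bytes of DER, Content-Type $ctype"
        } else {
            Write-Warning "$url : downloaded, but the body is not a DER CRL (Content-Type $ctype); check the IIS MIME map and directory layout"
        }
    } catch {
        Write-Warning "$url : download failed: $($_.Exception.Message)"
    }
}

# Discard cached CRLs on this client, then re-check the chain with fresh fetches.
certutil -urlcache * delete | Out-Null
certutil -verify -urlfetch $CertPath
```

Run it as the user who gets the error, because `certutil -urlcache` clears the cache of the current user profile, which is the one the RemoteApp connection uses.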

On the user computer! /Hasain
September 29th, 2011 6:49am

Hi again, is that on the server or on the user's computer?

Cheers,
-Tim
September 29th, 2011 11:14am

Excellent, that has gotten it working. Though now I am getting another error, but it doesn't affect it too much as it can be bypassed. I am getting a Name Mismatch error: "The server name on the certificate is incorrect". Requested name: Remote-1.Domain.corp. Name in the cert: Remote-1. Never had this before; is there any way to fix this?

Thanks,
-Tim
September 30th, 2011 10:56am

The server name you type in the connect/address field must match the subject name or the subject alternative name in the certificate. This validation is part of the RDP server authentication.

/Hasain
September 30th, 2011 11:26am
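The check Hasain describes can be reproduced before a client ever connects: compare the name the client will type against the subject CN and the dNSName entries of the Subject Alternative Name extension. The function below is an added example, not code from the thread; the certificate lookup in the usage lines is an assumption about where the RD Session Host certificate lives.

```powershell
# Added example (not from the thread): does a requested RDP host name match
# the names in a certificate, the way RDP server authentication checks it?
function Test-RdpCertName {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$RequestedName
    )
    $names = @()
    # Subject CN, e.g. 'Remote-1' from 'CN=Remote-1, DC=Domain, DC=corp'
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # dNSName entries from the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $match = $names | Where-Object {
        # exact (case-insensitive) match, or a single-label wildcard such as *.domain.corp
        ($RequestedName -eq $_) -or
        ($_.StartsWith('*.') -and ($RequestedName -like $_) -and
         (($RequestedName -split '\.').Count -eq ($_ -split '\.').Count))
    }
    New-Object PSObject -Property @{
        RequestedName = $RequestedName
        NamesInCert   = ($names -join ', ')
        Match         = [bool]$match
    }
}

# Usage (assumed: the RD Session Host certificate is in the machine store with CN=Remote-1)
$rdpCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Remote-1*' } | Select-Object -First 1
Test-RdpCertName -Cert $rdpCert -RequestedName 'Remote-1.Domain.corp'
# For the certificate in the thread (CN=Remote-1, no SAN) this reports Match = False.
```

The two ways out follow from the check: either connect with the short name that is in the certificate, or re-issue the RD Session Host certificate with the FQDN in the subject or as a SAN dNSName so that the name the RemoteApp RDP files point at is present.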
