Revocation Check Failure for DirectAccess Client
I have a problem with a UAG DirectAccess client whereby when it uses IPHTTPS for connectivity, it only connects if the latest revocation lists (base and delta are defined) are physically pre-loaded on the client.
An external CDP is present with a public address and resolves via nslookup.
I have used the DA client's computer certificate and run 'certutil -url cert' to verify the retrieval of the AIA and CDP URLs.
I have a web.config on the IIS server that enforces the double escaping to allow the delta CRL to be served up.
The DA client can access the external CDP via IE and view the directory where the CRLs are stored (directory browsing was temporarily enabled to check this).
Everything looks like it should work. Names can be resolved, URLs have been validated, but the base and delta CRL don't seem to be downloaded from the external CDP to the external DA clients.
I'd appreciate any advice that could help me troubleshoot the problem further.
Note: there is a posting at http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/c5acea9f-57d7-4469-a605-b6bec3cecc2a/ that discusses the DirectAccess issues in further detail.
Steve G
May 27th, 2011 6:09pm
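The checks described in the post (resolving the CDP, fetching the base and delta CRLs, confirming the delta is actually served) can be scripted from the DA client. The following PowerShell is an added example, not code from the thread: it builds the computer certificate's chain with an online revocation check, walks the CDP URLs from the certificate and from the base CRL's Freshest CRL extension, and shows the WinHTTP proxy setting that CryptoAPI uses when it runs as the computer account. It assumes an elevated prompt on the client and takes the DA computer certificate's thumbprint as a hypothetical parameter.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell on the DA client.
param([Parameter(Mandatory)][string]$Thumbprint)   # hypothetical parameter: DA computer cert thumbprint

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 1. Build the chain with a live revocation check instead of relying on the local CRL cache.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'Online'
$chain.ChainPolicy.RevocationFlag    = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
$built = $chain.Build($cert)
"Chain build succeeded: $built"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

# 2. CDP URLs live in the CRL Distribution Points extension (OID 2.5.29.31); its formatted text carries 'URL=...'.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$queue  = New-Object 'System.Collections.Generic.Queue[string]'
[regex]::Matches($cdpExt.Format($true), 'URL=(http\S+)') | ForEach-Object { $queue.Enqueue($_.Groups[1].Value) }

# CryptoAPI fetching CRLs for the computer account goes through the WinHTTP proxy, not the user's IE proxy,
# so a URL that opens fine in IE can still be unreachable for the revocation check.
"WinHTTP proxy (used by CryptoAPI for the computer account):"
netsh winhttp show proxy

# 3. Download each CRL, dump it with certutil, and follow the base CRL's Freshest CRL URL to the delta.
$seen = @{}
while ($queue.Count) {
    $url = $queue.Dequeue()
    if ($seen[$url]) { continue }
    $seen[$url] = $true
    $file = Join-Path $env:TEMP ([System.IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try {
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
        $dump = certutil -dump $file
        $kind = if ($dump -match 'Delta CRL Indicator') { 'delta' } else { 'base' }
        "{0} -> {1} CRL" -f $url, $kind
        $dump | Select-String 'ThisUpdate|NextUpdate' | ForEach-Object { "    $($_.Line.Trim())" }
        if ($kind -eq 'base') {
            # The base CRL's Freshest CRL extension points at the delta CRL; queue those URLs too.
            [regex]::Matches(($dump -join "`n"), 'URL=(http\S+)') | ForEach-Object { $queue.Enqueue($_.Groups[1].Value) }
        }
    } catch {
        "{0} -> FAILED: {1}" -f $url, $_.Exception.Message
    }
}
```

A delta URL ending in "+.crl" that downloads here but fails from the chain build points at the IIS double-escaping or proxy path rather than at DNS or the CA.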
Hi Steve,
Thanks for posting here.
Are you also using TMG or any other firewall device in this scenario ?
If yes, you may first check if the CRL Download system policy configuration group has been enabled and also check if the necessary ports have been enabled on your edge device.
The CRL download system policy is disabled
http://technet.microsoft.com/en-us/library/dd897106.aspx
System service name: CertSvc
Application protocol                  Protocol   Ports
RPC                                   TCP        135
Randomly allocated high TCP ports¹    TCP        random port number between 1024 - 65535
                                                 random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
For more information please refer to the links below:
Selecting an IP-HTTPS certificate on the Forefront UAG DirectAccess server in SP1
http://technet.microsoft.com/en-us/library/gg274316.aspx
Configuring Certificate Revocation
http://technet.microsoft.com/en-us/library/cc771079.aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 30th, 2011 6:30am
Hi Steve,
If there is any update on this issue, please feel free to let us know.
We are looking forward to your reply.
Tiger Li
June 1st, 2011 1:40pm
Tiger,
Sorry for the lack of an update, but I'm on holiday at present. I'm returning to the customer site on Monday, so I'll provide an update then.
Steve G
June 1st, 2011 4:58pm
This now seems to be resolved. There were some problems with the proxy settings.
Steve G
June 6th, 2011 5:33pm