Revocation Check and Automatic Placement
Hi Folks,
I have a Windows Server 2008 R2 Domain Controller that is also a Certificate Authority and an RD Gateway server. And things are working quite nicely, thank you -- with two minor exceptions. These are probably easy questions:
1) When I use the RDP client on a Windows 7 notebook from outside my subnet to connect to a desktop inside my subnet, almost everything works perfectly, he said with a bit of pride... However, I am warned during the connection dialogue that "A certificate revocation check could not be performed." This is for the certificate associated with the desktop, not with the RD Gateway. Is this a problem with the Windows 7 notebook client that is requesting the connection, the certificate associated with the remote desktop machine, or is this a configuration problem with my Certificate Authority, which is not serving the CRL? The same check had to have been done for the RD Gateway machine earlier in the transaction and did not generate any warnings.
2) When I try to install my CA Trust Anchor in the "Trusted Root Certificate Authorities" store using the Web Service http://.../CertSrv, things go quite smoothly, but not completely correctly. I am presented with a list and the correct CA Trust Anchor is there on the list. When I "Open" it I have an "Install Certificate" button on the dialogue, which offers me the option to let it decide where this certificate should go, and it does not go to the correct place. In fact, I can't see that it goes anywhere. I need to explicitly address the "Trusted Root Certificate Authorities" store before this works correctly. It is not clear to me why this doesn't work as advertised -- the certificate template is "CA", and that is pretty clear. Any thoughts on this?
Thanks for the help,
Chris.
August 17th, 2012 4:08pm
Hi Chris,
1) When you connect via RDG, the certificate of the server is checked as well as its revocation status. That means your client must trust the root CA certificate of the server's RDP certificate (make sure that you do not use the auto-generated one) and your client must be able to check the revocation status. You may need to publish the CRL to the internet; hopefully you have chosen a public domain name in your alias and you are not using LDAP only.
2) Yep, that is a "feature". In Windows 8/Server 2012 MS added an option to the import wizard to address that. For all Windows versions before, you have to hand-pick the store location.
Regards,
Lutz
August 18th, 2012 6:58pm
Hi Lutz,
1) ... Desktop... I know what a CRL is and how it is supposed to be used, thanks. CRL Management is supposed to be a part of Certificate Authentication and is not something I should have to manage -- this is why we have Certificate Authorities. So, why is mine not working? Where can I look for explanations for the client NOT being able to perform a certificate revocation check?
2) Not worth continuing the discussion, since I know what it does and I can easily have it do the right thing.
Thanks for the help,
Chris.
August 19th, 2012 2:16pm
Hi Chris,
Not sure if I got it right. The CRL is issued by a Certification Authority to a file system or Active Directory. In the Extensions tab you can configure what information is included in a certificate so that a client can download the CRL and verify it. You can configure an HTTP and/or LDAP CRL location. In any case the client must be able to download the CRL from there.
Microsoft implemented the CRL checking for RDP 7 clients, and to avoid doctoring around on clients I recommend making the CRL available to all clients.
From another thread I found the answer: you cannot disable the CRL checking for RDP 7 clients.
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/f91beabe-9143-4908-8469-664feaeec3d9
Regards,
Lutz
August 19th, 2012 2:37pm
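As an added example (not posted by anyone in this thread), here is how to answer Chris's question "where can I look?" from the desktop itself: find the certificate the RDP listener actually presents, read the CRL Distribution Points (CDP) out of it, test whether each HTTP CDP answers, and finally run the same chain and revocation check a Windows client performs, with every URL fetch logged. It assumes the default listener name 'RDP-Tcp' and that the listener certificate lives in the machine's Personal store (Cert:\LocalMachine\My); run it in an elevated PowerShell on the desktop.

```powershell
# Added example, not from the original thread. Run elevated on the desktop that
# the RDP client warns about. Assumptions: default listener name 'RDP-Tcp' and
# the listener certificate stored in Cert:\LocalMachine\My.

# The RDP listener records the SHA1 thumbprint of the certificate it presents.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Listener certificate $thumb not found in Cert:\LocalMachine\My" }

Write-Host "RDP listener certificate: $($cert.Subject) (issued by $($cert.Issuer))"

# OID 2.5.29.31 is the CRL Distribution Points extension. Without it no client
# can locate a CRL, and the RDP client reports that the check could not be done.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'No CDP extension: no client can perform a revocation check for this certificate.'
} else {
    # Format($true) renders the extension as text; pull every URL out of it.
    $urls = [regex]::Matches($cdpExt.Format($true), '(?i)\b(https?|ldap)://[^\s]+') |
        ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        if ($url -match '^ldap://') {
            # An LDAP CDP is only usable by domain-joined clients on the LAN; a
            # notebook coming in through the RD Gateway from outside cannot use it.
            Write-Warning "$url : LDAP-only CDP, not reachable from outside the domain"
            continue
        }
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Method  = 'GET'
            $req.Timeout = 5000
            $resp = $req.GetResponse()
            Write-Host "$url : HTTP $([int]$resp.StatusCode), $($resp.ContentLength) bytes"
            $resp.Close()
        } catch {
            Write-Warning "$url : $($_.Exception.Message)"
        }
    }
}

# Export the leaf certificate and let certutil build the chain and fetch every
# AIA and CDP URL, logging each retrieval. Copy the .cer to the Windows 7
# notebook and run the same certutil command there to see the check from the
# client's network position, which is the one that matters for the warning.
$cerPath = Join-Path $env:TEMP 'rdp-listener.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
certutil -verify -urlfetch $cerPath
```

In the certutil output, look at the "Verified ... CDP" lines and the revocation status at the end: a CDP that only lists ldap:// URLs, or an http:// URL that is not reachable from the client's network, shows up as a failed retrieval and a revocation status of CRYPT_E_REVOCATION_OFFLINE (0x80092013), which is exactly the condition the RDP client reports as "A certificate revocation check could not be performed." The fix is on the CA: add an HTTP CDP with a public name to the CA's Extensions tab, publish the CRL there, and reissue the desktop's RDP certificate so it carries the new URL.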