Windows 7 CRL problem (not again!)
We have two Windows 2008 servers: a TS Gateway and a Terminal Server. Certificates for both of them were issued by the local CA, but the CDP and AIA fields are correct external URLs that are available. Connection from Windows 7 fails. I'm trying to troubleshoot it:

C:\Users\administrator\Desktop>certutil -verify -urlfetch local.cer
C:\Users\administrator.domain\Desktop>certutil -verify -urlfetch localal.cer
Issuer:
    CN=domain-DC-CA
    DC=domain
    DC=local
Subject:
    CN=win08-termServ.domain.local
Cert Serial Number: 27bf0aca000000000014

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 1 Days, 2 Hours, 29 Minutes, 2 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 2 Hours, 29 Minutes, 2 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domain-DC-CA, DC=domain, DC=local
  NotBefore: 31.08.2010 10:56
  NotAfter: 31.08.2011 10:56
  Subject: CN=win08-termServ.domain.local
  Serial: 27bf0aca000000000014
  Template: GOST Computer
  62 43 6f 48 44 08 67 e3 51 7b c5 6c 8e ae db af 45 a8 d1 bd
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 [0.0] http://win08-termserv.domain.local/DC.domain.local_domain-DC-CA.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (27)" Time: 0 [0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
  Old Base CRL "Delta CRL (27)" Time: 0 [0.0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
  ----------------  Base CRL CDP  ----------------
  OK "Base CRL (27)" Time: 0 [0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
  Old Base CRL "Delta CRL (27)" Time: 0 [0.0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 27:
  Issuer: CN=domain-DC-CA, DC=domain, DC=local
  5c a5 6e ed 97 e9 ad 04 06 8e 5a 34 d8 1c f4 82 52 9c af d1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-DC-CA, DC=domain, DC=local
  NotBefore: 13.08.2010 12:00
  NotAfter: 13.08.2015 12:10
  Subject: CN=domain-DC-CA, DC=domain, DC=local
  Serial: 39943e8178430dbb4798619ac146667c
  e8 1e f5 2b 66 24 99 13 78 64 27 2a 1c 07 c1 50 46 9f dc 0a
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  1e ce 44 c2 c4 16 dd 3e a9 27 12 57 40 87 42 6c ed 39 af c8
Full chain:
  b8 28 a4 c5 23 4f 2a 87 61 03 92 66 ca a3 a1 3f 6a e9 f1 ba
Issuer: CN=domain-DC-CA, DC=domain, DC=local
NotBefore: 31.08.2010 10:56
NotAfter: 31.08.2011 10:56
Subject: CN=win08-termServ.domain.local
Serial: 27bf0aca000000000014
Template: GOST Computer
62 43 6f 48 44 08 67 e3 51 7b c5 6c 8e ae db af 45 a8 d1 bd
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

I need help to decipher it all. The CRL is available (both base and delta), so what is the "leaf certificate" then? And how can it be offline if it's on the same machine? The strange thing is that Windows XP SP3 with RDC 7 works perfectly.
September 7th, 2010 3:32pm
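An added example, not part of the thread: a small Python script that decodes the dwInfoStatus/dwErrorStatus bitmasks certutil prints for each chain element, using the CERT_TRUST_* bit values from wincrypt.h (only the subset needed here). In a certutil chain dump, CertContext[0][0] is the leaf (end-entity) certificate, the one presented by the Terminal Server, and the last element is the root; the script labels them accordingly. It also flags a Delta CRL that was fetched from the same URL as the Base CRL, which is what the dump above shows. The sample dump embedded in the script is a condensed, constructed copy of the output in the question.

```python
"""Decode a certutil -verify -urlfetch chain dump into per-element trust flags."""
import re

# Bit values of the CERT_TRUST_* status flags (wincrypt.h). Subset only: the flags
# seen in the thread's output plus a few that commonly appear alongside them.
ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
INFO_FLAGS = {
    0x00000001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x00000002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x00000004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x00000008: "CERT_TRUST_IS_SELF_SIGNED",
    0x00000100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}

CTX_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]:\s*dwInfoStatus=([0-9a-fA-F]+)\s+dwErrorStatus=([0-9a-fA-F]+)"
)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
# Matches the quoted CRL label certutil prints, e.g. "Base CRL (27)" ... http://...
CRL_URL_RE = re.compile(r'"(Base|Delta) CRL \(\d+\)"[^\n]*?(https?://\S+)')

# Constructed sample: condensed from the certutil output in the question above.
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domain-DC-CA, DC=domain, DC=local
  NotBefore: 31.08.2010 10:56
  NotAfter: 31.08.2011 10:56
  Subject: CN=win08-termServ.domain.local
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (27)" Time: 0 [0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
  Old Base CRL "Delta CRL (27)" Time: 0 [0.0.0] http://win08-termserv.domain.local/domain-DC-CA.crl
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-DC-CA, DC=domain, DC=local
  Subject: CN=domain-DC-CA, DC=domain, DC=local
"""


def decode_flags(value, table):
    """Expand a dwInfoStatus/dwErrorStatus bitmask into flag names (lowest bit first)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # bits not covered by the subset table
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def parse_chain(dump):
    """Return one dict per chain element, in certutil order: index 0 is the leaf."""
    elements, current = [], None
    for line in dump.splitlines():
        m = CTX_RE.search(line)
        if m:
            _chain, idx, info, err = m.groups()
            current = {"index": int(idx), "subject": None,
                       "info": decode_flags(int(info, 16), INFO_FLAGS),
                       "errors": decode_flags(int(err, 16), ERROR_FLAGS)}
            elements.append(current)
            continue
        m = SUBJECT_RE.match(line)
        if m and current is not None and current["subject"] is None:
            current["subject"] = m.group(1)  # first Subject: after the CertContext line
    for e in elements:
        if e["index"] == 0:
            e["role"] = "leaf"
        elif "CERT_TRUST_IS_SELF_SIGNED" in e["info"]:
            e["role"] = "root"
        else:
            e["role"] = "intermediate"
    return elements


def crl_url_warnings(dump):
    """Flag a Delta CRL fetched from the very URL that serves the Base CRL."""
    urls = {}
    for kind, url in CRL_URL_RE.findall(dump):
        urls.setdefault(kind, set()).add(url)
    return [f"Delta CRL URL is identical to the Base CRL URL: {u}"
            for u in sorted(urls.get("Delta", set()) & urls.get("Base", set()))]


if __name__ == "__main__":
    for e in parse_chain(SAMPLE_DUMP):
        print(f"[{e['index']}] {e['role']:12} {e['subject']}")
        print("    info  :", ", ".join(e["info"]) or "-")
        print("    errors:", ", ".join(e["errors"]) or "none")
    for w in crl_url_warnings(SAMPLE_DUMP):
        print("WARNING:", w)
```

Run it on a saved certutil dump by replacing SAMPLE_DUMP with the file contents; the errors on the element labelled "leaf" are the ones the "Verifying leaf certificate revocation status" line at the end of the dump refers to.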

Hi,

To better understand the issue, please help collect the following information:

1. What error message do you encounter when you RDP to the Terminal Server from Windows 7?
2. Please run certutil -getreg ca\CRLPublicationURLs on the CA server and post the output information here.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 8th, 2010 5:16am

The problem was with 3rd party CSP we have to use. It's ok now, thanks.
September 8th, 2010 8:03am

Thanks for your update.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 9th, 2010 4:27am
