Revocation list error on RDP 7.0 against a RD 2008 R2 server
Hi,
I have an issue I have no clue how to fix. I have been discussing this on the 2008 R2 forums, but maybe this is a client-side issue (the details are here
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/91c05025-f18a-4839-973f-42fceaf66a77#ca5aad74-89c2-4093-88df-9215e0a32d49 ).
But focusing on the issue: from all my W7 machines (Ultimate and Professional) I get certificate revocation list errors that prevent me from using my RemoteApps (the error just prevents me from continuing).
From my Vista clients (RDP 6.1) everything works just fine.
My setup is:
2008 R2 (DC, CA, DNS, IIS, DHCP, Hyper-V, RRAS); Windows 7 Ultimate & Professional, 32-bit and 64-bit, NOT in the domain.
Created certificates on the server with alternative names (that match the public DNS names) and configured the CDP and AIA in the CA management to use HTTP. For troubleshooting I disabled the LDAP entries in CDP and AIA (just to eliminate causes), created new certs, and configured all the relevant services to use them.
When issuing "certutil -verify -urlfetch corp.cer" I get confirmation that the revocation URLs are fine. Additionally I tried it from a Unix machine with the wget utility on a different subnet (paranoid) and was able to download the CRL files correctly. This IIS is available on the internet, there is no doubt, and the files can be downloaded (see the extract for one of the file fetches and the certutil results):
R:\>wget -S http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
--2010-06-12 20:35:16--
http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
Resolving corp.webdisplay.pt... 213.22.80.170
Connecting to corp.webdisplay.pt|213.22.80.170|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 12 Jun 2010 17:32:32 GMT
Accept-Ranges: bytes
ETag: "4856c3d55acb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 12 Jun 2010 19:35:15 GMT
Connection: keep-alive
Content-Length: 1839
Length: 1839 (1.8K) [application/pkix-crl]
Saving to: `corp-WDSRV01-CA.crl'
100%[==================================================================================================>] 1,839
2010-06-12 20:35:16 (19.6 MB/s) - `corp-WDSRV01-CA.crl' saved [1839/1839]
----------------------------------------------
C:\temp>certutil -verify -urlfetch corp.cer
Issuer:
CN=corp-WDSRV01-CA
DC=corp
DC=webdisplay
DC=pt
Subject:
CN=corp.webdisplay.pt
Cert Serial Number: 1c41fbdb000000000023
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 31 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 31 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
NotBefore: 12-06-2010 12:31
NotAfter: 11-06-2012 12:31
Subject: CN=corp.webdisplay.pt
Serial: 1c41fbdb000000000023
SubjectAltName: DNS Name=corp.webdisplay.pt, DNS Name=wdsrv01.corp.webdisplay
pt, DNS Name=wdsrv02.corp.webdisplay.pt, DNS Name=redmine.corp.webdisplay.pt
Template: WebServer
b7 f3 7b 69 a5 48 6f 44 27 f9 2a 9e 17 1a f9 9f e0 08 b0 76
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://corp.webdisplay.pt/CertEnroll/WDSRV01.corp.webdisplay.pt_corp-
DSRV01-CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (56)" Time: 0
[0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
Verified "Delta CRL (56)" Time: 0
[0.0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (57)" Time: 0
[0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 56:
Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
ec 77 b7 4a 5f b8 e4 71 23 b2 06 6f 5e 61 37 0c 74 f7 f1 74
Delta CRL 57:
Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
08 f3 d8 d9 59 35 51 f3 22 76 5a be cf 90 8b 5b 0a bc 77 a8
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
NotBefore: 21-03-2010 23:01
NotAfter: 21-03-2015 23:11
Subject: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
Serial: 15da4ae6996d23a44c896079f8451e47
c9 3b 77 24 aa 61 c9 e5 30 06 1c 55 3a 09 9b cf 26 ef fc 3f
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
e2 02 cc 23 b6 19 09 64 e2 f2 a6 2e a5 d6 31 d2 9c a3 e9 ce
Full chain:
5b 64 0e 51 15 0d 7e 93 13 2f 1c b0 55 83 b4 51 f0 8a c9 a9
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
I am out of ideas! I read through tons of documents (both on TechNet and outside) and this seems to be a somewhat common problem for many using 2008 R2 and W7.
I could use self-signed certificates (I did it before), but then why should I have to do it?
As far as I know everything is correctly configured and the CRLs are available.
Before you ask, the CA root certificate is in the trusted root certificates of the Computer and not the user.
I'm starting to feel this is an OS bug; not sure...
Thank you all for your help.
Luis Cordeiro
July 1st, 2010 1:11am
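The certutil run above was done on the server; the RDP client builds its own chain, with its own trust stores and its own CRL cache, so the useful next step is to repeat the same check on one of the failing Windows 7 machines. The script below is an added diagnostic, not part of the original post and not a Microsoft tool. It assumes the exported server certificate is at C:\temp\corp.cer as in the post (the only path it takes from the thread); everything else is the standard .NET X509Chain API, configured with the same options certutil reported (online revocation checking, root excluded). It reports where the issuing CA is trusted, whether each CDP and AIA URL in the certificate is reachable from this client, and which chain element carries which status.

```powershell
# Added example (not from the original post): rebuild the server certificate's chain on a
# Windows 7 client the way the Windows chain engine does, and show where it fails.
param(
    [string]$CertPath = "C:\temp\corp.cer"   # path taken from the post; adjust as needed
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
"Subject : " + $cert.Subject
"Issuer  : " + $cert.Issuer

# 1. Where is the issuing CA trusted? The post puts the root in the Computer store;
#    a user process such as mstsc consults both the machine and the user stores.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Subject -eq $cert.Issuer }
    $state = if ($hit) { "present (thumbprint $($hit.Thumbprint))" } else { "not present" }
    "{0,-24} {1}" -f $store, $state
}

# 2. Pull the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs out of the certificate and
#    fetch each one from this client, to separate "unreachable from here" from "rejected".
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
foreach ($ext in $cert.Extensions) {
    if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
    $text = $ext.Format($true)                     # human-readable dump, contains "URL=http://..."
    foreach ($m in [regex]::Matches($text, 'http://\S+')) {
        $url = $m.Value
        try {
            $bytes = (New-Object System.Net.WebClient).DownloadData($url)
            "{0} {1} -> {2} bytes" -f $oids[$ext.Oid.Value], $url, $bytes.Length
        } catch {
            "{0} {1} -> FAILED: {2}" -f $oids[$ext.Oid.Value], $url, $_.Exception.Message
        }
    }
}

# 3. Build the chain with the options certutil showed in the post: online revocation
#    checking for every element except the root.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout  = New-TimeSpan -Seconds 30
$built = $chain.Build($cert)
"Chain build succeeded: $built"

# Per-element status: this is where a revocation problem names the element it belongs to.
foreach ($el in $chain.ChainElements) {
    "  " + $el.Certificate.Subject
    foreach ($s in $el.ChainElementStatus) {
        "      {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}
foreach ($s in $chain.ChainStatus) {
    "overall {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

Run it in the same user session that launches the RemoteApp, since the chain engine uses that user's CRL cache and CurrentUser stores. If step 2 downloads both CRLs but step 3 still reports RevocationStatusUnknown or OfflineRevocation on the leaf, the problem is on the client side of the check (cache, policy, or the CRL contents) rather than URL reachability; certutil -urlcache on the client lists what it has cached.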