Revocation list error on RDP 7.0 against a RD 2008 R2 server
Hi, I have an issue I have no clue how to fix. I have been discussing this on the 2008 R2 forums, but maybe this is a client-side issue (the details are here: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/91c05025-f18a-4839-973f-42fceaf66a77#ca5aad74-89c2-4093-88df-9215e0a32d49 ).

But focusing on the issue: from all my W7 machines (Ultimate and Professional) I get certificate revocation list errors that prevent me from using my RemoteApps (the error just prevents me from continuing). From my Vista clients (RDP 6.1) everything works just fine.

My setup is:
- 2008 R2 (DC, CA, DNS, IIS, DHCP, Hyper-V, RRAS)
- Windows 7 Ultimate & Professional, 32-bit and 64-bit, NOT in the domain.

I created certificates on the server with alternative names (that match the public DNS names) and configured the CDP and AIA in the CA management console to use HTTP. For troubleshooting I disabled the LDAP entries on CDP and AIA (just to eliminate causes), created new certs, and configured all the relevant services to use them.

When issuing "certutil -verify -urlfetch corp.cer" I have the confirmation that the revocation URLs are fine. Additionally I tried it from a Unix machine with the wget utility on a different subnet (paranoid) and was able to download the CRL files correctly. This IIS is available on the internet, there is no doubt, and the files can be downloaded (see the extract for one of the file fetches and the certutil results):

R:\>wget -S http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
--2010-06-12 20:35:16--  http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
Resolving corp.webdisplay.pt... 213.22.80.170
Connecting to corp.webdisplay.pt|213.22.80.170|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Content-Type: application/pkix-crl
  Last-Modified: Sat, 12 Jun 2010 17:32:32 GMT
  Accept-Ranges: bytes
  ETag: "4856c3d55acb1:0"
  Server: Microsoft-IIS/7.5
  X-Powered-By: ASP.NET
  Date: Sat, 12 Jun 2010 19:35:15 GMT
  Connection: keep-alive
  Content-Length: 1839
Length: 1839 (1.8K) [application/pkix-crl]
Saving to: `corp-WDSRV01-CA.crl'

100%[==================================================================================================>] 1,839
2010-06-12 20:35:16 (19.6 MB/s) - `corp-WDSRV01-CA.crl' saved [1839/1839]

----------------------------------------------

C:\temp>certutil -verify -urlfetch corp.cer
Issuer:
    CN=corp-WDSRV01-CA
    DC=corp
    DC=webdisplay
    DC=pt
Subject:
    CN=corp.webdisplay.pt
Cert Serial Number: 1c41fbdb000000000023

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 31 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 31 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
  NotBefore: 12-06-2010 12:31
  NotAfter: 11-06-2012 12:31
  Subject: CN=corp.webdisplay.pt
  Serial: 1c41fbdb000000000023
  SubjectAltName: DNS Name=corp.webdisplay.pt, DNS Name=wdsrv01.corp.webdisplay pt, DNS Name=wdsrv02.corp.webdisplay.pt, DNS Name=redmine.corp.webdisplay.pt
  Template: WebServer
  b7 f3 7b 69 a5 48 6f 44 27 f9 2a 9e 17 1a f9 9f e0 08 b0 76
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/WDSRV01.corp.webdisplay.pt_corp- DSRV01-CA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (56)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA.crl
  Verified "Delta CRL (56)" Time: 0
    [0.0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
  ---------------- Base CRL CDP ----------------
  OK "Delta CRL (57)" Time: 0
    [0.0] http://corp.webdisplay.pt/CertEnroll/corp-WDSRV01-CA+.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 56:
  Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
  ec 77 b7 4a 5f b8 e4 71 23 b2 06 6f 5e 61 37 0c 74 f7 f1 74
  Delta CRL 57:
  Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
  08 f3 d8 d9 59 35 51 f3 22 76 5a be cf 90 8b 5b 0a bc 77 a8
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
  NotBefore: 21-03-2010 23:01
  NotAfter: 21-03-2015 23:11
  Subject: CN=corp-WDSRV01-CA, DC=corp, DC=webdisplay, DC=pt
  Serial: 15da4ae6996d23a44c896079f8451e47
  c9 3b 77 24 aa 61 c9 e5 30 06 1c 55 3a 09 9b cf 26 ef fc 3f
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  e2 02 cc 23 b6 19 09 64 e2 f2 a6 2e a5 d6 31 d2 9c a3 e9 ce
Full chain:
  5b 64 0e 51 15 0d 7e 93 13 2f 1c b0 55 83 b4 51 f0 8a c9 a9
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

I am out of ideas! I read through tons of documents (both on TechNet and outside) and this seems to be a somewhat common problem for many using 2008 R2 and W7. I could use self-signed certificates (I did it before), but then why should I have to? As far as I know everything is correctly configured and the CRLs are available. Before you ask, the CA root certificate is in the trusted root certificates of the Computer and not the user. I'm starting to feel this is an OS bug; not sure...

Thank you all for your help.

Luis Cordeiro
July 1st, 2010 1:11am
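The certutil run above shows the base and delta CRLs fetching fine, but a client only accepts a CRL whose thisUpdate/nextUpdate window covers its own clock, so "downloadable" and "usable" are two different checks. As an added example (not from the post, certutil or Windows), this standard-library-only Python script parses a DER CertificateList, checks its validity window against a given time and looks a serial up in the revoked list; the sample CRL, its issuer name and the revoked serial 0x2A are constructed for offline use, the DER helpers are simplified, and the post's leaf serial is used as a lookup.

```python
import datetime as dt
def der(tag, body):
    """Encode one DER TLV (assumed: body shorter than 65536 bytes)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body
def der_children(body):
    """Split a constructed DER body into (tag, content) pairs (short and long-form lengths)."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long form: low bits give the number of length octets
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def asn1_time(tag, body):  # 0x17 UTCTime (YYMMDDHHMMSSZ) or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode(), fmt).replace(tzinfo=dt.timezone.utc)
def parse_crl(crl_der):
    """Return (thisUpdate, nextUpdate, {revoked serials}) from an RFC 5280 CertificateList."""
    fields = der_children(der_children(der_children(crl_der)[0][1])[0][1])  # -> tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0  # optional version INTEGER; then sigAlg, issuer, thisUpdate
    this_update, next_update, revoked, j = asn1_time(*fields[i + 2]), None, set(), i + 3
    if j < len(fields) and fields[j][0] in (0x17, 0x18):
        next_update, j = asn1_time(*fields[j]), j + 1
    if j < len(fields) and fields[j][0] == 0x30:  # revokedCertificates (omitted when empty)
        for _, entry in der_children(fields[j][1]):
            revoked.add(int.from_bytes(der_children(entry)[0][1], "big"))
    return this_update, next_update, revoked
def check_status(crl_der, serial, now):
    """'stale' when now lies outside [thisUpdate, nextUpdate], else 'revoked' or 'good'."""
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update or (next_update and now > next_update):
        return "stale"  # a freshness-enforcing client rejects this CRL even though it downloads fine
    return "revoked" if serial in revoked else "good"
def sample_crl(this_update, next_update, revoked_serials):
    """Constructed sample CRL for offline testing; the signature BIT STRING is a dummy."""
    t = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"corp-WDSRV01-CA"))))
    entries = b"".join(der(0x30, der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + t(this_update))
                       for s in revoked_serials)
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + t(this_update) + t(next_update) + der(0x30, entries))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
# Constructed sample: thisUpdate matches the CRL's Last-Modified in the post; serial 0x2A is made up.
THIS = dt.datetime(2010, 6, 12, 17, 32, 32, tzinfo=dt.timezone.utc)
NEXT, NOW = THIS + dt.timedelta(days=7), dt.datetime(2010, 6, 12, 20, 35, 15, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(days=30)  # well past nextUpdate: a cached copy this old would be rejected
CRL = sample_crl(THIS, NEXT, [0x2A])
```

Run the same check against a CRL actually fetched from the CDP URL and against the client's clock: a window mismatch or a stale cached copy produces exactly the "revocation check failed" symptom while the file itself downloads without error.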
