Client certificate authentication - unable to retrieve CRL
Client certificate authentication - unable to retrieve CRL - 26.Aug.2008 1:42:26 AM
SpeedMaster
Posts: 12
Joined: 12.Feb.2007
Status: offline
Hi, I have client certificate authentication enabled when publishing a web site. When a CRL installed on ISA Server (2006, Standard, SP1 on W2003 R2 SP2 Enterprise) expires, the remote clients get an error #500 when trying to access a published website, saying that their certificates are revoked. This is quite common behavior when ISA Server cannot access an up-to-date CRL. The Event Log on ISA Server says:

The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).

Just to make everything clear, the CRL download system policy is enabled on ISA Server. I found this quote here on this forum (http://forums.isaserver.org/fb.aspx?m=210012314), though in relation to ISA 2004:

Apparently there is a problem with wspsrv.exe: If you don't have a CDP extension included in the ROOT certificate, this causes problems with the way ISA Server calls the CryptoAPI, leading to the "The certificate is revoked" error.

So it seems that this is a very similar error. I contacted the CA about whether it is possible to include a CDP extension in the root certificate. It is not. So, is there a way to fix this problem of ISA Server interaction with CryptoAPI? Thank you!
RE: Client certificate authentication - unable to retri... - 28.Aug.2008 4:23:30 PM
mylo
Posts: 138
Joined: 26.Mar.2002
Status: offline
There are a number of things that can go wrong here.. but I'm assuming that the CDP extensions have been published correctly to the appropriate distribution points.. check which is the primary CDP and whether ISA can qualify the CRL in question.. normally (at least in Certificate Services based implementations) it is not recommended to publish extensions in a root certificate, which follows your statements... do you have pkiview.msc installed on the ISA server.. if so, what does it report concerning the validity of the certs (i.e. with the CDPs)... it's in the Win2k3 support tools btw.. Sorry about the cryptic response.. but it's hard to work out what's not working on the info provided :-) Cheers, Mylo
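The CRL states behind the event-log message in the question, and the CDP check Mylo asks about, reproduced locally with OpenSSL as an added example (not from either poster, and not ISA's own CryptoAPI path): a throwaway CA issues a client certificate carrying a constructed CDP URI, and the certificate is then validated with the CRL present, missing, and expired. The CA name, CDP URL and file names are all constructed for the example.

```shell
# Added example (not from either poster, nor ISA's own CryptoAPI path): reproduce the CRL states
# behind the event-log message with OpenSSL, using a throwaway CA in a temp dir; all names constructed.
set -e
W=$(mktemp -d); cd "$W"
CDP_URL="http://crl.example.test/ca.crl"   # constructed placeholder CDP URI
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = myca
[ myca ]
dir = $W
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
[ leaf_ext ]
crlDistributionPoints = URI:$CDP_URL
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Test Root CA" -days 3650 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=client1" 2>/dev/null
openssl ca -batch -config ca.cnf -extensions leaf_ext -in leaf.csr -out leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null   # CRL valid for one day only

# Print the CDP URIs a certificate carries: the URLs a validator such as ISA tries to fetch.
cdp_uris() { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | sed 's/^URI://'; }

# Validate cert $1 as of epoch time $2 using optional CRL file $3.
# Prints OK, or "FAIL: <OpenSSL reason>" such as "CRL has expired".
check_client_cert() {
    crl_opt=""; [ -n "${3:-}" ] && crl_opt="-CRLfile $3"
    out=$(openssl verify -attime "$2" -crl_check -CAfile ca.pem $crl_opt "$1" 2>&1) && echo OK \
        || echo "FAIL: $(echo "$out" | sed -n 's/.*lookup: *//p' | head -n1)"
}
```

The two FAIL reasons ("unable to get certificate CRL" and "CRL has expired") are the offline equivalents of the missing-CRL and expired-CRL cases named in the ISA event-log text, and cdp_uris shows which CDP a validator would have to reach.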