Client certificate authentication - unable to retrieve CRL

Client certificate authentication - unable to retrieve CRL - 26.Aug.2008 1:42:26 AM   
SpeedMaster

 

Hi,
I have client certificate authentication enabled when publishing a web site. When a CRL installed on ISA Server (2006, Standard, SP1 with W2003 R2 SP2 Enterprise) expires, the remote clients, when trying to access a published website, get an error #500 that their certificates are revoked. This is quite common behavior when ISA Server cannot access an up-to-date CRL.
The Event Log on ISA Server says:

The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).

Just to make everything clear, CRL download system policy is enabled on ISA Server.
I've found the following here on this forum (http://forums.isaserver.org/fb.aspx?m=210012314), but in relation to ISA 2004:
quote:

Apparently there is a problem with wspsrv.exe: If you don't have a CDP extension included in the ROOT certificate, this causes problems with the way ISA Server calls the CryptoAPI, leading to the "The certificate is revoked" error.

So, it seems that this is a very similar error. I asked the CA whether it is possible to include a CDP extension in the root certificate. It is not. So, is there a way to fix this problem of ISA Server interaction with CryptoAPI?
Thank you!
Post #: 1
RE: Client certificate authentication - unable to retri... - 28.Aug.2008 4:23:30 PM   
mylo

 

There are a number of things that can go wrong here, but I'm assuming that the CDP extensions have been published correctly to the appropriate distribution points. Check which is the primary CDP and whether ISA can qualify the CRL in question. Normally (at least in Certificate Services based implementations) publishing the extensions in a root certificate is not recommended, which follows your statements. Do you have pkiview.msc installed on the ISA server? If so, what does it report concerning the validity of the certs (i.e. with the CDPs)? It's in the Win2k3 support tools, btw.

Sorry about the cryptic response, but it's hard to work out what's not working on the info provided :-)

Cheers,
Mylo

(in reply to SpeedMaster)
Post #: 2
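
An added example, not part of either post: a PowerShell sketch that builds the chain for an exported client certificate with the .NET X509Chain class (which uses CryptoAPI on Windows) and reports, per chain element, whether a CDP extension is present and whether the certificate is actually listed as revoked or no usable CRL could be obtained. The certificate path is a hypothetical placeholder, and the script is assumed to be run on the server that validates the certificate.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical path to an
# exported client certificate (.cer).
param([string]$CertPath = 'C:\temp\client.cer')

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online revocation checking for every chain element except the root.
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$valid = $chain.Build($cert)
"Chain valid: $valid"

foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    # OID 2.5.29.31 is the CRL Distribution Points (CDP) extension.
    $cdp    = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $status = @($el.ChainElementStatus | ForEach-Object { $_.Status })

    ""
    "Subject : $($c.Subject)"
    "Issuer  : $($c.Issuer)"
    if ($cdp) { "CDP     : " + $cdp.Format($false) }
    else      { "CDP     : (no CDP extension)" }

    if ($status -contains 'Revoked') {
        # The serial number was found in a CRL that was retrieved.
        "Result  : listed as revoked"
    } elseif (($status -contains 'RevocationStatusUnknown') -or
              ($status -contains 'OfflineRevocation')) {
        # No verdict: the CRL was missing, expired or unreachable.
        "Result  : no usable CRL for this element"
    } elseif ($status.Count -gt 0) {
        "Result  : other chain errors: $($status -join ', ')"
    } else {
        "Result  : no errors reported"
    }
}
```

A "no usable CRL" result on an element whose CDP line shows URLs points at connectivity to, or freshness of, the CRL at those distribution points rather than at an actual revocation.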
