Client certificate authentication fails (Full Version)

Howto -> Client certificate authentication fails (31.Aug.2004 4:41:00 PM)

When trying to connect to a site with SSL certificate authentication, I get the following error in Internet Explorer:

Error Code: 500 Internal server error. The certificate is revoked. (although the client cert is still valid)

In the application log on the ISA server I see the following message:

The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).

Setup:

Web listener on 10.10.10.1 (SSL cert authentication).
Web publishing rule info:
Name: Cert auth; Action: Allow; From: Anywhere; To: my.internalsite.net; Traffic: HTTPS; Listener: 10.10.10.1; Public name: my.publicname.net; Path: /*; Bridging: Redirect to SSL; Users: All users

I have 2 CDPs defined: an LDAP path and an http path (to my.crl.net)

I can connect to the site with a user cert when switching off verification of client certs. I can also access the "my.crl.net" site when logged on to the ISA server.




tshinder -> RE: Client certificate authentication fails (1.Sep.2004 5:57:00 PM)

Hi Howto,

I've seen this and it's a CA issue, not an ISA firewall issue. You might try restarting the CA server.

HTH,
Tom




mdagoreau -> RE: Client certificate authentication fails (2.Sep.2004 11:50:00 AM)

Hi Howto,

Check that your ISA server can access the CRL, which must be published on your CA via web. To check this, get the CRL link in the details panel of your server certificate, open IE on the ISA server and enter the URL.

If it doesn't work, check in your system policies whether you authorized ISA to get CRLs. Check the name resolution too, since the URL published might be the private one.

Matthieu




Howto -> RE: Client certificate authentication fails (2.Sep.2004 3:33:00 PM)

Hi mdagoreau,

I can access the CRL from ISA server and in the system policy CRL checks have been enabled.

Note: I can use VPN EAP (which also uses cert authentication).

Tom,

Restarting the CA had no effect. Might it have something to do with the fact that the CRL is published on another server than the CA itself?




tshinder -> RE: Client certificate authentication fails (18.Oct.2004 7:54:00 AM)

Hi Howto,

The ISA firewall will check based on the URL on the certificate. So as long as that URL is valid, that shouldn't be a problem.

HTH,
Tom




Howto -> RE: Client certificate authentication fails (9.Nov.2004 2:58:00 PM)

Hi Tom,

I've received a fix from Microsoft. Apparently there is a problem with wspsrv.exe:

If you don't have a CDP extension included in the ROOT certificate, this causes problems with the way ISA Server calls the CryptoAPI, leading to the "The certificate is revoked" error.




RuiFiske -> RE: Client certificate authentication fails (8.Dec.2004 5:02:00 PM)

I am having a very similar issue with an RSA Keon CA, even if I put the certificates in the Trusted Root store of the ISA server (not good practice, but as a test). If checking the CRL is required, then the certificate is rejected because the "CRL is invalid".

Did you ever resolve the issue, HowTo?

Are there extensions in Microsoft's CA certificates that are not present by default in other PKI CA certificates, that need to be added, such as the subjectKeyIdentifier?

Any advice would be much appreciated.




RuiFiske -> RE: Client certificate authentication fails (12.Jan.2005 2:50:00 PM)

I have managed to resolve this issue. As HowTo said, Microsoft (paradoxically) expects the Root CA's certificate to have a CDP. Once this has been done, the entire certificate chain will be validated.

So it's all working fine with remote CRLs and CRL checking.

I now need to work out how to have strong authentication in an ISA chain, so there'll be another post soon!
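The root-CA CDP requirement that HowTo and RuiFiske describe can be checked before a chain is deployed behind an ISA listener. The following is an added example, not code from the thread or from ISA Server: it builds two constructed self-signed roots with Python's `cryptography` library and reports which certificates in a chain carry no CDP URL (the path on my.crl.net is made up).

```python
"""Audit a certificate chain for the CRL Distribution Points (CDP) extension.
Constructed example: two self-signed root CAs are generated in memory, one with
a CDP and one without, so the check runs offline without touching a real CA."""
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

CDP_URL = "http://my.crl.net/root.crl"  # constructed path, not a published CRL


def make_root(common_name, cdp_url=None):
    """Self-signed root CA; the CDP extension is added only when cdp_url is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if cdp_url:
        point = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([point]), critical=False)
    return builder.sign(key, hashes.SHA256())


def cdp_urls(cert):
    """URI-form CDPs (HTTP or LDAP) on the certificate; [] when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def missing_cdp(chain):
    """Common names of every certificate in the chain, root included, that has no CDP URL."""
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
            for c in chain if not cdp_urls(c)]


if __name__ == "__main__":
    chain = [make_root("Root With CDP", CDP_URL), make_root("Root Without CDP")]
    print("certificates without a CDP:", missing_cdp(chain))
```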
