
Testing CRLs

 
Amihai Bareket

(Msg. 1) Posted: Sat Jul 22, 2006 10:32 am
Post subject: Testing CRLs
Archived from groups: microsoft>public>platformsdk>security, others

We're working with Windows Server 2003 CA.

We had several issues where the CRL file that the CA published was unusable
for users (Smartcard Logon, ). CRL is published through HTTP (IIS).



The error message we get is -

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 9
The client has failed to validate the Domain Controller certificate for
my.domain. The following error was returned from the certificate validation
process: The revocation function was unable to check revocation because the
revocation server was offline.



The error message is not the issue here. Publishing a new CRL and rebooting
the DCs usually sorts the problem.



We want to create a script that will run automatically and test the CRL
every time it's published by the CA before we transfer it to the IIS server.



Any ideas?



Thanks,



Amihai

Brian Komar

(Msg. 2) Posted: Mon Jul 24, 2006 7:24 am
Post subject: Re: Testing CRLs
Archived from groups: per prev. post

In article , says...
>
> Event ID: 9
> The client has failed to validate the Domain Controller certificate for
> my.domain. The following error was returned from the certificate validation
> process: The revocation function was unable to check revocation because the
> revocation server was offline.
>
>
>
This type of error is not typically due to a malformed CRL. This error message is typically
displayed when there are errors in the AIA or CDP extension of a certificate in the
certificate chain.
To troubleshoot, export a certificate (such as the domain controller certificate) to a file,
and then run "certutil -verify -urlfetch <dccert.cer>" and post the output to the newsgroup.
This should show where the errors are.

Brian
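
An added example, not part of either post above: one way to script the pre-publication check the question asks for is to parse the DER-encoded CRL and confirm that it is structurally readable and that its thisUpdate/nextUpdate window covers the present before the file is copied to the IIS server. The function names, the four-hour safety margin and the sample CRL are assumptions made for this sketch; it does not verify the CA signature or the CDP/AIA URLs, which is what the `certutil -verify -urlfetch` run suggested in the reply covers.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_window(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CRL (RFC 5280 CertificateList)."""
    tag, cert_list, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE (PEM text or trailing bytes?)")
    tag, tbs, _ = read_tlv(cert_list, 0)        # tbsCertList
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0x02:                             # optional version INTEGER
        tag, val, pos = read_tlv(tbs, pos)      # signature AlgorithmIdentifier
    tag, val, pos = read_tlv(tbs, pos)          # issuer Name
    tag, val, pos = read_tlv(tbs, pos)          # thisUpdate
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):  # nextUpdate is OPTIONAL in the ASN.1
        next_update = parse_time(*read_tlv(tbs, pos)[:2])
    return this_update, next_update

def publish_problems(der, now, min_remaining=timedelta(hours=4)):
    """Return reasons to hold this CRL back; an empty list means the checks passed."""
    try:
        this_update, next_update = crl_window(der)
    except (ValueError, IndexError, KeyError) as exc:
        return ["unparseable CRL: %r" % exc]
    problems = ["thisUpdate is in the future"] if this_update > now else []
    if next_update is None or next_update - now < min_remaining:  # margin is an assumed value
        problems.append("nextUpdate missing, passed or too close")
    return problems

def tlv(tag, body):  # builds the constructed sample below (not a real CA's CRL, dummy signature)
    return bytes([tag, len(body)]) + body
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"Example CA"))))
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + NAME + tlv(0x17, b"060722000000Z") + tlv(0x17, b"060729000000Z"))
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00" + b"\xaa" * 8))
```

A publishing job would call `publish_problems(open(path, "rb").read(), datetime.now(timezone.utc))` on the CA's output file and copy it only when the returned list is empty.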
