
Testing CRLs

Amihai Bareket (External; member since Mar 01, 2005; 22 posts)

(Msg. 1) Posted: Sat Jul 22, 2006 10:32 am
Post subject: Testing CRLs
Archived from groups: microsoft.public.platformsdk.security, others

We're working with Windows Server 2003 CA.

We had several issues where the CRL file that the CA published was unusable
for users (Smartcard Logon, ). CRL is published through HTTP (IIS).

The error message we get is -

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 9
The client has failed to validate the Domain Controller certificate for
my.domain. The following error was returned from the certificate validation
process: The revocation function was unable to check revocation because the
revocation server was offline.

The error message is not the issue here. Publishing a new CRL and rebooting
the DCs usually sorts the problem.

We want to create a script that will run automatically and test the CRL
every time it's published by the CA before we transfer it to the IIS server.

Any ideas?

Thanks,

Amihai

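A pre-publication CRL check of the kind the question asks for, added here as an example (it is not code from the thread, and the sample CRL bytes are hand-constructed): it parses the DER file with only the Python standard library, reads thisUpdate and nextUpdate from the TBSCertList, and reports a problem when the validity window is missing, already over, or about to end. It does not verify the signature or the CDP/AIA URLs, so a clean result only rules out a CRL that is stale before it reaches IIS.

```python
from datetime import datetime, timedelta, timezone

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate may be None."""
    tbs = der_children(der_children(der_tlv(der)[1])[0][1])  # CertificateList -> tbsCertList
    i = 1 if tbs[0][0] == 0x02 else 0                  # optional version INTEGER
    this_update = der_time(*tbs[i + 2])                # after AlgorithmIdentifier, issuer
    next_update = None
    if len(tbs) > i + 3 and tbs[i + 3][0] in (0x17, 0x18):
        next_update = der_time(*tbs[i + 3])
    return this_update, next_update

def check_crl(der, now=None, min_remaining=timedelta(hours=1)):
    """Return a list of problems; an empty list means the CRL is safe to publish."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    checks = [(this_update > now, "thisUpdate is in the future (clock skew?)"),
              (next_update is None, "no nextUpdate field"),
              (next_update is not None and next_update <= now, "nextUpdate has already passed"),
              (next_update is not None and now < next_update < now + min_remaining,
               "nextUpdate is less than %s away" % min_remaining)]
    return [msg for cond, msg in checks if cond]

# Constructed sample (hand-encoded DER, dummy signature): v2 CRL issued by
# CN=Test CA, thisUpdate 2006-07-22, nextUpdate 2006-07-29, no revoked entries.
SAMPLE_CRL = bytes.fromhex(
    "30593044020101300d06092a864886f70d01010b050030123110300e0603550403130754657374204341"
    "170d3036303732323030303030305a170d3036303732393030303030305a"
    "300d06092a864886f70d01010b050003020000")
```

Call check_crl on the bytes of the .crl file the CA writes before copying it to the IIS server; a non-empty list means do not publish.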
Brian Komar (External; member since Sep 20, 2004; 21 posts)

(Msg. 2) Posted: Mon Jul 24, 2006 7:24 am
Post subject: Re: Testing CRLs
Archived from groups: per prev. post

In article <uz6UREWrGHA.3412@TK2MSFTNGP02.phx.gbl>, amihai73@hotmail.com says...
>
> Event ID: 9
> The client has failed to validate the Domain Controller certificate for
> my.domain. The following error was returned from the certificate validation
> process: The revocation function was unable to check revocation because the
> revocation server was offline.
>
This type of error is not typically due to a malformed CRL. This error message
is typically displayed when there are errors in the AIA or CDP extension of a
certificate in the certificate chain.
To troubleshoot, export a certificate (such as the domain controller
certificate) to a file, and then run "certutil -verify -urlfetch <dccert.cer>"
and post the output to the newsgroup. This should show where the errors are.

Brian
