Error: Revocation check failed for certificate

    Question

  • Greetings;

    I have a Win 2008 R2 installed; it is not joined to any domain and works in a Workgroup.

    It has Terminal Server and Certificate Services (AD-CA) installed.

    I have generated a certificate for the TS server with Certificate Services.

    When trying to access the TS from the Internet with a Win7 OS using RDP 6.1, a message appears that says:

    [message]

    -Errores de certificado:

    --Se produjeron los siguientes errores al validar el certificado del equipo remoto:

    --- No se puede realizar una comprobación de revocación para el certificado.

    [/message]

    It only happens with Win7 clients, since WinXP clients show no problems.

    Since I had the same scenario set up with Windows 2003 SP2, I compared the certificates of the Certification Authorities (CA) that issue the corresponding certificates for the TS server and found that the CA certificate of the machine with Win2008 R2 does not have an item in the certificate details that says "Puntos de Distribución CRL", which does exist in the CA certificate of the Win 2003.

    I also compared the server certificates issued by both CAs. Both have the items "Puntos de distribución CRL" and "Acceso a la información de entidad emisora", which point to addresses local to my LAN, of the form:

    [For server certificate issued on W2k3]

    [1]Punto de distribución CRL

    Nombre del punto de distribución:

    Nombre completo:

    Dirección URL=http://w2k3/CertEnroll/CA.crl

    Dirección URL=file://\\w2k3\CertEnroll\CA.crl

    [/For server certificate issued on W2k3]

    ...and...

    [For server certificate issued on W2k8]

    [1]Punto de distribución CRL

    Nombre del punto de distribución:

    Nombre completo:

    Dirección URL=file://W2K8/CertEnroll/CA.crl

    [/For server certificate issued on W2k8]

    Could the problem be here... how do I solve it?

    Could someone point me to how to resolve the error message, which is only generated when using Remote Desktop 6.1 on Win7?

    Many thanks in advance.

    Mario.

     

    Monday, December 13, 2010 2:54 PM

Answers

All replies

  • Hi Mario,

     

     

    Can you re-post this thread in English? Or you can post it to the relevant forum through the following link.

     

    http://technet.microsoft.com/en-us/SelectLocale?fromPage=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fms376608

     

     

    Thanks.

    Tuesday, December 14, 2010 8:02 AM
    Moderator
  • Sorry Alan;

    I have installed a Win 2008 R2, not associated with any domain, working on a Workgroup.

    Installed Terminal Server and Certificate Services (AD-CA).

    I have generated a certificate for the TS Server with Certificate Services.

    When trying to access the TS from the Internet with a Win7 OS using RDP 7.0, a message appears that says:

    [message]

    Errors of certificate:

    The following error occurred validating the certificate of the remote computer:
    Can not perform a check for certificate revocation.

    [/message]

     
    Only happens with Win7 clients, with WinXP no problems!

    Since I had the same scenario set up with Windows 2003 SP2, I compared the CA certificates and found that the CA certificate on the computer with Win2008 R2 does not have an item in the certificate details that says "CRL Distribution Points", which *exists* in the CA certificate of Win 2003.

    I also compared the server certificates issued by both CAs; both have the items "CRL Distribution Points" and "Access to CA information" pointing to local addresses of my LAN:

    [W2k3 server certificate]

    [1] CRL Distribution Point

    Distribution Point Name:

    Full name:

    URL = http://w2k3/CertEnroll/CA.crl

    URL = file://\\w2k3\CertEnroll\CA.crl

    [/W2k3 server certificate]

    ... and ...

    [W2K8 server certificate]

    [1] CRL Distribution Point

    Distribution Point Name:

    Full name:

    URL = file://W2K8/CertEnroll/CA.crl

    [/W2k8 server certificate]

     

    Could the problem be here ... How can I fix it?
    It would be possible to configure the certification system so that it does not check certificate revocation lists (CRL).

    Could someone guide me on how to resolve the error message that is generated only when using Remote Desktop 7.0 in Win7?

    Of course, many thanks.

    Mario.
    Wednesday, December 15, 2010 2:08 PM
  • Hi,

     

    Does the CA server belong to AD? If so, you need to publish the CRL to an HTTP location so that the workgroup client computer can download the CRL.

     

    For more information, you can refer to the “CRL Best Practices” section of the following article:

     

    Creating Certificate Policies and Certificate Practice Statements

    http://technet.microsoft.com/en-us/library/cc780454(WS.10).aspx

     

     

    In addition, this certificate should be stored in the Trusted Root CAs store on the client computer, and you may get some clues from the following thread.

     

    Certificate revocation check from external network

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/91c05025-f18a-4839-973f-42fceaf66a77/

     

     

    Thanks.

    Friday, December 17, 2010 6:14 AM
    Moderator
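
The HTTP publication suggested in the last reply, as an added example that is not part of the thread and not Microsoft's own script. It assumes `crl.example.com` (a placeholder) resolves from the Internet and serves the CA's CertEnroll folder over HTTP, and that `ts-server.cer` is an exported copy of the reissued Terminal Server certificate.

```powershell
# Added example. Steps 1-3: elevated PowerShell on the Win2008 R2 CA server.
# ASSUMPTION: crl.example.com is a placeholder for a host name that Internet
# clients can resolve and that serves the CertEnroll folder over HTTP.
$cdpHost = 'crl.example.com'

# 1. Show the CRL publication / CDP URLs the CA currently uses. A file:// entry
#    such as the one in the W2K8 certificate only works inside the LAN.
certutil -getreg CA\CRLPublicationURLs

# 2. Replace them with:
#      65 = publish CRLs (1) and delta CRLs (64) to the local CertEnroll folder
#       6 = include in the CDP extension of issued certificates (2) and
#           in CRLs so clients can locate delta CRLs (4)
#    %3 = CA name, %8 = CRL name suffix, %9 = delta CRL marker.
#    "\n" is passed literally; certutil treats it as the entry separator.
$urls = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl" +
        "\n6:http://$cdpHost/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CRLPublicationURLs $urls

# 3. Restart the CA so the setting takes effect, then publish a fresh CRL.
Restart-Service certsvc
certutil -crl

# 4. Reissue the Terminal Server certificate. Certificates issued before the
#    change still carry the old file:// CDP and will keep failing.

# 5. On the Win7 client: confirm the CDP is HTTP and the CRL can be fetched.
#    ts-server.cer is a placeholder file name.
certutil -verify -urlfetch .\ts-server.cer
```

In the step 5 output, the CDP section should list the HTTP URL with a successful retrieval; a failed or timed-out entry there corresponds to the revocation-check error in the RDP client.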