BIG THX for this!!! Had the same error, this fixed the error.
Did you ever manage to find the root cause for this? We're having the same problem and obviously as you have mentioned, turning off the check for server revocation in a production environment is not advised.
I have logging enabled, but there is no log there even though workplace join fails. Why?
I had the same issue in my lab despite having configured my PKI to publish CRLs to an HTTP location accessible to a non-domain joined client. In the end I resolved by...
1. Re-publishing (non-delta) CRL. Obviously my PKI had already published a CRL prior to me configuring an HTTP location and the Freshest CRL location in that already published CRL only contained the default LDAP location. After re-publishing the CRL, both LDAP and HTTP locations appeared in the Freshest CRL location.
2. Clearing the CRL cache on the client to force it to go to the network and pull the re-published CRL. I used the information at blogs.technet.com/.../how-to-refresh-the-crl-cache-on-windows-vista.aspx to do this.
After these two things, everything worked fine.
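The two steps from the comment above as a PowerShell sketch. This is an added example, not the commenter's own commands: it republishes the base CRL on the CA, lists the URLs the CRL file advertises so an LDAP-only CRL is easy to spot, and flushes the client's CRL cache. The `-Role` switch, the function name and the default `C:\Temp\base.crl` path are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example. Parameter names and the default path are placeholders, not values from the thread.
param(
    [ValidateSet('CA', 'Client')][string]$Role = 'Client',
    [string]$CrlPath = 'C:\Temp\base.crl'   # hypothetical copy of the published base CRL
)

function Get-CrlDumpUrls {
    # Returns every "URL=" entry that 'certutil -dump' prints for the file,
    # tagged with its scheme (ldap, http, ...).
    param([Parameter(Mandatory)][string]$Path)
    & certutil.exe -dump $Path |
        Select-String -Pattern 'URL=(\S+)' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object {
            $url = $_.Groups[1].Value
            [pscustomobject]@{ Scheme = ($url -split ':')[0].ToLower(); Url = $url }
        }
}

if ($Role -eq 'CA') {
    # Step 1: publish a new base (non-delta) CRL so it picks up the
    # currently configured distribution points.
    & certutil.exe -CRL

    # Inspect a copy of the newly published CRL. A non-domain-joined client
    # cannot use the default LDAP location, so an HTTP URL must be present.
    if (Test-Path $CrlPath) {
        $urls = @(Get-CrlDumpUrls -Path $CrlPath)
        $urls | Format-Table -AutoSize
        if (-not ($urls | Where-Object { $_.Scheme -in 'http', 'https' })) {
            Write-Warning "No HTTP location found in $CrlPath; only these schemes: $(($urls.Scheme | Sort-Object -Unique) -join ', ')"
        }
    } else {
        Write-Warning "CRL copy not found at $CrlPath; skipping URL check."
    }
}
else {
    # Step 2: drop cached CRLs and mark the chain cache as stale so the
    # next validation fetches the republished CRL from the network.
    & certutil.exe -urlcache crl delete
    # '@now' is quoted because PowerShell would otherwise treat @now as splatting.
    & certutil.exe -setreg chain\ChainCacheResyncFiletime '@now'
}
```

On the client, `certutil -verify -urlfetch <certificate file>` afterwards shows which CRL URLs were actually retrieved.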