Some Windows 10 clients do not download CRL from internal CA?

  • Question

  • Hi,

    First of all - this is not my expertise so have patience with me please :) Also, if this post should be published in another sub-forum - please advise.

    Background:

    I have configured a wireless network (EAP-TLS) which requests access via an NPS server. The clients are granted access via an AD security group and a machine certificate, which is published from our internal CA. For the majority of the clients there are no issues, but for some (maybe one in 20 machines) there is an error on the NPS server with event ID 6273.

    "Network Policy Server denied access to a user.

    .....

    Reason: The revocation function was unable to check revocation because the revocation server was offline.

    "

    What I've looked in to:

    From the client I checked the cached CRL with 'certutil -urlcache CRL' - but the http entry I am looking for is missing. I used an ethernet cable to connect to our corporate network and browsed the site from Edge manually - with success. However, when I restarted the machine the entry was still not on the machine. I'm no PKI expert so perhaps you can enlighten me as to what I am missing?

    The https extension is:

    http://FQDN/CertEnroll/FakeName%20Root%20CA%202016.crl

    CRL publishing parameters are 3 days and 12 hours for delta.

    Also, there is no LDAP extension - even though there is one on the published machine certificate:

    ldap:///CN=FakeName%20Issuing%20CA%202016,CN=hostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=FakeDomain,DC=no?certificateRevocationList?base?objectClass=cRLDistributionPoint.

    For http extension:

    Checked - 'Include in CRLs. Clients use this to find Delta CRL locations.'

    Checked - 'Include in the CDP extension of issued certificates.'

    Not checked - 'Include in IDP extension of issued CRLs.'

    for ldap extension:

    Checked - 'Publish CRLs to this location.'

    Checked - 'Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.'

    Checked - 'Include in CRLs. Clients use this to find Delta CRL locations.'

    Checked - 'Include in the CDP extension of issued certificates.'

    Checked - 'Publish Delta CRLs to this location'.

    Not checked - 'Include in IDP extension of issued CRLs.'

    Looking forward to your kind guidance,

    with regards

    ITB

    Tuesday, November 5, 2019 8:57 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Is our CA one-tier CA or two-tier CA?

    We can try to check if our AD CS service is running on the CA server.

    If it is stopped, we need to start the AD CS service. If we cannot start the AD CS service, we can try to run (run this from an elevated command prompt) the following command to start this service:

    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

    And we should now be able to start the CA and get on with the business of troubleshooting.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 6, 2019 9:31 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou


    Friday, November 8, 2019 5:59 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Monday, November 11, 2019 9:42 AM
    Moderator
  • Dear Daisy,

    Sorry for this late reply, please find relevant information below to answer some questions. 

    This is an environment with a Root CA and an Issuing CA.

    The Root CA does not have any CRL Distribution attributes and is offline. 

    The Issuing CA only has a CDP (http) to itself.

    The NPS server certificate does not have a CDP.

    The client certificate does have a CDP (for both ldap and URL).

    In regards to the command below - I do not really want to disable the CRL check for all certificates - since it does work on the majority of clients.

    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

    Also, the CA is started.

    BR

    Theodor

    • Edited by MrGiraff Monday, November 11, 2019 12:50 PM
    Monday, November 11, 2019 12:07 PM
  • Hi,
    We can check if our CA environment is healthy.

    On the subCA server, type pkiview.msc in Search.

    Best Regards,
    Daisy Zhou


    Tuesday, November 12, 2019 6:10 AM
    Moderator
    Dear Daisy,

    The AIA Location #2 is 'unable to download' - but when I open a browser from my Intermediate CA and paste the URL I can download the file. 

    Any advice?

    BR

    Theodor

    Tuesday, November 12, 2019 12:05 PM
  • Hi,
    We can try to repair the CA environment:

    1. On the Sub CA, we can re-publish New CRL and Del CRL only.

    Right click Revoked Certificates->All Tasks->Publish->New CRL and Del CRL only.



    2. Refresh PKIview.msc.

    3. If there is still an error in PKIview.msc, we can check the AIA Location #2 through the registry value and the Extensions tab, then compare if they are the same.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\CACertPublicationURLs

    1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
    C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt

    2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>

    2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt
    http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

    4. If they are the same in step 3, we can reset the IIS service and reboot the IIS server.

    Best Regards,
    Daisy Zhou


    Wednesday, November 13, 2019 9:53 AM
    Moderator
  • Dear Daisy,

    I tried publishing new CRL and Delta CRL, without any luck. 

    I also checked the registry as per your recommendation - and it differs somewhat from what you mentioned above.

    So, this is what I see in regedit:

    http://FQDN/CertEnroll/%3%8%9.crl

    This is what I see in PKIview.msc:

    http://FQDN/CertEnroll/Intermediate_CA_Name.crl

    This is what I see in certsrv.msc->Properties->Extensions:

    http://FQDN/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

    This is confusing me somewhat - should I replace the extensions under properties with what you write above?

    "http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt"

    Wednesday, November 13, 2019 12:24 PM
  • Hi,
    I think you checked the AIA location #2 incorrectly.

    We should check AIA, not CDP.

    For AIA location #2 about the Sub CA:

    Registry: 
    http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt



    Extension :
    http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

    PKIview.msc:

    http://pki.fabrikam.com/CertEnroll/2016-2.Fabrikam.com_Fabrikam%20Issuing%20CA(1).crt

    Best Regards,
    Daisy Zhou


    Thursday, November 14, 2019 1:30 AM
    Moderator
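The registry, the Extensions tab and PKIView show one and the same location in three notations: the registry keeps the %-token template, the Extensions tab prints the tokens as names, and PKIView shows the expanded URL. The script below is an added example, not a command from this thread or from Microsoft: run in an elevated PowerShell on the issuing CA, it reads the CA's CRLPublicationURLs from the registry key named above, decodes the number in front of each entry into the CDP check-box labels quoted in the original question, and expands the tokens with the CA's own values. It assumes the CA has not renewed its key yet (so %4 and %8 expand to nothing); CACertPublicationURLs (the AIA list) uses the same tokens.

```powershell
# Added example, not the thread's own commands. Run in an elevated PowerShell on the issuing CA.
$cfg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$name = (Get-ItemProperty $cfg).Active             # name of the active CA instance
$ca   = Get-ItemProperty (Join-Path $cfg $name)    # CRLPublicationURLs, CACertPublicationURLs, CommonName, ...

# Each %-token as the registry stores it, the name the Extensions tab shows for it, and its value
# on this CA. %4 and %8 are assumed '' (no CA key renewal yet); %9 is '+' only in delta CRL names.
$tokens = @{
    '%1'  = @('<ServerDNSName>',          $ca.CAServerName)
    '%2'  = @('<ServerShortName>',        $ca.CAServerName.Split('.')[0])
    '%3'  = @('<CaName>',                 $ca.CommonName)
    '%4'  = @('<CertificateName>',        '')
    '%6'  = @('<ConfigurationContainer>', $ca.DSConfigDN)
    '%7'  = @('<CATruncatedName>',        $ca.CommonName)   # the CA truncates names longer than 64 chars
    '%8'  = @('<CRLNameSuffix>',          '')
    '%9'  = @('<DeltaCRLAllowed>',        '+')
    '%10' = @('<CDPObjectClass>',         '?certificateRevocationList?base?objectClass=cRLDistributionPoint')
    '%11' = @('<CAObjectClass>',          '?cACertificate?base?objectClass=certificationAuthority')
}
# Bits of the number in front of each CRLPublicationURLs entry, named as the CDP check boxes name them.
$crlFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs. Clients use this to find Delta CRL locations'
    8   = 'Include in all CRLs (where to publish in AD when publishing manually)'
    64  = 'Publish Delta CRLs to this location'
    128 = 'Include in IDP extension of issued CRLs'
}

function Expand-CaUrl {
    param([string]$Template, [switch]$Delta)
    $named = $Template; $concrete = $Template
    # Longest tokens first, so that %1 does not eat the front of %10 and %11.
    foreach ($t in ($tokens.Keys | Sort-Object Length -Descending)) {
        $value    = if ($t -eq '%9' -and -not $Delta) { '' } else { $tokens[$t][1] }
        $named    = $named.Replace($t, $tokens[$t][0])
        $concrete = $concrete.Replace($t, $value)
    }
    [pscustomobject]@{ ExtensionsTab = $named; Concrete = $concrete }
}

foreach ($entry in $ca.CRLPublicationURLs) {
    $flags, $template = $entry.Split(':', 2)           # '6:http://...' -> flags '6', template 'http://...'
    "`nCDP entry (flags $flags): $template"
    "  Extensions tab : " + (Expand-CaUrl $template).ExtensionsTab
    "  Base CRL       : " + (Expand-CaUrl $template).Concrete           # PKIView shows spaces as %20
    "  Delta CRL      : " + (Expand-CaUrl $template -Delta).Concrete
    $crlFlags.Keys | Sort-Object | Where-Object { ([int]$flags -band $_) -ne 0 } |
        ForEach-Object { "  [x] $($crlFlags[$_])" }
}
```

For the thread's http entry, flags 6 decode to the two boxes the question lists as checked (2 and 4), and %3%8%9.crl expands to the base name shown in PKIView and, with %9 set, to the delta CRL name ending in +.crl.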
    Ahh - yes, you are correct, I looked at CDP not AIA. But the AIA Location #2 issue is now resolved and everything is with status "OK".

    

    However, some users still experience NPS server error 6723.

    "Network Policy Server denied access to a user.

    .....

    Reason: The revocation function was unable to check revocation because the revocation server was offline."

    Any advice where to look next?

    Friday, November 15, 2019 11:28 AM
  • Hi,
    According to our description, we also need to check the AIA location of the root CA. We need to check that everything (AIA location and CDP location) about the root CA is OK.

    Best Regards,
    Daisy Zhou


    Monday, November 18, 2019 1:06 AM
    Moderator
  • Thanks for your continuous replies Daisy, it is much appreciated!

    I can confirm the root CA appears to be working just fine.  

    With kind regards

    Theodor

    Monday, November 18, 2019 8:41 AM
  • Hi,

    1. On one client, we check whether we can download root CA CRL and sub CA CRL.
    We should download all of them.

    2. View the details (CRL Distribution Points and Authority Information Access) of the certificate on this machine. Check if the information is the same as on the CA.

    Best Regards,
    Daisy Zhou


    Tuesday, November 19, 2019 10:14 AM
    Moderator
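Both checks in that reply can be scripted on a problematic client. This is an added example, not code from the thread or from Microsoft: it lists every machine certificate in the local computer's Personal store with its issuer and the HTTP URLs from its CRL Distribution Points and Authority Information Access extensions, then tries to download each one, so certificates whose CA is no longer reachable (such as ones from a CA being decommissioned, the cause found later in this thread) stand out as FAILED. It only fetches HTTP locations; LDAP locations are listed by neither the regex nor the download.

```powershell
# Added example, not the thread's own commands. Run in PowerShell on the client; reading the
# LocalMachine\My store needs no elevation.
$urlPattern = 'URL=(https?://\S+)'

function Get-ExtensionHttpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return }
    # Format($true) renders the extension as the text certmgr shows, one 'URL=...' per location.
    [regex]::Matches($ext.Format($true), $urlPattern) | ForEach-Object { $_.Groups[1].Value }
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $cdp = @(Get-ExtensionHttpUrls -Cert $cert -Oid '2.5.29.31')          # CRL Distribution Points
    $aia = @(Get-ExtensionHttpUrls -Cert $cert -Oid '1.3.6.1.5.5.7.1.1')  # Authority Information Access
    if ($cdp.Count + $aia.Count -eq 0) {
        # Like the NPS server certificate in this thread: nothing that can be checked over HTTP.
        [pscustomobject]@{ Kind = '-'; Status = 'skipped'; Issuer = $cert.Issuer; Url = '(no HTTP CDP/AIA)' }
        continue
    }
    foreach ($url in ($cdp + $aia)) {
        $kind = if ($cdp -contains $url) { 'CDP' } else { 'AIA' }
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $status = "OK, $($r.RawContentLength) bytes"
        } catch {
            $status = "FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Kind = $kind; Status = $status; Issuer = $cert.Issuer; Url = $url }
    }
}
$report | Sort-Object Status | Format-Table Kind, Status, Issuer, Url -AutoSize -Wrap
```

For a single exported certificate, certutil -verify -urlfetch <file.cer> performs the same retrieval through CryptoAPI, LDAP locations included, and reports which URL the chain build could not reach.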
  • Dear Daisy,

    I've confirmed that one of the machine certificates on a computer which is experiencing problems is issued by my CA (there are some other certificates issued by the old environment, which we are working to replace but which are still used for Direct Access). I was able to download the CA listed in the certificate by copying the link from the certificate.

    I also browsed to http://FQDN/Certenroll and downloaded them from there.

    ______

    Update: I got my hands on another computer and it appears the certificates from the old CA (which is about to be decommissioned) are causing the problem. I drew this conclusion after deleting the personal machine certificates issued from the old CA and trying to reconnect. Since I use simple certificate selection I thought it would figure this out by itself. In the Group Policy "Wireless Network (IEEE 802.11) Policies->edit settings->Security tab->Properties->Trusted Root Certification Authorities" I've also used simple certificate selection.

    Any thoughts? 

    Best regards

    Theodor


    • Edited by MrGiraff Wednesday, November 20, 2019 3:46 PM New info
    Wednesday, November 20, 2019 3:23 PM
  • Hi,
    I am so happy we find some related information. 

    On one problematic client, we can try to find one problematic certificate, request a new certificate from the new CA and replace the problematic certificate with the new certificate.

    Best Regards,
    Daisy Zhou


    • Marked as answer by MrGiraff Friday, November 22, 2019 8:34 AM
    Thursday, November 21, 2019 6:27 AM
    Moderator
  • Hi again,

    Yes - I am happy :)

    So, I've identified the certificate and removed it from 'Certificate Templates' from the old CA. However, the certificate is still available on several machines in my organisation. Since I do not want to create a new certificate, only replace the certificate from the users which have been issued a certificate from the old CA, what is the best course of action? The 'Superseded Templates' is not the way to go here, right?

    Best regards

    Theodor

    Thursday, November 21, 2019 8:35 AM
  • Hi,
    I think the best way is to duplicate a certificate template on the new CA server and request a certificate using this certificate template on the problematic client. Then check if it helps.

    Best Regards,
    Daisy Zhou


    Friday, November 22, 2019 9:39 AM
    Moderator