Turn off revocation checking for untrusted domain clients?

  • Question

  • Is this possible?

    I have a cert that won't install because the following command attempts to get the CRL of the certificate specified by the -Thumbprint switch

    setdpmserver -dpmCredential c:\DPM\CertificateConfiguration_some-server-here.bin -OutputFilePath c:\DPM -Thumbprint somethumbprinthere

    Is there a switch to turn off revocation checking?

    Monday, March 9, 2015 1:24 AM

Answers

  • Solved it by importing the CRL locally. I can attach the agent to DPM now
    • Marked as answer by NZ_Kiwi Thursday, March 12, 2015 11:17 PM
    Thursday, March 12, 2015 11:17 PM

All replies

  • Hi,

    I cannot find a way to disable revocation checking, but there is an article on exporting a certificate from the DPM server and installing it on an untrusted client. Please see if it could help.

    The steps are very long with many pictures. Please just let us know if there is anything unclear.

    How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager

    http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, March 9, 2015 9:44 AM
    Moderator
  • Hi Again,

    Yes that is the article I'm attempting to follow. However according to technet:

    https://technet.microsoft.com/en-us/library/hh757942.aspx

    "The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and DPM server."

    This implies that our internal CA publishes its CRL to a website rather than using standard LDAP checking. I would have to reconfigure our entire CA just to get this setup to work.

    Surely there must be a way to protect a workgroup computer without CRL checking? We don't need certs for the primary server. Why it is required for the secondary is beyond me.

    Tuesday, March 10, 2015 7:34 PM
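The accepted answer above is to import the CRL locally rather than make the CA's LDAP distribution point reachable from the workgroup client. The following PowerShell script is an added example, not code from the thread or from the DPM documentation: it reproduces the chain build that fails during SetDPMServer (an online revocation check), prints the CRL distribution points in the certificate so you can confirm they are LDAP-only, and, when the failure is a revocation lookup rather than an actual revocation, loads a CRL file into the local machine CA store with certutil and re-checks the chain in offline mode. The thumbprint, the CRL path `C:\DPM\issuing-ca.crl` and the assumption that the CRL was exported from the issuing CA beforehand (for example with `certutil -CRL` on the CA or from the CA console) are hypothetical.

```powershell
# Added example (not from the thread or the DPM docs): diagnose a revocation
# failure on a workgroup / untrusted-domain DPM client and fix it by importing
# the issuing CA's CRL into the local machine store.
# Assumptions (hypothetical): the client certificate is in Cert:\LocalMachine\My
# and identified by $Thumbprint; the CRL was exported from the CA and copied to
# $CrlPath. Run in an elevated PowerShell session on the client.

param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$CrlPath = 'C:\DPM\issuing-ca.crl'
)

$clean = $Thumbprint -replace '\s', ''
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My" }

# Show the CRL Distribution Points extension (OID 2.5.29.31). If every URL is
# ldap://, a client outside the forest cannot fetch the CRL, which is the
# situation described in the thread.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    Write-Host 'CRL distribution points in the certificate:'
    $cdp.Format($true) | Write-Host
} else {
    Write-Host 'Certificate carries no CRL distribution point extension.'
}

function Test-RevocationChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. Online check: this is the kind of chain build that SetDPMServer performs,
#    so it fails the same way when the CDP is unreachable.
$before = Test-RevocationChain -Certificate $cert -Mode Online
$before | Format-List

# 2. Only a *lookup* failure is fixable by a local CRL. A real 'Revoked' status
#    means the certificate must be reissued, so do not mask it.
if ($before.Status -match 'Revoked') {
    throw 'Certificate is revoked; importing a CRL will not help.'
}

if ($before.Status -match 'RevocationStatusUnknown|OfflineRevocation') {
    if (-not (Test-Path $CrlPath)) { throw "CRL file not found: $CrlPath" }

    # certutil -addstore accepts .crl files; -f replaces an older copy of the
    # same CRL. CryptoAPI then satisfies the revocation check from the local
    # store without contacting the LDAP or HTTP distribution point.
    & certutil.exe -addstore -f CA $CrlPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit code $LASTEXITCODE)" }

    # 3. Re-check in Offline mode, which uses only cached/local CRLs. If this
    #    now reports Valid = True, SetDPMServer should succeed as well.
    Test-RevocationChain -Certificate $cert -Mode Offline | Format-List
}
```

Two caveats a practitioner will want: the imported CRL is only good until its Next Update time (check it with `certutil -dump C:\DPM\issuing-ca.crl`), so the import has to be repeated, by a scheduled task or as part of CRL publication, before it expires or the DPM agent connection will start failing again; and if the chain includes an intermediate CA, that CA's CRL must be imported the same way, because the check above uses the EntireChain flag.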