Certificate revocation list

Question
-
I have been asked to replicate our live App-V service in an isolated testing environment. Because it is literally a replica of the live service (right down to DNS names etc) it cannot be connected to the internet or to any live service.
When the App-V client attempts a publishing refresh against the secure (RTSPS port 322) App-V management server, the refresh fails, and an error message is returned "The Application Virtualization Client could not update publishing information from the server AppV-Server. The revocation function was unable to check revocation because the revocation server was offline. Error code: 4615186-24c0332a-80092013".
I assume that the problem is literally what it says i.e. the App-V client needs to connect to a revocation server, but can't as there is no internet connection. Is there any way of configuring the client to NOT check for certificate revocation? Is there any other work-around? I realise this is not a good thing to do for a live service, but this is a test and development service which needs to be identical (as close as possible) to the live service. Providing an internet connection is not an option as it simply won't be permitted.
The App-V server certificate was provided to me by an external CA. I don't think there is any problem with the certificate as such, as it works on the live service (which DOES have an internet connection).
Any assistance would be much appreciated. Thanks.
Tuesday, January 3, 2012 1:57 PM
Answers
-
Thanks all for your responses. Unfortunately the proxy settings recommendations weren't an option for me as this is an isolated test service with NO internet connection possible, not even via a proxy.
In case anyone else has the same issue, here's what I did:
I "worked around" the problem by downloading the CRLs from the web locations specified in each of the certificates, saving them to a CD, and then importing them locally into each App-V related computer in my isolated App-V test environment.
Another option would have been to contact the external CA and ask them to issue new certificates configured with No CRL source, but the first option was easier for me.
- Edited by Mark Johnstone Friday, January 6, 2012 3:30 PM
- Marked as answer by Mark Johnstone Friday, January 6, 2012 3:33 PM
Friday, January 6, 2012 3:30 PM
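The workaround described in the answer above, sketched as an added example that is not part of the original post: collect the CRLs named in each certificate on a connected machine, then import them on the isolated machines. The folder paths and function names are hypothetical, and it assumes the server certificate and its chain have been exported as .cer files.

```powershell
# Added example; folder paths and function names are hypothetical.

# --- On an internet-connected machine: collect the CRLs named in each certificate ---
function Get-CdpUrl([string]$CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return }          # e.g. a root certificate with no CDP
    # Format() renders the extension as text containing "URL=http://..." lines
    [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Save-Crl([string]$CertDir, [string]$CrlDir) {
    New-Item -ItemType Directory -Path $CrlDir -Force | Out-Null
    $web = New-Object System.Net.WebClient
    Get-ChildItem $CertDir -Filter *.cer | ForEach-Object { Get-CdpUrl $_.FullName } |
        Sort-Object -Unique | ForEach-Object {
            $uri  = [uri]$_
            # Prefix with the host so CRLs with the same file name do not collide
            $dest = Join-Path $CrlDir ($uri.Host + '_' + [IO.Path]::GetFileName($uri.LocalPath))
            $web.DownloadFile($uri, $dest)
            Write-Output "Saved $_ -> $dest"
        }
}

# --- On each isolated machine (elevated prompt): import the copied CRLs ---
function Import-Crl([string]$CrlDir) {
    Get-ChildItem $CrlDir | ForEach-Object {
        # -addstore CA places the CRL in the machine's Intermediate Certification Authorities store
        certutil -addstore CA $_.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed: $($_.Name)"; return }
        # Show the validity window; the CRL stops satisfying revocation checks after NextUpdate
        certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
    }
}

# Connected machine:  Save-Crl   'C:\Temp\appv-certs' 'C:\Temp\appv-crls'
# Isolated machines:  Import-Crl 'D:\appv-crls'
```

Imported CRLs are only valid until their NextUpdate time, so the download and import have to be repeated before that date for the isolated environment to keep passing revocation checks.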
All replies
-
Hello,
If googling for the error message, the following suggestions are present:
Nicke Källén | The Knack | Twitter: @Znackattack
Tuesday, January 3, 2012 2:05 PM
-
What server is the client attempting to connect to to obtain the CRL? If it's a private certificate then it might be an internal CRL.
See these articles:
- How Certificate Revocation Works (Windows 7)
- Certificate Status and Revocation Checking (Windows XP)
Twitter: @stealthpuppy | Blog: stealthpuppy.com
This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
- Marked as answer by Mark Johnstone Friday, January 6, 2012 3:31 PM
- Unmarked as answer by Mark Johnstone Friday, January 6, 2012 3:33 PM
Tuesday, January 3, 2012 2:38 PM Moderator
-
It's an external certificate, and the client is attempting to contact an external CRL.
Tuesday, January 3, 2012 2:57 PM
-
Hello,
See this link; Based on this comment (cited from the forum thread I posted above)
Conclusion
The softgrid client looks at internet explorer for proxy settings.
The softgrid client does not work with an automatic proxy configuration via proxy.pac
System wide proxy settings are used by the softgrid client if a proxy.pac file is used in internet explorer
Nicke Källén | The Knack | Twitter: @Znackattack
- Edited by znack Tuesday, January 3, 2012 3:04 PM
Tuesday, January 3, 2012 3:04 PM -