A revocation check could not be performed for the certificate

    Question

  • Hi guys,

    I've read through all the other threads on this issue but they're all slightly different to my issue, hopefully somebody can help me out as I'm stumped now!

    I've got a single Windows 2008 R2 Remote Desktop Services server setup with a standard single subject name Thawte SSL123 signed cert.  I've installed the cert on the RDS server, including the intermediate cert and root CA cert.  Most PCs can connect to the RDS server no problem; however, a number of Windows 7 machines (strangely all Home edition so far) are getting the error "A revocation check could not be performed for the certificate." when they try to connect and are therefore not allowed to connect.  On some Windows XP machines users get "The connection has been terminated because an unexpected server authentication certificate was received from the remote computer."

    I have tested both from computers on the domain and off the domain, and from inside the network and outside the network with similar random results.  The users who will be eventually using the RDS server will be outside the network on non-domain machines so deploying certs or CRLs to each of them is not an option.

    I read in another thread that I should export the cert to a .CER file, copy it to a PC and run certutil -f -verify -urlfetch against the file; below is the output from this command.  Note it is the same on both a PC that can and a PC that cannot connect to the RDS server.  I suspect the output is "normal" given that the .CER file will not contain the intermediate certs, whereas when a PC connects to the RDS server it should be handing the connecting PC the whole chain.  Note that I tried browsing to the CDP and was able to download the CRL no problem; when I browsed to the OCSP I was able to download a file, though it seemed to just contain a few characters (I guess this is normal).

    Issuer:
        CN=Thawte DV SSL CA
        OU=Domain Validated SSL
        O=Thawte, Inc.
        C=US
    Subject:
        CN=rds.mydomain.tld
        OU=Domain Validated
        OU=Thawte SSL123 certificate
        OU=Go to https://www.thawte.com/repository/index.html
        O=rds.mydomain.tld
    Cert Serial Number: 542f62f602b33310c79de678d8be9bfe
    
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
    
    CertContext[0][0]: dwInfoStatus=4 dwErrorStatus=1000040
      Issuer: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
      NotBefore: 23/03/2012 01:00
      NotAfter: 24/03/2015 00:59
      Subject: CN=rds.mydomain.tld, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=rds.mydomain.tld
      Serial: 542f62f602b33310c79de678d8be9bfe
      7d 84 19 b4 63 c7 40 06 67 b8 7c 01 ea 47 d3 8f 6b 2d 39 db
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      OK "Base CRL (05cb)" Time: 1
        [0.0] http://svr-dv-crl.thawte.com/ThawteDV.crl
    
      ----------------  Certificate OCSP  ----------------
      Unsuccessful "OCSP" Time: 0
        [0.0] http://ocsp.thawte.com
    
      --------------------------------
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    
    Exclude leaf cert:
      da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
    Full chain:
      7d 84 19 b4 63 c7 40 06 67 b8 7c 01 ea 47 d3 8f 6b 2d 39 db
    Missing Issuer: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
      Issuer: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
      NotBefore: 23/03/2012 01:00
      NotAfter: 24/03/2015 00:59
      Subject: CN=rds.mydomain.tld, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=rds.mydomain.tld
      Serial: 542f62f602b33310c79de678d8be9bfe
      7d 84 19 b4 63 c7 40 06 67 b8 7c 01 ea 47 d3 8f 6b 2d 39 db
    A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
    ------------------------------------
    Incomplete certificate chain
    Cannot find certificate:
        CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
    Cert is an End Entity certificate
    
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    
    CertUtil: -verify command completed successfully.

    Below is the output of the same certutil command against the same .CER file from the RDS server itself -

    Issuer:
        CN=Thawte DV SSL CA
        OU=Domain Validated SSL
        O=Thawte, Inc.
        C=US
    Subject:
        CN=rds.mydomain.tld
        OU=Domain Validated
        OU=Thawte SSL123 certificate
        OU=Go to https://www.thawte.com/repository/index.html
        O=rds.mydomain.tld
    Cert Serial Number: 542f62f602b33310c79de678d8be9bfe
    
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    
    CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
      Issuer: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
      NotBefore: 23/03/2012 01:00
      NotAfter: 24/03/2015 00:59
      Subject: CN=rds.mydomain.tld, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=rds.mydomain.tld
      Serial: 542f62f602b33310c79de678d8be9bfe
      7d 84 19 b4 63 c7 40 06 67 b8 7c 01 ea 47 d3 8f 6b 2d 39 db
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (05cc)" Time: 6
        [0.0] http://svr-dv-crl.thawte.com/ThawteDV.crl
    
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Verified "OCSP" Time: 4
        [0.0] http://ocsp.thawte.com
    
      --------------------------------
        CRL (null):
        Issuer: CN=Thawte DV SSL OCSP Responder, O="Thawte, Inc.", C=US
        74 d7 94 14 9e 5d 70 88 bb 36 4e 69 8e da b7 20 3e 9e 44 a9
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      NotBefore: 18/02/2010 01:00
      NotAfter: 18/02/2020 00:59
      Subject: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
      Serial: 7610128a17b682bb3a1f9d1a9a35c092
      SubjectAltName: Directory Address:CN=VeriSignMPKI-2-11
      3c a9 58 f3 e7 d6 83 7e 1c 1a cf 8b 0f 6a 2e 6d 48 7d 67 62
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL" Time: 4
        [0.0] http://crl.thawte.com/ThawtePCA.crl
    
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Verified "OCSP" Time: 4
        [0.0] http://ocsp.thawte.com
    
      --------------------------------
        CRL (null):
        Issuer: CN=thawte Primary Root OCSP Responder, O="thawte, Inc.", C=US
        50 24 98 8d d6 ab db e5 77 2b 40 3f 89 d5 eb d9 f9 c5 6c f9
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
      Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    
    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      NotBefore: 17/11/2006 01:00
      NotAfter: 17/07/2036 00:59
      Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
      Serial: 344ed55720d5edec49f42fce37db2b6d
      91 c6 d6 ee 3e 8a c8 63 84 e5 48 c2 99 29 5c 75 6c 81 7b 81
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
      Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    
    Exclude leaf cert:
      7d ff 3c 13 7a 2e 83 00 81 ae 1e c6 bf cc b1 25 1c e8 30 4c
    Full chain:
      8f 82 94 3b e4 8d db 06 9d 9a e4 d8 8a 5d b1 a1 e1 a4 fd 41
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
        1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    


    Any help would be much appreciated!

    Tuesday, May 22, 2012 11:46 AM

All replies

  • Hi guys,

    Just done some further checking from a PC that is giving the revocation error.  When the error comes up and I click the "View Certificate" button and go into "Certification Path" I only see the server cert with an exclamation mark on it; the intermediate and root certs are not showing.  Clicking on the cert shows "The issuer of this certificate could not be found.".  If I then install the Thawte DV SSL intermediate cert on the PC it connects fine.  However, the PCs that can connect fine definitely do not have this Thawte DV SSL cert installed, so it's as though the RDS server is only sending the intermediate cert chain to certain PCs. Is this possible?

    Interestingly, if I install the intermediate cert into the "My User Account" cert store I then see a proper chain when I view the certification path of the cert; however, RDP still will not connect and gives the revocation error.  However, if I install the intermediate cert in the "Computer" cert store then the cert path appears correctly AND the revocation error goes away.  Very odd.

    Any help would be much appreciated!


    Thursday, May 24, 2012 8:42 AM
  • Hi,

    I suggest you ask in the security forum for the certificate issue: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


    Thanks


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Thursday, May 24, 2012 9:30 AM
    Moderator
  • Have you installed this update for XP?  This also works on WES 2009.

    http://www.microsoft.com/en-us/download/details.aspx?id=29434

    Fixed certificate related issues for me.

    Are these Windows 7 Home Edition PCs people's home computers?  If they are, they really should get into the practice of going to Windows Update every month.

    If anything install the following update on these other troublesome computers.

    http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

    Don't know if these are the same file or not. In Vista and Windows 7 they're supposed to quietly fetch their root certificate updates.  In XP in Windows Update, it's listed as an optional update.
    • Edited by VgerNYC Thursday, May 24, 2012 3:15 PM
    Thursday, May 24, 2012 3:04 PM
  • Thanks guys, I've cross posted this.  VgerNYC I will get the updates applied to the machines and see what happens.  However I checked the Windows 7 Home PC and it did have the correct root cert installed.  The intermediate cert was missing, but this is normal and it is missing from all computers I've looked at.  Installing the intermediate cert gets the Windows 7 machine connecting, but as I say this shouldn't be needed and is not feasible in the use-case of this RDS server.

    Any more thoughts greatly appreciated!

    Thursday, May 24, 2012 5:37 PM
  • Hi guys,

    Just to let you know I cross posted this to http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/93c46c09-d674-41e7-96dc-484e2be595e6/ and fairly quickly got pointed to http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=40 which although discussing SSTP is also relevant to RDP connections apparently!  So the short answer is that although IIS can send the full chain of certs to a client, RDP/SSTP will only send the leaf (server) cert and no intermediate certs and hence you see these problems.  A rather inconvenient deficiency in RDS!

    Thursday, May 24, 2012 6:55 PM
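To make the conclusion of the thread concrete, here is an added example (not Microsoft code, not CryptoAPI, and not from any poster) that models how a client builds the chain for a server that sends only its leaf certificate. The certificate objects are constructed stand-ins whose names mirror the Subject/Issuer strings in the certutil traces above; the flag values come from the traces except CERT_TRUST_IS_UNTRUSTED_ROOT, which is the CryptoAPI value. The network stand-ins assume what the poster reported: CRLs download fine, and the leaf has no AIA URL from which the intermediate could be fetched.

```python
"""Model of chain building and revocation checking for an RDP server that
sends only its leaf certificate (added example, not Microsoft code)."""
from dataclasses import dataclass

# Status bits named after the CryptoAPI flags in the certutil trace.
CERT_TRUST_IS_UNTRUSTED_ROOT = 0x20           # not in the trace; CryptoAPI value
CERT_TRUST_REVOCATION_STATUS_UNKNOWN = 0x40
CERT_TRUST_IS_PARTIAL_CHAIN = 0x10000
CERT_TRUST_IS_OFFLINE_REVOCATION = 0x1000000


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia_urls: tuple = ()   # AIA "CA Issuers" URLs; empty for the leaf in the thread
    cdp_urls: tuple = ()   # CRL distribution points

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _find(subject, certs):
    return next((c for c in certs if c.subject == subject), None)


def build_chain(leaf, sent_chain, local_store, aia_fetch):
    """Walk from the leaf towards a self-signed root.  Each issuer is looked up
    in the certificates the server sent, then the client's local store, then
    by AIA download.  Returns (chain, status)."""
    chain, status, seen = [leaf], 0, {leaf.subject}
    while not chain[-1].self_signed:
        current = chain[-1]
        issuer = (_find(current.issuer, sent_chain)
                  or _find(current.issuer, local_store)
                  or _find(current.issuer, aia_fetch(current.aia_urls)))
        if issuer is None or issuer.subject in seen:
            return chain, status | CERT_TRUST_IS_PARTIAL_CHAIN
        seen.add(issuer.subject)
        chain.append(issuer)
    return chain, status


def validate(leaf, sent_chain, local_store, trusted_roots, aia_fetch, crl_fetch):
    chain, status = build_chain(leaf, sent_chain, local_store, aia_fetch)
    if chain[-1].self_signed and chain[-1].subject not in trusted_roots:
        status |= CERT_TRUST_IS_UNTRUSTED_ROOT
    # A CRL is only usable once the issuer's certificate (and so its key) is in
    # hand to verify the CRL signature.  With a partial chain the leaf's issuer is
    # missing, so the status stays unknown even though the CRL itself downloads,
    # which is what the trace shows: "CDP OK" next to IS_OFFLINE_REVOCATION.
    for cert in chain:
        if cert.self_signed:
            continue  # trust anchors are not revocation-checked
        issuer_present = _find(cert.issuer, chain) is not None
        if not issuer_present or crl_fetch(cert.cdp_urls) is None:
            status |= (CERT_TRUST_REVOCATION_STATUS_UNKNOWN
                       | CERT_TRUST_IS_OFFLINE_REVOCATION)
    return chain, status


# Constructed certificates; names mirror the Subject/Issuer strings in the trace.
ROOT = Cert("CN=thawte Primary Root CA", "CN=thawte Primary Root CA")
INTERMEDIATE = Cert("CN=Thawte DV SSL CA", "CN=thawte Primary Root CA",
                    cdp_urls=("http://crl.thawte.com/ThawtePCA.crl",))
LEAF = Cert("CN=rds.mydomain.tld", "CN=Thawte DV SSL CA",
            aia_urls=(),   # "No URLs" in the trace: the issuer cannot be downloaded
            cdp_urls=("http://svr-dv-crl.thawte.com/ThawteDV.crl",))
TRUSTED_ROOTS = {ROOT.subject}


def no_aia_fetch(urls):          # constructed: nothing to fetch, as in the trace
    return []


def crl_reachable(urls):         # constructed: every CRL in the thread downloaded fine
    return b"crl-bytes" if urls else None


def scenarios():
    """Three client situations from the thread, keyed by name -> (chain, status)."""
    cases = {
        # PC that works: the intermediate is already cached in the computer store.
        "pc_with_cached_intermediate": ([LEAF], [ROOT, INTERMEDIATE]),
        # Windows 7 Home PC: root present, no intermediate, server sends only the leaf.
        "pc_with_root_only": ([LEAF], [ROOT]),
        # IIS-style behaviour for comparison: the server also sends the intermediate.
        "server_sends_full_chain": ([LEAF, INTERMEDIATE], [ROOT]),
    }
    return {name: validate(LEAF, sent, store, TRUSTED_ROOTS, no_aia_fetch, crl_reachable)
            for name, (sent, store) in cases.items()}


def describe(status):
    names = {CERT_TRUST_IS_UNTRUSTED_ROOT: "UNTRUSTED_ROOT",
             CERT_TRUST_REVOCATION_STATUS_UNKNOWN: "REVOCATION_STATUS_UNKNOWN",
             CERT_TRUST_IS_PARTIAL_CHAIN: "PARTIAL_CHAIN",
             CERT_TRUST_IS_OFFLINE_REVOCATION: "OFFLINE_REVOCATION"}
    return [n for bit, n in names.items() if status & bit] or ["OK"]


if __name__ == "__main__":
    for name, (chain, status) in scenarios().items():
        print(f"{name}: {len(chain)} cert(s) in chain, {describe(status)}")
```

The "pc_with_root_only" case reproduces the trace from the failing PC exactly: a one-element chain with PARTIAL_CHAIN, REVOCATION_STATUS_UNKNOWN and OFFLINE_REVOCATION set (0x1010040 combined), while a cached intermediate or a server that sends its intermediate both yield a clean three-certificate chain.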