Mutual TLS (Domain Secure Enabled) fails with Event 11020 "Revocation Offline"

  • Question

  • I have two separate domains, each with their own Exchange 2010 server and Enterprise CA running on Server 2008 R2.  There is no domain trust, and e-mail is routed with MX records.  I am unable to get e-mail to flow in either direction when I enable Mutual TLS, but it works fine with Mutual Auth disabled.

    The Event log shows MSExchangeTransport Error 11020 on both Exchange servers: "A secure connection to domain-secured domain * on connector * could not be established because the validation of the Transport Layer Security (TLS) certificate for * failed with status 'RevocationOffline..."

    I've verified that:

    • Receive Connectors have DomainSecureEnabled set to True
    • Send Connectors have DomainSecureEnabled set to True
    • Transport Configs have the remote domain in the TLSSendDomainSecureEnabled and Receive lists
    • Certificate is valid for server and client authentication (actually valid for Any Purpose)
    • Certificate is bound for IIS and SMTP
    • Remote CA is in Local Computer Store, (I can navigate to the IIS page with https and it's trusted)
    • CDP and AIA extensions in the certificates have the correct link to the CRL.  (I've tried certs with LDAP, LDAP and HTTP, and only HTTP)
    • CRL is accessible if I manually go to the link from the Certificate in IE.
    • DNS resolution is successful.
    • Certificates were created outside of exchange and imported.   I need to be able to export the private key, so I created a new template.

    Taking traces with Wireshark, what I see is Mutual Auth requested, the Exchange Servers exchange certificates, but then immediately close the connection.  There is no attempt to download the CRL.  Occasionally, I'll see a little bit of LDAP traffic, not sure if it's trying to access the CRL that way, but I've tried with only HTTP CDP and AIA extensions - still says Revocation Offline without trying to download the CRL.

    I've tried manually installing the remote CRL, and it shows up in the store when I run "Certutil -verifystore CA".

    Also, I've set up the same lab setup with 2003 Servers and Exchange 2007, and it worked fine.  This is a lab setup for testing, and testing Mutual TLS is a requirement.

    Any ideas?

    Thursday, September 1, 2011 3:07 PM
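The checklist above can be audited read-only from the Exchange 2010 Management Shell. The script below is an added example, not code from the original thread or from Microsoft; it uses only the standard Exchange 2010 cmdlets (Get-SendConnector, Get-ReceiveConnector, Get-TransportConfig, Get-ExchangeCertificate) and assumes it runs on each hub transport server. `$RemoteDomain` is a placeholder for the other organisation's SMTP domain.

```powershell
# Added example, not from the original thread: read-only audit of the Domain
# Security prerequisites listed in the question, run in the Exchange 2010
# Management Shell on each hub transport server.
# $RemoteDomain is a placeholder for the other organisation's SMTP domain.
$RemoteDomain = 'partner.example'

# 1. Connectors. The Send connector for the remote address space needs
#    DomainSecureEnabled and RequireTLS; the Receive connector that accepts the
#    remote server's mail needs DomainSecureEnabled and Tls in AuthMechanism.
Write-Host "== Send connectors =="
Get-SendConnector |
    Select-Object Name, DomainSecureEnabled, RequireTLS, Fqdn,
        @{n='AddressSpaces'; e={ $_.AddressSpaces -join ';' }} |
    Format-Table -AutoSize

Write-Host "== Receive connectors =="
Get-ReceiveConnector |
    Select-Object Name, DomainSecureEnabled, AuthMechanism, Fqdn |
    Format-Table -AutoSize

# 2. Transport config. Both lists hold SmtpDomain objects, so compare on the
#    string form rather than using -contains directly on the objects.
$tc = Get-TransportConfig
$inSend = @($tc.TLSSendDomainSecureList    | ForEach-Object { $_.ToString() }) -contains $RemoteDomain
$inRecv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() }) -contains $RemoteDomain
Write-Host ("TLSSendDomainSecureList    contains {0}: {1}" -f $RemoteDomain, $inSend)
Write-Host ("TLSReceiveDomainSecureList contains {0}: {1}" -f $RemoteDomain, $inRecv)

# 3. Certificate. The SMTP-enabled certificate's subject/SAN must cover the FQDN
#    the connector advertises, and a self-signed certificate will not work for
#    Domain Security because the remote side must be able to build its chain.
Write-Host "== SMTP-enabled certificates =="
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned,
        @{n='Domains'; e={ $_.CertificateDomains -join ',' }} |
    Format-Table -AutoSize
```

Run it on both sides and compare: the remote domain must appear in the send list on the sending server and in the receive list on the receiving server, and the FQDN the connectors advertise must be one of the names in the SMTP certificate's Domains column.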

Answers

  • FOLLOW UP:

    I've fixed the issue.  The Certificate "Revocation Offline" was a misleading error message it seems.

    I had removed all LDAP CRL and AIA distribution points from the certificates and left only HTTP ones, but I was still seeing no HTTP traffic.  Occasionally, I'd see some LDAP traffic and couldn't figure out why.  I ended up adding a Two-way Forest Domain Trust, then that LDAP traffic started succeeding.  The client Exchange Server then fetched a Kerberos Ticket from the other Exchange Server, and then ran some more LDAP traffic.  After that, THEN the client Exchange Server fetched the CRL via HTTP as expected.

    Every connection, the Exchange servers are getting Kerberos tickets.  It appears to use Kerberos somewhere in the SMTP traffic auth, but the new Wireshark isn't playing nice with Decrypting my SSL traffic, so I can't confirm that.

    This did not happen in Exchange 2007.  I don't know why the behavior is different, a domain trust was not required in my Exchange 2007 setup.  I haven't had time to investigate anything with the SMTP auth.

    TL;DR:  Added a Forest Domain Trust and all is well.

    • Marked as answer by LeeSouza Thursday, September 8, 2011 2:07 AM
    Thursday, September 8, 2011 2:07 AM

All replies

  • Hello,

    please check via "pkiview.msc" if there are any errors on your CA with your CRLs.

    Greetings,

    Toni

    Friday, September 2, 2011 6:26 AM
  • I'm working with 'LeeSouza' on this.

    I checked the certs and CRLs with 'pkiview.msc' and there are no errors.

    Other ideas?

    Friday, September 2, 2011 7:49 PM
  • Hi,

    This error will be generated when the Exchange 2007 Transport Server is unable to contact the Certificate Authority of the other org.

    Ensure the Exchange 2007 Transport Server can connect to the Internet on port 80. If you have a proxy server, use Proxycfg.exe to configure the proxy server.

    Also try to browse the HTTP URL given in "CRL Distribution Points" of the chain certificate from the Exchange server.

    We can also use Certutil.exe to test: "Certutil -verify c:\CertificateName.cer", where certificateName.cer is the chain certificate, which you can dump as a .cer file.


    • Edited by Gen Lin Monday, September 5, 2011 3:45 AM
    Monday, September 5, 2011 3:44 AM
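The point about proxycfg.exe matters more than it looks: Internet Explorer fetches through WinINet with the logged-on user's proxy settings, while the CryptoAPI revocation check run by a service such as the transport service goes through WinHTTP, whose proxy is set with proxycfg.exe on Server 2008 R2. So a CRL that opens fine in IE can still be unreachable to Exchange. The script below is an added example (not from this thread or from Microsoft) that fetches every HTTP CDP and AIA URL in a certificate through WinHTTP, the same stack CryptoAPI uses, and then lets certutil do the full chain build with retrieval. It assumes the remote server's certificate has already been saved to the placeholder path `$CertPath`.

```powershell
# Added example, not from the original thread: test CRL/AIA reachability from
# the Exchange server the way CryptoAPI does it (WinHTTP), not through IE.
# Assumption: the remote Exchange server's certificate was exported to $CertPath
# (placeholder path).
$CertPath = 'C:\temp\remote-exchange.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# CDP is OID 2.5.29.31 and AIA is 1.3.6.1.5.5.7.1. Windows renders both with
# "URL=..." lines when the extension is formatted, so a regex pulls them out.
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
}

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP distribution points need directory access to the other forest,
        # which is exactly what an untrusted domain does not have.
        Write-Host ("{0,-6}{1}  (not HTTP, skipped)" -f 'SKIP', $url)
        continue
    }
    # WinHttp.WinHttpRequest.5.1 honours the machine-wide proxy set by proxycfg.exe.
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    try {
        $req.Open('GET', $url, $false)
        $req.Send()
        Write-Host ("{0,-6}{1}  HTTP {2}, {3} bytes" -f 'OK', $url, $req.Status, $req.ResponseBody.Length)
    } catch {
        Write-Host ("{0,-6}{1}  {2}" -f 'FAIL', $url, $_.Exception.Message)
    }
}

# Now let CryptoAPI build the chain and fetch the CRLs itself. The output lists
# each URL it retrieved and ends with whether revocation status was determined;
# "Revocation Offline" means it could not get a CRL, not that the cert is revoked.
& certutil.exe -verify -urlfetch $CertPath
```

If every HTTP URL reports OK here but certutil still ends with a revocation-offline status, the problem is not network reachability of the CRL; that is the situation the original poster describes, where the chain building was stalling on the LDAP/Kerberos side before any HTTP fetch was attempted.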