Strange case of known error: 'An unknown error occurred while processing the certificate' in UAG that is only related to CRL distribution point (CDP)

  • Hello All,

    I want to share with you all a strange behavior of UAG, at least strange to me.

    Issue: There is a backend Exchange server that has a valid Verisign certificate. We want to publish OWA 2007 on the UAG Portal. The UAG machine cannot reach the internet. We are getting 'An unknown error occurred while processing the certificate' when accessing OWA on the client machine.

    We have verified that the Verisign certificate is valid on the backend Exchange Server, and on UAG the Trusted Root Authority and Intermediate Authority stores have a valid Verisign root certificate. When accessing OWA from UAG's browser, we do not get any kind of certificate error. So I believe the only thing remaining is CRL checking from the CDP.

    In this case we all know that if we disable the registry settings ValidateRwsCert and ValidateRwsCertCRL (set them to 0) in HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL we can easily eliminate this error. For more information please read http://blogs.technet.com/b/edgeaccessblog/archive/2010/03/31/an-unknown-error-occurred-while-processing-the-certificate.aspx. But we could not simply disable the CRL check, nor enable internet access on UAG. So I opted to check in my test lab.

    Test lab scenario.

    In my test lab I did the following.

    1) I moved the .crl file (location C:\) from the Enterprise Root CA to another machine and published it under IIS.

    2) I created a fresh URL (http) CRL Distribution Point (CDP) that points to the new machine where I put the .crl file.

    3) Restarted the CA services and issued a fresh certificate for OWA that only includes the new URL path for the CRL. I can see the changes have taken place in the certificate.

    4) Checked from a browser (not on UAG) by entering the entire CDP URL path, and I can download the Certificate Revocation List in the browser. This means all is well.

    Now trouble begins...

    1) I turned off the machine where I put the CRL so no one in the network, including UAG, can reach the CDP.

    2) I published OWA in UAG and I got the error 'An unknown error occurred while processing the certificate' on the client machine, which was expected. So far the behavior looks pretty normal.

    3) I turned on the machine where I published the CRL so everyone in the network, including UAG, can reach that machine and access the CRL. I checked from UAG's browser and I saw the CRL file in the browser.

    4) I again turned off the CDP machine so no one, including UAG, can reach it. In the browser, if we put in the CRL URL, we get 'Page cannot be displayed'. This means the CRL point is not reachable.

    5) But to my surprise, I am not getting 'An unknown error occurred while processing the certificate' on the client machine any more when I access OWA. I restarted the client machine, deleted cookies in the browser, restarted UAG, activated UAG. I even tried from Firefox and the result was the same.

    Practically, UAG is not able to reach the CRL Distribution Point, nor can UAG's browser download the .CRL file this time, but still I am able to access OWA without any certificate error. I tested on UAG RTM and on UAG with SP1. The result was the same. I even created a new trunk and published OWA 2007, but here too I did not receive any error and OWA worked like a charm.

    Point to be noticed: Initially UAG could not reach the CDP and threw the certificate error. But as soon as I had opened the Certificate Revocation List URL in UAG's browser, this error message disappeared completely.

    I need your help to understand what's going on behind the scenes. How come the certificate error has gone with the wind even though UAG is not able to reach the CRL point?

    Thank you all in advance.

    Ashu


    Thursday, March 31, 2011 6:57 PM
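The behaviour described above is what CryptoAPI's URL cache produces: once a CRL has been downloaded it is reused until the CRL's NextUpdate time, so the CDP only has to be reachable at the moment the cache is empty. The following PowerShell script is an added example, not something from the poster or from the UAG product; it reads the CDP URLs out of an exported server certificate (the C:\temp\owa-server.cer path is a placeholder), tests each URL, and uses certutil to show the cached CRLs and to run a chain build with live fetch. It assumes Windows PowerShell 2.0 or later and certutil.exe, both present on the Windows Server release UAG runs on.

```powershell
# Added example (not from the thread): inspect why a CRL check passes or fails on a UAG host.
# Assumes: a certificate file exported from the published OWA server (placeholder path below),
# Windows PowerShell 2.0+ and certutil.exe.
param(
    [string]$CertPath = 'C:\temp\owa-server.cer'   # placeholder path; export the server cert here
)

# Pull the URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the ASN.1 as text; each distribution point shows up as "URL=http://..."
    # (LDAP URLs containing spaces would be cut short here; only HTTP CDPs matter for this thread).
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Plain HTTP reachability test. .NET uses the WinINET (Internet Options) proxy by default,
# whereas CryptoAPI downloads CRLs through WinHTTP, so this only proves the CDP answers;
# "certutil -verify -urlfetch" below exercises the path CryptoAPI really takes.
function Test-CdpUrl {
    param([string]$Url)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = 'GET'
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $ok = ($resp.StatusCode -eq [System.Net.HttpStatusCode]::OK)
        $resp.Close()
        return $ok
    } catch {
        return $false
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

$urls = @(Get-CdpUrl -Cert $cert)
if ($urls.Count -eq 0) { Write-Host 'No CDP extension: Windows has no URL to fetch a CRL from.' }
foreach ($u in $urls) {
    $state = if (Test-CdpUrl -Url $u) { 'reachable' } else { 'NOT reachable' }
    Write-Host "CDP $u : $state"
}

# CryptoAPI keeps every CRL it has fetched in its URL cache and reuses it until the CRL's
# NextUpdate time, so a CDP that is down now does no harm if the CRL was fetched while it was up.
# certutil lists the cache of the account it is run as.
Write-Host "`n--- CRLs currently in the CryptoAPI URL cache ---"
certutil -urlcache crl

# Chain build with live fetch of CRLs/AIA, using the WinHTTP proxy configuration.
Write-Host "`n--- certutil -verify -urlfetch ---"
certutil -verify -urlfetch $CertPath | Select-String -Pattern 'CRL', 'Revocation', 'ERROR', 'Verified'

# To repeat the test with an empty cache (to confirm that revocation checking really is
# enforced rather than satisfied from a stale copy), clear the cached CRLs and verify again:
#   certutil -urlcache crl delete
```

The lab result in the post matches this sequence: the CRL downloaded through UAG's browser landed in the cache, and every later chain build found it there without touching the CDP. The certutil cache listing is therefore the first thing to check whenever a revocation error appears or disappears without any visible configuration change.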

All replies

  • Hi Ashu


    I'm having the exact same problem !

    The back-end Exchange CAS server has an Entrust cert issued by an external vendor (normal stuff).

    UAG and client machine both have cert chain installed correctly.

    UAG has full IP access to the internal CA server plus internet access via proxy. UAG can download the CRL from the CDP.

    I've tried the following registry changes as well:

    Disabling the registry settings ValidateRwsCert and ValidateRwsCertCRL (set to 0) in HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL

    and

    disabling CRL checking with this: set the StrongCRL value in the registry. Under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey with a DWORD entry StrongCRLCheck, and assign it a value of 0.

    plus checking the cert store

    http://support.microsoft.com/kb/822406

    Still nothing is resolving this issue.

    FYI:

    -------------------------------------------------------------------------------------------------------

    The portal config is as follows (we are publishing OWA 2007):

    *********************************

    Web servers tab under application settings for Outlook Web Access:

    address = mobile.mydomain.com (have also tried host names and just the IP address; the full FQDN seems to be less problematic. We even used the same cert on the Exchange CAS server as the portal cert (it does contain a subject alternative name for mobile.mydomain.com) but this didn't help)

    Public host name = portal.mydomain.com

    **********************************

    Portal link tab under application settings for Outlook Web Access:

    Application URL: https://portal.mydoaminl.com/owa/

    -------------------------------------------------------------------------------------------------------

    Going to give this a try now:

    http://support.microsoft.com/kb/2501777


    Wednesday, April 20, 2011 5:50 AM
  • :) It's a good day!!!

    Turns out it had nothing to do with our internal CA. So normal logic is still relevant :)

    We had to set UAG to bypass the proxy server it was using for internet access when querying the Entrust CDP for the CRL.

    Ran this command on both servers in the array:

    netsh winhttp set proxy %proxy-ip%:%proxy-port% "<local>;*.mydomain-to-bypass.com"



    • Edited by Riddler-man Friday, April 22, 2011 5:19 PM
    • Proposed as answer by Riddler-man Friday, April 22, 2011 5:21 PM
    Thursday, April 21, 2011 8:49 AM
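The fix above works because CryptoAPI fetches CRLs through WinHTTP, whose proxy and bypass list are set with netsh winhttp and are independent of the Internet Options proxy a browser uses. The script below is an added example, not the poster's command or part of UAG: it parses the current WinHTTP proxy configuration, decides whether a given CDP host will be sent direct or through the proxy under WinHTTP's bypass rules, and reads the two ValidateRwsCert switches from the registry path named earlier in the thread so that it is clear revocation checking is still enabled. The CDP host name is a sample value; replace it with the real one from the certificate's CDP extension.

```powershell
# Added example (not from the thread): audit the WinHTTP proxy configuration CryptoAPI uses
# for CRL downloads, and the two UAG registry switches, so that revocation checking is known
# to be on and the CDP host is known to go direct or via the proxy as intended.
# Assumes Windows PowerShell 2.0+ on the UAG host; the host name below is a sample value.
param(
    [string]$CdpHost = 'crl.example-cdp-vendor.com'   # sample value; use the real CDP host
)

# Parse "netsh winhttp show proxy" into proxy server and bypass list.
function Get-WinHttpProxy {
    $out = netsh winhttp show proxy | Out-String
    if ($out -match 'Direct access \(no proxy server\)') {
        return @{ Proxy = $null; Bypass = @() }
    }
    $proxy  = if ($out -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $matches[1] } else { $null }
    $bypass = if ($out -match 'Bypass List\s*:\s*(.+)')        { $matches[1].Trim() } else { '' }
    if ($bypass -eq '(none)') { $bypass = '' }
    $entries = @($bypass -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    return @{ Proxy = $proxy; Bypass = $entries }
}

# WinHTTP bypass rules: "<local>" matches names without a dot, "*.contoso.com" is a suffix
# wildcard, anything else is an exact (case-insensitive) match.
function Test-BypassMatch {
    param([string]$HostName, [string[]]$BypassList)
    foreach ($entry in $BypassList) {
        if ($entry -eq '<local>') {
            if ($HostName -notmatch '\.') { return $true }
        } elseif ($HostName -like $entry) {   # -like handles the "*" wildcard
            return $true
        }
    }
    return $false
}

# Read the UAG SSL filter switches (1 = checking on, 0 = off) from the key named in the thread.
function Get-UagCertCheckSetting {
    $key = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    return @{ ValidateRwsCert = $p.ValidateRwsCert; ValidateRwsCertCRL = $p.ValidateRwsCertCRL }
}

$cfg = Get-WinHttpProxy
if ($cfg.Proxy) {
    Write-Host "WinHTTP proxy : $($cfg.Proxy)"
    Write-Host "Bypass list   : $($cfg.Bypass -join ';')"
    $route = if (Test-BypassMatch -HostName $CdpHost -BypassList $cfg.Bypass) {
        'direct (bypassed)'
    } else {
        "via proxy $($cfg.Proxy)"
    }
} else {
    Write-Host 'WinHTTP proxy : none (direct access)'
    $route = 'direct'
}
Write-Host "CRL fetch for $CdpHost will go $route"

$uag = Get-UagCertCheckSetting
if ($uag -eq $null) {
    Write-Host 'UAG SSL filter key not found (not a UAG host?)'
} else {
    Write-Host "ValidateRwsCert    = $($uag.ValidateRwsCert)"
    Write-Host "ValidateRwsCertCRL = $($uag.ValidateRwsCertCRL)"
    if ($uag.ValidateRwsCertCRL -eq 0) {
        Write-Host 'CRL checking of back-end server certificates is off; a revoked cert would be accepted.'
    }
}

# The thread's fix, shown with placeholders (not executed by this script):
#   netsh winhttp set proxy proxy-server="PROXY-IP:PORT" bypass-list="<local>;*.mydomain-to-bypass.com"
```

Run it once before and once after changing the WinHTTP proxy so the printed route for the CDP host changes as expected; keeping both ValidateRwsCert values at 1 means the error is fixed by giving CryptoAPI a working path to the CRL rather than by switching the check off.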
  • I can't take full credit for this.

    If you are looking for good MS consultants, have a chat to the guys at www.bui.co.za

    BTW: Happy Easter everybody.


    Friday, April 22, 2011 5:18 PM