Disable CRL Check for Exchange Servers Without Internet Access

  • Question

  • Greetings:

    Our Exchange 2010 SP2 Mailbox servers have no Internet access. We have noticed outbound hits on our firewall from the mailbox servers attempting to access crl.microsoft.com. The requests are happening every few seconds and are being denied by the firewall.

    I reviewed this TechNet blog post titled "Configuring Exchange Servers Without Internet Access" (http://blogs.technet.com/b/exchange/archive/2010/05/14/3409948.aspx). The post says that the CRL checking can be disabled in a secure environment (where the internet access is turned off or is tightly controlled); however, the step details only talk about tuning the checks, not disabling them.

    Does anyone have any suggestions for disabling the CRL check and, in turn, the excessive denies on our firewall?

    Thanks,

    Reid

    Monday, February 4, 2013 9:01 PM

Answers

  • I was able to disable the CRL check for the mailbox servers by "unchecking" the IE option to "Check for publisher’s certificate revocation" for the Local System and Network Service accounts by modifying the key in the registry.

    The HKEY_USERS hive has some standard SIDs for built in accounts which are documented here: http://support.microsoft.com/kb/243330

    • SID: S-1-5-18
      Name: Local System
      Description: A service account that is used by the operating system.

    • SID: S-1-5-19
      Name: NT Authority
      Description: Local Service

    • SID: S-1-5-20
      Name: NT Authority
      Description: Network Service
     
    The keys that contain the DWORD "State" which was changed are located here:
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    Original Value (Enables CRL Checking): "State"=dword:00023c00
    New Value (Disables CRL Checking):  "State"=dword:00023e00

    We decided to go this route instead of the localhost option because it seemed to eliminate the process instead of directing the load onto IIS. Had we redirected these requests locally, IIS would be responding to these requests and working harder than it should.

    Thanks for your help.


    • Edited by Reid_G Wednesday, February 6, 2013 9:46 PM
    • Marked as answer by Reid_G Thursday, February 7, 2013 2:31 PM
    Wednesday, February 6, 2013 9:45 PM
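As an added example (not Reid's own script or anything from the thread), the PowerShell below audits the "State" DWORD under the three HKEY_USERS hives listed above and, on request, flips only the single bit that differs between the two values given (0x23c00 XOR 0x23e00 = 0x200, which wintrust.h names WTPF_IGNOREREVOKATION) rather than overwriting the whole DWORD, so any other flags already present survive. The function names are mine; the key paths, SIDs and values are the thread's. It must run in an elevated session, because HKEY_USERS\S-1-5-18 is only writable as an administrator.

```powershell
# Added example, not from the original post: audit/toggle the WinTrust
# "Software Publishing" revocation flag for the three service-account hives.
$Sids = @{
    'S-1-5-18' = 'Local System'
    'S-1-5-19' = 'Local Service'
    'S-1-5-20' = 'Network Service'
}
$SubKey   = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$Original = 0x23c00   # value from the thread: CRL checking enabled
$Disabled = 0x23e00   # value from the thread: CRL checking disabled
# The two values differ in exactly one bit (0x200); wintrust.h calls it WTPF_IGNOREREVOKATION.
$RevocationBit = $Original -bxor $Disabled

function Get-PublisherRevocationState {
    foreach ($sid in $Sids.Keys) {
        $path  = "Registry::HKEY_USERS\$sid\$SubKey"
        $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $state)                   { $shown = '(not set)'; $crl = 'default (enabled)' }
        elseif ($state -band $RevocationBit)    { $shown = '0x{0:x8}' -f $state; $crl = 'disabled' }
        else                                    { $shown = '0x{0:x8}' -f $state; $crl = 'enabled' }
        [pscustomobject]@{ Account = $Sids[$sid]; Sid = $sid; State = $shown; CrlCheck = $crl }
    }
}

function Set-PublisherRevocationCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)   # -Disable sets the bit; omit it to restore checking
    foreach ($sid in $Sids.Keys) {
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $current) { $current = $Original }   # absent value behaves as the default
        # Touch only the revocation bit so other WinTrust flags are preserved.
        $new = if ($Disable) { $current -bor $RevocationBit } else { $current -band (-bnot $RevocationBit) }
        $what = 'Set State 0x{0:x8} -> 0x{1:x8}' -f $current, $new
        if ($PSCmdlet.ShouldProcess("HKU\$sid ($($Sids[$sid]))", $what)) {
            Set-ItemProperty -Path $path -Name State -Value $new -Type DWord
        }
    }
}

Get-PublisherRevocationState | Format-Table -AutoSize
# Preview first, then drop -WhatIf to apply and re-run the audit to confirm:
# Set-PublisherRevocationCheck -Disable -WhatIf
```

The flag is read by every WinTrust publisher check those three accounts perform, not only by the Exchange processes named in the thread, so keep the audit output as a record of which servers carry the change.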

All replies

  • I wonder if the IE config in this article will help you completely turn it off? Can you untick and then monitor the firewall for any requests? http://technet.microsoft.com/en-us/library/ee221147.aspx

    Sukh

    • Proposed as answer by ShawnPederson Thursday, January 9, 2014 4:09 PM
    Monday, February 4, 2013 9:24 PM
  • Hi

    You can add an entry to the hosts file on each server pointing crl.microsoft.com to 127.0.0.1.

    Cheers, Steve

    • Proposed as answer by Zi Feng Tuesday, February 5, 2013 8:20 AM
    Monday, February 4, 2013 9:25 PM
  • Thanks for the suggestion. I've used that option when installing Exchange Rollup packages. Unfortunately, that is a per user setting in IE. If I change it when I am logged in, it does not translate to Local System or Network Service that is running the Exchange accounts.
    Monday, February 4, 2013 10:22 PM
  • What about Steve's option? Also, do you know what is triggering the CRL check?

    Sukh

    Monday, February 4, 2013 10:30 PM
  • Steve's option looks viable but more of a workaround; however, we may have to accept that.

    Microsoft's Network Monitor shows the requests coming from MsFTEFD.exe and E14CmdletsWrapper.exe. MsFTEFD.exe appears to be an indexing process, and I'm not exactly sure about E14CmdletsWrapper.exe.

    Thanks for your help.

    Reid

    Monday, February 4, 2013 10:43 PM
  • Hi Reid

    Thanks for the reply. Please mark Steve's post as the answer and finish this thread.

    cheers


    Zi Feng
    TechNet Community Support

    Tuesday, February 5, 2013 8:20 AM
  • If you search through TechNet this is listed as a "fix" rather than a workaround :)

    If you have multiple servers and the hosts files don't have anything else in them, then this can be deployed/removed as a GPO preference, providing a bit of centralised management.

    Cheers, Steve

    Tuesday, February 5, 2013 8:26 AM