Some Windows 10 clients do not download the CRL from the internal CA?


MrGiraff

Hi,



First of all - this is not my expertise, so have patience with me please :) Also, if this post should be published in another sub-forum - please advise.

Background:


I have configured a wireless network (EAP-TLS) which requests access via an NPS server. The clients are granted access via an AD security group and a machine certificate, which is published from our internal CA. For the majority of the clients there are no issues, but for some (maybe one in 20 machines) there is an error on the NPS server with event ID 6273.


"Network Policy Server denied access to a user.


.....


Reason: The revocation function was unable to check revocation because the revocation server was offline.

"

What I've looked in to:



From the client I checked the cached CRL with 'certutil -urlcache CRL' - but the http entry I am looking for is missing. I used an ethernet cable to connect to our corporate network and browsed the site from Edge manually - with success. However, when I restarted the machine the entry was still not on the machine. I'm no PKI expert, so perhaps you can enlighten me as to what I am missing?


The http extension is:

http://FQDN/CertEnroll/FakeName Root CA 2016.crl



CRL publishing parameters are 3 days and 12 hours for delta.

Also, there is no LDAP extension - even though there is one on the published machine certificate:

ldap:///CN=FakeName%20Issuing%20CA%202016,CN=hostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=FakeDomain,DC=no?certificateRevocationList?base?objectClass=cRLDistributionPoint.


For http extension:

Checked - 'Include in CRLs. Clients use this to find Delta CRL locations.'

Checked - 'Include in the CDP extension of issued certificates.'

Not checked - 'Include in IDP extension of issued CRLs.'


For LDAP extension:

Checked - 'Publish CRLs to this location.'

Checked - 'Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.'

Checked - 'Include in CRLs. Clients use this to find Delta CRL locations.'

Checked - 'Include in the CDP extension of issued certificates.'

Checked - 'Publish Delta CRLs to this location'.

Not checked - 'Include in IDP extension of issued CRLs.'



Looking forward to your kind guidance,

with regards

ITB
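The post checks the CRL cache by hand and browses the CDP URL in Edge. The PowerShell script below is an added example (not part of the original post or of any Microsoft tooling) that does the same checks from the client side in one pass, so the output can be compared between a working and a failing Windows 10 machine: it locates the machine certificate issued by the internal CA, reads the CDP URLs out of the certificate's own CRL Distribution Points extension, fetches each HTTP CDP directly (escaping the spaces in a CA name such as "FakeName Root CA 2016.crl", which must travel as %20 on the wire), and then asks CryptoAPI to build the chain with an online revocation check, which is the check NPS is reporting on in event 6273. The issuer name `FakeName Issuing CA 2016` is the post's placeholder and is an assumption; replace it with the real issuing CA name.

```powershell
# Added client-side CRL diagnostic (example code, not from the original post).
# Run in an elevated PowerShell prompt on the Windows 10 client that fails EAP-TLS.
# Assumption: the issuing CA's name contains the placeholder below; adjust it.
$IssuerMatch = 'FakeName Issuing CA 2016'

# 1. Find the newest machine certificate issued by the internal CA that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate issued by '$IssuerMatch' found in LocalMachine\My" }
"Machine cert: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# 2. Read the CDP URLs from the certificate's CRL Distribution Points extension (OID 2.5.29.31).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw 'Certificate carries no CDP extension, so clients cannot locate a CRL from it.' }
$cdpText = $cdpExt.Format($true)
$urls = [regex]::Matches($cdpText, '(?i)(http|ldap)://[^\r\n]+') | ForEach-Object { $_.Value.Trim() }
'CDP URLs in the certificate:'
$urls | ForEach-Object { "  $_" }

# 3. Fetch each HTTP CDP directly. Spaces in the CA name are escaped as %20 before the request.
foreach ($u in ($urls | Where-Object { $_ -like 'http*' })) {
    $escaped = [uri]::EscapeUriString($u)
    try {
        $r = Invoke-WebRequest -Uri $escaped -UseBasicParsing -TimeoutSec 10
        "  OK   $escaped  (HTTP $($r.StatusCode), $($r.Content.Length) bytes)"
    } catch {
        "  FAIL $escaped  -> $($_.Exception.Message)"
    }
}

# 4. Let CryptoAPI build the chain with an online (not cache-only) revocation check for the
#    whole chain. A failure here is the client-side view of "revocation server was offline".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$ok = $chain.Build($cert)
"Chain build with online revocation succeeded: $ok"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
foreach ($el in $chain.ChainElements) {
    "  element: $($el.Certificate.Subject)"
    foreach ($s in $el.ChainElementStatus) { "    $($s.Status): $($s.StatusInformation.Trim())" }
}

# 5. Show the CRL URL cache, the same view the post obtained with certutil by hand.
'certutil -urlcache crl:'
certutil -urlcache crl
```

Reading the output: if step 3 succeeds but step 4 reports a revocation status (for example RevocationStatusUnknown or OfflineRevocation), the CRL is reachable over HTTP but CryptoAPI still cannot use it, which points at the CRL contents (validity window against the client clock, or a CDP/IDP mismatch between the certificate and the published CRL) rather than at network reachability; `certutil -verify -urlfetch <exported-cert.cer>` on the same machine gives the per-URL detail. Comparing the step 2 list with the CDP URLs on a working client shows whether the certificates themselves differ.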
