Re: CRL Issues with Win2k3 Cert Svcs




Hi
Check at security.cryto for this problem.
Check if the clients can reach the CDP without being prompted for credentials.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"techadmin" <BT.Techadmin@xxxxxxxxx> wrote in message news:dff455a1-4c8f-486d-a933-f019c9470435@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We use 802.1x authentication for all of our wireless clients. Recently
wireless authentication in our child domain only (not sure if that has
anything to do with the issue) stopped working.

The error message in the Event log on the (IAS) RADIUS server is
Reason-Code = 259
Reason = The revocation function was unable to check revocation
because the revocation server was offline.

The CA can be reached by short-name as well as FQDN even when the
above is logged.

I have inspected the CA which has two root certificates installed.

When I look at the CDPs (CRL Distribution Points) I see the standard
entries:
C:\windows\system32\certenroll\<CaName><CRLNameSuffix><DeltaAllowed>.crl
Publish CRLs to this location is set.
Publish Delta CRLs to this location is set.

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
All Options Set

http://<ServerDNSName>/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
Include in CRLs. Clients use this to find Delta CRL Locations is
set.
Include in the CDP extension of issued certificates is set.

File://\\<ServerDNSName>/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
No options are set.

I have manually copied and installed (letting windows choose the right
store) the CRL downloaded from the CA to the server running IAS. This
did not address the issue.

Users requesting certificates from the CA get the message "
The certificate request failed because of one of the following
conditions:
- The certificate request was submitted to a Certificate Authority
(CA) that is not started (CA was verified running)
- You do not have permissions to request certificates from the
available CAs. (This was never an issue before - where can I verify
that permissions are correct here?)

I've also run certutil and "-cainfo" returns:
H:\>certutil -cainfo
Exit module count: 1
CA name: BoldTechCA1
Sanitized CA short name (DS name): BoldTechCA1
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 2
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 3 -- Valid
CA cert[1]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert verify status[0]: 0
CA cert verify status[1]: 0
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert -- Is this an issue? How can
I create a CRL for the second root certificate?
CRL Publish Status[0]: 0x45 (69)
CPF_BASE -- 1
CPF_COMPLETE -- 4
CPF_MANUAL -- 40 (64)
Delta CRL Publish Status[0]: 0x46 (70)
CPF_DELTA -- 2
CPF_COMPLETE -- 4
CPF_MANUAL -- 40 (64)
DNS Name: FS1.boldtech.internal
Advanced Server: 0
CertUtil: -CAInfo command completed successfully.

Thanks for your time, you all!
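Jorge's suggestion to confirm that clients can reach the CDP anonymously, as an added example that is not part of the thread: it expands the HTTP CDP template from the post into the base and delta CRL URLs that must exist for each CA key (a renewed CA certificate with a new key, such as CA cert[1] above, gets its own CRL named with a "(1)" suffix) and probes each one without credentials. The CA name and server name come from the certutil output in the post; the token substitution rules are an assumption about how Certificate Services fills in `<CRLNameSuffix>` and `<DeltaCRLAllowed>`.

```python
"""Expand CDP URL templates and probe them anonymously (added example, not from the thread)."""
import re
import urllib.error
import urllib.request

# Values taken from the certutil -cainfo output in the post.
CA_NAME = "BoldTechCA1"
SERVER_DNS = "FS1.boldtech.internal"
# The HTTP CDP entry listed in the post.
HTTP_TEMPLATE = "http://<ServerDNSName>/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"


def expand_cdp(template, ca_name, server_dns, key_index, delta=False):
    """Substitute the CDP tokens (assumed Certificate Services naming rules).

    key_index 0 is the original CA key; a renewed CA certificate with a new key
    (CA cert[1] in the post) gets its own CRL, named with a "(1)" suffix.
    The delta CRL appends "+" to the base name. Unknown tokens are left as-is.
    """
    tokens = {
        "ServerDNSName": server_dns,
        "CAName": ca_name,
        "CRLNameSuffix": "" if key_index == 0 else f"({key_index})",
        "DeltaCRLAllowed": "+" if delta else "",
    }
    return re.sub(r"<(\w+)>", lambda m: tokens.get(m.group(1), m.group(0)), template)


def crl_urls(template, ca_name, server_dns, ca_cert_count):
    """Every base and delta CRL URL that must be reachable, one pair per CA key."""
    return [expand_cdp(template, ca_name, server_dns, i, d)
            for i in range(ca_cert_count) for d in (False, True)]


def probe(url, timeout=5):
    """Anonymous GET. A 401/407 means the client would be prompted for credentials,
    which revocation checking cannot satisfy; a connection failure means 'offline'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http-{resp.status}"
    except urllib.error.HTTPError as e:
        return "auth-required" if e.code in (401, 407) else f"http-{e.code}"
    except (urllib.error.URLError, OSError):
        return "offline"


if __name__ == "__main__":
    # CA cert count: 2 in the post, so four CRL files are expected.
    for url in crl_urls(HTTP_TEMPLATE, CA_NAME, SERVER_DNS, ca_cert_count=2):
        print(f"{probe(url):14} {url}")
```

Run it from a client in the child domain; any result other than "ok" for the "(1)" files is consistent with the "No CRL for this Cert" line in the certutil output.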



