
Testing CRLs


Amihai Bareket

Jul 22, 2006, 4:32:03 AM
We're working with Windows Server 2003 CA.

We had several issues where the CRL file that the CA published was unusable
for users (Smartcard Logon, ...). The CRL is published through HTTP (IIS).

The error message we get is -

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 9
The client has failed to validate the Domain Controller certificate for
my.domain. The following error was returned from the certificate validation
process: The revocation function was unable to check revocation because the
revocation server was offline.

The error message is not the issue here. Publishing a new CRL and rebooting
the DCs usually sorts the problem.

We want to create a script that will run automatically and test the CRL
every time it's published by the CA, before we transfer it to the IIS server.

Any ideas?

Thanks,

Amihai


Brian Komar

Jul 24, 2006, 8:24:18 AM
In article <uz6UREWr...@TK2MSFTNGP02.phx.gbl>, amih...@hotmail.com says...

>
> Event ID: 9
> The client has failed to validate the Domain Controller certificate for
> my.domain. The following error was returned from the certificate validation
> process: The revocation function was unable to check revocation because the
> revocation server was offline.
>
This type of error is not typically due to a malformed CRL. This error message is typically
displayed when there are errors in the AIA or CDP extension of a certificate in the
certificate chain.
To troubleshoot, export a certificate (such as the domain controller certificate) to a file,
and then run "certutil -verify -urlfetch <dccert.cer>" and post the output to the newsgroup.
This should show where the errors are.

Brian
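One way to script both halves of this thread, as an added example that is not code from either poster: a pre-publication gate for the CRL file the CA just wrote (the check Amihai asks for), a post-copy check that the CDP URL on IIS really serves that exact file, and the "certutil -verify -urlfetch" chain test Brian recommends. It assumes Windows PowerShell 4 or later and a certutil that accepts "-verify <CRLFile> <CACertFile>" to check the CRL signature. The paths, the host name in the CDP URL, the minimum remaining lifetime, and the exact wording matched in certutil's output ("ThisUpdate:", "NextUpdate:", "Failed", "ERROR") are all assumptions for illustration; adjust them to the environment.

```powershell
<#
  Added example, not code from the original thread.
  Gate a freshly published CRL before it is copied to IIS, confirm the CDP URL serves it,
  then run the chain test from the reply above against an exported DC certificate.
  All paths, URLs and the certutil output wording below are assumptions.
#>
param(
    [string]$CrlPath      = 'C:\Windows\System32\CertSrv\CertEnroll\MyCA.crl', # CRL the CA just wrote (assumed)
    [string]$CaCertPath   = 'C:\Windows\System32\CertSrv\CertEnroll\MyCA.crt', # issuing CA certificate (assumed)
    [string]$CdpUrl       = 'http://pki.my.domain/CertEnroll/MyCA.crl',        # URL from the CDP extension (assumed)
    [string]$DcCertPath   = 'C:\Temp\dccert.cer',                              # exported DC certificate (assumed)
    [int]   $MinHoursLeft = 24   # refuse a CRL that expires sooner than this; the CA should publish with overlap
)
$ErrorActionPreference = 'Stop'

function Get-DumpDate {
    # Pull one "<Label>: <date>" line out of "certutil -dump" output. certutil prints dates in the
    # machine locale, so parse with the current culture rather than a fixed format.
    param([string[]]$Lines, [string]$Label)
    $m = $Lines | Select-String -Pattern "^\s*$Label\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if (-not $m) { throw "'$Label' not found in certutil -dump output" }
    return [datetime]::Parse($m.Matches[0].Groups[1].Value)
}

function Test-CrlFile {
    # Pre-publication gate: parseable, inside its validity window, enough lifetime left,
    # and signed by the CA certificate we expect.
    param([string]$Path, [string]$CaCert, [int]$MinHours)
    $dump = & certutil.exe -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil cannot parse '$Path' as a CRL (exit $LASTEXITCODE)" }
    $thisUpdate = Get-DumpDate -Lines $dump -Label 'ThisUpdate'
    $nextUpdate = Get-DumpDate -Lines $dump -Label 'NextUpdate'
    $now = Get-Date
    if ($thisUpdate -gt $now.AddMinutes(10)) { throw "ThisUpdate $thisUpdate is in the future; check the CA clock" }
    if ($nextUpdate -le $now)                { throw "CRL already expired at $nextUpdate" }
    $left = ($nextUpdate - $now).TotalHours
    if ($left -lt $MinHours)                 { throw "CRL expires in $([int]$left) h, below the required $MinHours h" }
    # "certutil -verify <CRLFile> <CACertFile>" checks the CRL signature against the CA certificate.
    $out = & certutil.exe -verify $Path $CaCert
    if ($LASTEXITCODE -ne 0 -or ($out -match 'ERROR')) { throw "CRL signature check failed:`n$($out -join "`n")" }
    Write-Host "CRL OK: valid $thisUpdate .. $nextUpdate ($([int]$left) h left), signature verified"
}

function Test-CdpUrl {
    # After the copy to IIS: the CDP URL must return 200, a CRL MIME type, and byte-for-byte the file
    # that passed the gate (a stale copy or a proxy cache is exactly what makes clients report "offline").
    # IIS 6 and later refuse to serve an extension with no MIME mapping, so the .crl mapping must exist.
    param([string]$Url, [string]$LocalPath)
    $tmp  = [IO.Path]::GetTempFileName()
    $resp = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing
    if ($resp.StatusCode -ne 200) { throw "CDP returned HTTP $($resp.StatusCode) for $Url" }
    $ctype = [string]$resp.Headers['Content-Type']
    if ($ctype -notmatch 'pkix-crl') { Write-Warning "CDP serves Content-Type '$ctype', expected application/pkix-crl" }
    $local  = (Get-FileHash -Algorithm SHA256 $LocalPath).Hash
    $served = (Get-FileHash -Algorithm SHA256 $tmp).Hash
    Remove-Item $tmp
    if ($local -ne $served) { throw "CDP serves a different file than $LocalPath (stale copy or cached by a proxy)" }
    Write-Host "CDP OK: $Url serves the tested CRL (SHA256 $served)"
}

function Test-ChainWithUrlFetch {
    # The check from the reply: build the chain for an exported DC certificate and fetch every AIA/CDP URL.
    # certutil exits 0 even when a URL fetch fails, so inspect the text for "Failed" / "ERROR" lines (assumed wording).
    param([string]$CertPath)
    $out = & certutil.exe -verify -urlfetch $CertPath
    $bad = $out | Select-String -Pattern '^\s*Failed\s+"|ERROR:'
    if ($bad) { throw "Chain/URL problems for ${CertPath}:`n$($bad -join "`n")" }
    Write-Host "Chain OK: every AIA/CDP URL for $CertPath fetched and validated"
}

Test-CrlFile -Path $CrlPath -CaCert $CaCertPath -MinHours $MinHoursLeft
# Copy the file to the IIS server here (Copy-Item to the web share, or whatever the transfer step is), then:
Test-CdpUrl -Url $CdpUrl -LocalPath $CrlPath
Test-ChainWithUrlFetch -CertPath $DcCertPath
```

Run it as a scheduled task that triggers after the CA's CRL publication; any throw leaves the old CRL in place on IIS. The lifetime check matters more than it looks: clients cache a CRL until its NextUpdate, so a CRL published with little overlap can expire in a client's cache before the next one is fetched, which produces the same "revocation server was offline" symptom as a broken URL.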
