When we try to use certificates on computers that are not part of the domain, Windows complains that

The revocation function was unable to check revocation because the revocation server was offline.

However, if I manually open the certificate and check the CRL Distribution Point property, I see an ldap:/// URL and an http:// URL that points to externally-accessible IIS site that hosts the CRLs. Of course, the non-domain-joined client cannot access the ldap:/// URL, but it can download the CRL from the http:// link (at least in a browser).

I enabled CAPI logging and I see the event that corresponds to this failed revocation check. The RevocationInfo section is:

• RevocationInfo

  [ freshnessTime] PT11H27M4S

  • RevocationResult The revocation function was unable to check revocation because the revocation server was offline.
    [ value] 80092013
  • CertificateRevocationList
    [ location] UrlCache
    [ url] http://the correct URL
    [fileRef] 6E463C2583E17C63EF9EAC4EFBF2AEAFA04794EB.crl
    [issuerName] the name of the CA

Furthermore, I can see the HTTP request to the correct URL and the server's response (HTTP 304 Not Modified) with Microsoft Network Monitor.

I ran certutil -verify -urlfetch, and it seems to show the same thing: the computer recognizes both URLs, tries both, and even though the http:// link succeeds, returns the same error.

Is there a way to have non-domain-joined clients skip the ldap:/// link and only check the http:// one?

Edit:
The ldap:/// URL is

ldap:///CN=<name of CA>,CN=<name of server that is running the CA>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>?certificateRevocationList?base?objectClass=cRLDistributionPoint

The non-domain-joined clients may be on the domain network or on an external network. The http:// CDP is accessible from the public internet.