Certificate revocation check fails for non-domain guest in spite of accessible CRL
- by 0xFE
When we try to use certificates on computers that are not part of the domain, Windows complains that
The revocation function was unable to check revocation because the revocation server was offline.
However, if I manually open the certificate and check the CRL Distribution Point property, I see an ldap:/// URL and an http:// URL that points to externally-accessible IIS site that hosts the CRLs. Of course, the non-domain-joined client cannot access the ldap:/// URL, but it can download the CRL from the http:// link (at least in a browser).
I enabled CAPI logging and I see the event that corresponds to this failed revocation check. The
RevocationInfo section is:
RevocationInfo
[ freshnessTime] PT11H27M4S
RevocationResult The revocation function was unable to check revocation because the revocation server was offline.
[ value] 80092013
CertificateRevocationList
[ location] UrlCache
[ url] http://the correct URL
[fileRef] 6E463C2583E17C63EF9EAC4EFBF2AEAFA04794EB.crl
[issuerName] the name of the CA
Furthermore, I can see the HTTP request to the correct URL and the server's response (HTTP 304 Not Modified) with Microsoft Network Monitor.
I ran certutil -verify -urlfetch, and it seems to show the same thing: the computer recognizes both URLs, tries both, and even though the http:// link succeeds, returns the same error.
Is there a way to have non-domain-joined clients skip the ldap:/// link and only check the http:// one?
Edit:
The ldap:/// URL is
ldap:///CN=<name of CA>,CN=<name of server that is running the CA>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>?certificateRevocationList?base?objectClass=cRLDistributionPoint
The non-domain-joined clients may be on the domain network or on an external network. The http:// CDP is accessible from the public internet.
