Posted March 19, 201014 yr Hopefully your ca is inside your enterprise, you should probably take your root server offline and bring up an issuing ca as well. We just alias out the name of our internal server with an external site and make the path the exact same as the internal crl and it works for us. This really has nothing to do with AD, so I have cross posted with the security NewsGroup. You will probably get more details on this from someone over there. -- Paul Bergson MVP - Directory Services MCITP - Enterprise Administrator MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci 2008, Vista, 2003, 2000 (Early Achiever), NT4 Microsoft's Thrive IT Pro of the Month - June 2009 http://www.pbbergs.com Please no e-mails, any questions should be posted in the NewGroups. This posting is provided "AS IS" with no warranties and confers no rights. "POB" wrote in message news:02A8902D-0622-4BB4-BB55-E4D4D1F58375@microsoft.com... > This problem was brought to my attention while attempting to implement > SSTP > VPN connections to a Windows Server 2008 R2 Server (it is also the root CA > and only CA in the forest). Users who attempt to connect receive the > following error: "Error 0x80092013: The revocation function was unable to > check revocation because the revocation server was offline." In response > the > error, I read Microsoft Article Article ID: 961880,and followed the steps > outlined in the article. > > I also scanned ADCS for best practices, and it returns the following > warning: "The certificate revocation list (CRL) distribution point > extension > on this certification authority (CA) includes URIs for a remote Web > server. > If the Web server is Internet Information Services (IIS) 7.0 with the > default > configuration, then delta CRL URIs that contain a plus sign (+) will be > blocked." It says to resolve the problem, ensure that the "allow double > escaping" check box is selected in the IIS Request Filtering settings. I > have confirmed that it is checked. > > What I have done so far: > 1. Delete the prior http location from the extensions tab of the CA > 2. Enter a new http location with the public IP e.g. > http://1.1.1.1/CertEnroll/.crl > 3. Checked the Include in CRL box, and the include in the CDP box > 4. Revoked the old SSL certificate, and re-issued a new one > 5. Re-bound the SSL certificate to 443 in IIS > 6. Associated the new certificate in RAS > 7. Ensured that "allow double escaping" was checked in IIS for the > certenroll site > > How do I resolve this problem? >
![Guest Paul Bergson [MVP-DS]](https://freepchelp.forum/static/resources/core_84c1e40ea0e759e3f1505eb1788ddf3c_default_photo.png)
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.