AD Certificate Services CRL Visible to Internet

This problem was brought to my attention while attempting to implement SSTP
VPN connections to a Windows Server 2008 R2 Server (it is also the root CA
and only CA in the forest). Users who attempt to connect receive the
following error: “Error 0x80092013: The revocation function was unable to
check revocation because the revocation server was offline.” In response the
error, I read Microsoft Article Article ID: 961880,and followed the steps
outlined in the article.

I also scanned ADCS for best practices, and it returns the following
warning: “The certificate revocation list (CRL) distribution point extension
on this certification authority (CA) includes URIs for a remote Web server.
If the Web server is Internet Information Services (IIS) 7.0 with the default
configuration, then delta CRL URIs that contain a plus sign (+) will be
blocked.” It says to resolve the problem, ensure that the “allow double
escaping" check box is selected in the IIS Request Filtering settings. I
have confirmed that it is checked.

What I have done so far:
1. Delete the prior http location from the extensions tab of the CA
2. Enter a new http location with the public IP e.g.
http://1.1.1.1/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
3. Checked the Include in CRL box, and the include in the CDP box
4. Revoked the old SSL certificate, and re-issued a new one
5. Re-bound the SSL certificate to 443 in IIS
6. Associated the new certificate in RAS
7. Ensured that “allow double escaping” was checked in IIS for the
certenroll site

How do I resolve this problem?

Hopefully your ca is inside your enterprise, you should probably take your
root server offline and bring up an issuing ca as well. We just alias out
the name of our internal server with an external site and make the path the
exact same as the internal crl and it works for us.

This really has nothing to do with AD, so I have cross posted with the
security NewsGroup. You will probably get more details on this from someone
over there.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"POB" <POB@community.nospam> wrote in message
news:02A8902D-0622-4BB4-BB55-E4D4D1F58375@microsoft.com...
> This problem was brought to my attention while attempting to implement
> SSTP
> VPN connections to a Windows Server 2008 R2 Server (it is also the root CA
> and only CA in the forest). Users who attempt to connect receive the
> following error: "Error 0x80092013: The revocation function was unable to
> check revocation because the revocation server was offline." In response
> the
> error, I read Microsoft Article Article ID: 961880,and followed the steps
> outlined in the article.
>
> I also scanned ADCS for best practices, and it returns the following
> warning: "The certificate revocation list (CRL) distribution point
> extension
> on this certification authority (CA) includes URIs for a remote Web
> server.
> If the Web server is Internet Information Services (IIS) 7.0 with the
> default
> configuration, then delta CRL URIs that contain a plus sign (+) will be
> blocked." It says to resolve the problem, ensure that the "allow double
> escaping" check box is selected in the IIS Request Filtering settings. I
> have confirmed that it is checked.
>
> What I have done so far:
> 1. Delete the prior http location from the extensions tab of the CA
> 2. Enter a new http location with the public IP e.g.
> http://1.1.1.1/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
> 3. Checked the Include in CRL box, and the include in the CDP box
> 4. Revoked the old SSL certificate, and re-issued a new one
> 5. Re-bound the SSL certificate to 443 in IIS
> 6. Associated the new certificate in RAS
> 7. Ensured that "allow double escaping" was checked in IIS for the
> certenroll site
>
> How do I resolve this problem?
>