Ohaya
Hi,
I have been trying to figure out a problem that I've been having, where
I have IIS with client authentication enabled, and it appears that CRL
checking is not occurring. I've been chasing this problem for a few
days now, and posted in various groups, with no results, but I'm kind of
getting the feeling from my testing that the problem may be related to
Active Directory.
Let me explain...
My configuration is as follows. I installed a set of 3 machines:
- MachineA: Windows Server configured as domain controller, with
Active Directory and IIS installed.
- MachineB: Windows Server. This machine is not on the MachineA domain,
but on a workgroup, MISNET, and has Certificate Server and IIS (to
service certificate requests) installed. Certificate Server is
configured as a Standalone CA. The name for MachineB is actually "CA",
i.e., I can get a certificate by pointing IE to http://CA/certsrv.
- MachineC: Windows 2000 Pro - this is my client machine. This machine
is also not on the MachineA domain, but is in workgroup MISNET.
I used the Certificate Server on MachineB to create a server certificate
for IIS on MachineA, and installed the server certificate plus the root
certificate for the Certificate Server, both on MachineA.
Using Certificate Server, I've created and installed several client
certificates on MachineC, and I can successfully connect from IE on
MachineC to the IIS Server on MachineA, with client authentication.
The problem that I'm having is that when I revoke a client certificate
using Certificate Server on MachineB, that client certificate still
works, even when I publish the CRL from MachineB, and even after I
reboot MachineA (lots of times!).
I've verified that I can get the CRL off of MachineB, running IE on
MachineA. I've also used MMC and Certmgr on MachineA, and verified that
the updated CRL is there (in Intermediate Certification
Authorities/ICA).
The CDP in the client certs points to http://ca/certenroll/ca.crl and
file://\\ca\certenroll\ca.crl.
But, no matter what I've done so far, I cannot get any certificate
revocations "to take".
I've been doing some thinking, and I keep wondering if this might be
because I have IIS and Active Directory running on the same machine
(MachineA)?
I'm wondering if, for some reason, IIS is checking a CRL that somehow
might be STORED IN Active Directory, INSTEAD of the CRL from the ICA?
That seems like the only possible explanation. What I'm thinking is
that, since the Certificate Server is on a non-domain machine, it
wouldn't have stored the CRL in Active Directory when I published the
CRL. Since the Certificate Server is not updating the CRL in Active
Directory, and if, for some reason (????), IIS is checking the CRL in
Active Directory, that would explain why revocations are not taking
effect.
As I indicated in some other posts, I've read through the CRL
"whitepaper", and that seems to indicate that IIS (or actually
CryptoAPI, I think) SHOULD be checking the ICA first, but that does not
seem to be happening for me.
I don't know if the configuration that I have, with IIS running on the
domain controller/machine with Active Directory, is an unusual
configuration, but I'm really stuck on this one, so I hope some of you
Active Directory gurus might help.
Aside from any thoughts about the above, some of the things I'd like to
be able to do (but don't know how) are:
1) Check/search in Active Directory to see if there is really a CRL
stored in there somewhere, and
2) Import/move my CRL into Active Directory manually, to see if that
gets the revocations to take hold.
Thanks, and sorry for the long post, but I've been working at this for a
while, and like I said, I could really use the help, so I'm trying to
post as much info as possible.
Jim
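Added example, not part of Jim's post and not code from any Microsoft tool: a standard-library Python parser for the DER structure of an X.509 CRL (RFC 5280 CertificateList), with a revocation check that also enforces the CRL's thisUpdate/nextUpdate validity window. The CRL it parses is constructed in-code with placeholder signature bytes and an issuer CN of "CA" to mirror the setup above; the serial numbers, revocation dates and one-week validity window are made up. It does not verify the CRL signature, which a real validator must do against the issuing CA's public key. The nextUpdate check is the part worth noting when a revocation does not "take": CryptoAPI keeps a fetched CRL in its cache and treats it as authoritative until that CRL's nextUpdate, so a certificate revoked after the cached copy was fetched still checks out as good until the cached copy expires or is cleared.

```python
"""Minimal X.509 CRL DER parser + revocation check (standard library only).
The sample CRL is constructed below with a dummy signature: this shows the
structure and the lookup logic, not signature verification."""
from datetime import datetime, timezone

COMMON_NAME_OID = bytes.fromhex("550403")             # id-at-commonName
SHA1_RSA_ALG = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption


def utc(*ymdhms: int) -> datetime:
    """Aware UTC datetime, e.g. utc(2003, 3, 1, 12)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


# ---- tiny DER encoder, used only to build the constructed sample CRL ----
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n: int) -> bytes:      # INTEGER, minimal two's complement (adds 0x00 if high bit set)
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))

def _utctime(dt: datetime) -> bytes:    # UTCTime YYMMDDHHMMSSZ
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

SAMPLE_ISSUER_CN = "CA"                 # constructed to match the CA name in the post
SAMPLE_THIS_UPDATE = utc(2003, 3, 1, 12)    # arbitrary dates, one-week window
SAMPLE_NEXT_UPDATE = utc(2003, 3, 8, 12)
SAMPLE_REVOKED = {                      # serial -> revocationDate (constructed)
    0x1A2B: utc(2003, 2, 28, 9, 30),
    0x8F: utc(2003, 2, 28, 10, 0),      # high bit set: DER needs a leading 0x00
}

def build_sample_crl() -> bytes:
    alg = _seq(_tlv(0x06, SHA1_RSA_ALG), _tlv(0x05, b""))
    issuer = _seq(_tlv(0x31, _seq(_tlv(0x06, COMMON_NAME_OID),
                                  _tlv(0x13, SAMPLE_ISSUER_CN.encode("ascii")))))
    revoked = _seq(*(_seq(_int(s), _utctime(d)) for s, d in SAMPLE_REVOKED.items()))
    tbs = _seq(_int(1), alg, issuer, _utctime(SAMPLE_THIS_UPDATE),
               _utctime(SAMPLE_NEXT_UPDATE), revoked)     # version 1 == CRL v2
    signature = _tlv(0x03, b"\x00" + bytes(16))           # placeholder, NOT a real signature
    return _seq(tbs, alg, signature)


# ---- DER reader and CRL decoding ----
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def der_children(value: bytes):
    """List the (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> datetime:
    s = val.decode("ascii")
    if tag == 0x17:                     # UTCTime: RFC 5280 pivot, 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:                   # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def issuer_cn(name: bytes) -> str:
    for _, rdn in der_children(name):           # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == COMMON_NAME_OID:
                return val.decode("ascii")
    return ""

def parse_crl(der: bytes) -> dict:
    """Decode CertificateList -> the tbsCertList fields a revocation check needs."""
    _, cert_list, _ = der_read(der)
    _, tbs, _ = der_read(cert_list)             # TBSCertList is the first child
    f = der_children(tbs)
    i = 1 if f[0][0] == 0x02 else 0             # optional version INTEGER
    i += 1                                      # skip signature AlgorithmIdentifier
    issuer, this_update = f[i][1], parse_time(*f[i + 1])
    i += 2
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):  # nextUpdate is OPTIONAL
        next_update, i = parse_time(*f[i]), i + 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:          # revokedCertificates
        for _, entry in der_children(f[i][1]):
            serial, date = der_children(entry)[:2]          # crlEntryExtensions ignored
            revoked[int.from_bytes(serial[1], "big", signed=True)] = parse_time(*date)
    return {"issuer_cn": issuer_cn(issuer), "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def check_revocation(crl: dict, serial: int, now: datetime) -> str:
    """'revoked'/'good' inside the validity window, otherwise why the CRL is unusable.
    A cached CRL is authoritative until nextUpdate, so a serial revoked only in a
    newer CRL still comes back 'good' from the cached one until then."""
    if now < crl["this_update"]:
        return "not-yet-valid"
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "expired"
    return "revoked" if serial in crl["revoked"] else "good"

if __name__ == "__main__":
    crl = parse_crl(build_sample_crl())
    print("issuer CN:", crl["issuer_cn"], "valid", crl["this_update"], "->", crl["next_update"])
    for s in (0x1A2B, 0x8F, 0x1A2C):
        print("%#x: %s" % (s, check_revocation(crl, s, utc(2003, 3, 2))))
```

To run it against a real CRL, read the `.crl` file bytes (a Windows CA publishes DER) and pass them to `parse_crl`; the serial to look up is the client certificate's serial number as an integer. Treat "expired" as a hard failure, and remember that this code trusts the CRL's contents without checking its signature.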