  1. Senior Member Robbo777
    Join Date
    Aug 2015
    Location
    UK
    Posts
    300
    #1

    Default VPN revocation error?

    I have managed to successfully configure an SSTP VPN connection on my internal client PC, but only through registry fixes. I keep getting this error relating to checking to see if the server has been revoked...
    "The revocation function was unable to check revocation because the revocation server was offline."

    I've gone onto Revoked Certificates in my CA and clicked on Publish and created a new CRL, but the clients are not getting it or it's not working somehow. Any idea as to how I can fix this?

    Update: I have noticed that on the certificates I'm using only LDAP is being used as a method of retrieving the CRL. I don't mind this anyway because I'm not interested in HTTP at the moment; I just don't know why the domain-joined users and computers cannot find the CDP through LDAP?


    ldap:///CN=JEDI-CA,CN=Jedi,CN=CDP,CDP=Public Key Services,CN=Services,CN=Configuration,DC=starwars,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    ^^^ That is the LDAP CDP URL on the certificate.

  2. Member BornToBeMild
    Join Date
    Nov 2015
    Posts
    69

    Certifications
    MCSE Server Infrastructure, MCSA 2012, VCP5-DCV
    #2
    You've got all the elements of the answer there -

    Your CRL is published to your AD, and accessible via LDAP to authenticated clients on your internal network. Your client is attempting a VPN connection, so currently it is neither authenticated to AD nor on your internal network.

    So you need a way for external clients to access your CRL before the VPN authenticates them. HTTP on an external website.
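The point made in the reply above is that the client has to reach a CDP before the tunnel exists, so an LDAP-only CDP list cannot work from outside. The PowerShell below is an added example, not code from the thread: it reads the CRL Distribution Points extension from an exported server certificate (the file path is a placeholder), classifies each URL by scheme, and tries to fetch the HTTP ones the way an off-network client would.

```powershell
# Added example (not from the thread): list the CRL Distribution Points in a
# certificate and show which of them an off-network client could actually use.
# Assumes the server certificate has been exported to a .cer file (placeholder path).
function Test-CdpReachability {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [int] $TimeoutSec = 10
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        Write-Warning "No CDP extension in $($cert.Subject): revocation cannot be checked at all"
        return
    }
    # Format() renders every distribution point as a line of the form 'URL=<value>'
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(.+?)\s*(\r?\n|$)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    foreach ($url in $urls) {
        $result = [ordered]@{ Url = $url; Scheme = ($url -split ':')[0]; Reachable = $false; Detail = '' }
        switch -Regex ($url) {
            '^ldap:' {
                # An LDAP CDP needs a domain controller: fine on the LAN, but a
                # client that is still outside the tunnel has no DC to ask.
                $result.Detail = 'Needs DC/LDAP access; not usable before the VPN is up'
            }
            '^https?:' {
                try {
                    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                    $result.Reachable = ($resp.StatusCode -eq 200)
                    $result.Detail = "HTTP $($resp.StatusCode), $($resp.Content.Length) bytes"
                } catch {
                    $result.Detail = "Fetch failed: $($_.Exception.Message)"
                }
            }
            default { $result.Detail = 'Unsupported scheme for a VPN client' }
        }
        [pscustomobject]$result
    }
}

# Placeholder path: point this at the exported SSTP server certificate
Test-CdpReachability -CertPath 'C:\temp\vpn-server.cer' | Format-Table -AutoSize
```

Certificates issued before the CDP extension was changed keep their old URL list, so the server certificate has to be reissued after the change, and a client that already cached a failed fetch can be reset with `certutil -urlcache * delete`; `certutil -urlfetch -verify <cert.cer>` performs the same check with Windows' own chain engine.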

  3. Senior Member Robbo777
    Join Date
    Aug 2015
    Location
    UK
    Posts
    300
    #3
    Quote Originally Posted by BornToBeMild:
    You've got all the elements of the answer there -

    Your CRL is published to your AD, and accessible via LDAP to authenticated clients on your internal network. Your client is attempting a VPN connection, so currently it is neither authenticated to AD nor on your internal network.

    So you need a way for external clients to access your CRL before the VPN authenticates them. HTTP on an external website.
    But I'm using a domain-joined PC to use the VPN to start it with, so shouldn't it be able to access the CRL via LDAP? Plus I've created an additional add-on extension for the CA for the CDP here:
    [attached image: extensions.jpg]
    So won't the new certificates I'm creating have these addresses in them too? But it still hasn't worked!
    I really really REALLY need help with this because it's driving me mad! I will actually pay someone to try and get me to understand this!!! I have had this working on the domain-joined client machine when I told the registry not to check the CRL! Again, this is a domain-joined machine that I'm trying this on, so shouldn't it be able to query the LDAP server anyway? Even if it isn't, then why isn't the CDP on the certificate working for the client? I have actually entered the URL into the client's machine and they're able to download the CRL manually... strange! There are no certificates on my Hyper-V client machine that I'm trying this on except for the root CA certificate.
    Last edited by Robbo777; 04-06-2016 at 12:01 AM.
