

Windows 10 SSTP VPN: The revocation function was unable to check revocation because the revocation server was offline error

Question

Thursday, June 27, 2019 8:11 PM

Hello,

Environment:
Server: SSTP Server on MT router using certificate issued by the domain's CA
Client: Windows built-in SSTP VPN client (Windows 10 Pro 1809, not tested on 7/8) (machine is joined to the same domain, CA certificate is present in the machine's Trusted Root)

Problem: On VPN connect, Windows returns the error "The revocation function was unable to check revocation because the revocation server was offline".

Domain's CA CDP and AIA are HTTP only, published online and accessible by the client.

certutil -v -verify -urlfetch vpn-server.cer shows the HTTP CDP and AIA, passes all checks successfully.

After enabling the CAPI2 log, I can see that Windows is trying the revocation check using an LDAP address, although it is not specified anywhere.

What am I missing? Why is certutil showing and using the correct HTTP endpoints, but CAPI2 uses LDAP?
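A way to put the three things mentioned in the question side by side: the CDP/AIA URLs written into the certificate, the URLs certutil fetches during `-verify -urlfetch`, and the URLs CAPI2 records when the SSTP client validates the chain. This is an added PowerShell example (run elevated), not part of the original post; the certificate path `C:\temp\vpn-server.cer` and the 15-minute look-back window are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: the SSTP server certificate has been exported to this path.
$certPath = 'C:\temp\vpn-server.cer'

# 1. Revocation-related extensions as written into the certificate itself.
#    CDP is OID 2.5.29.31, AIA is OID 1.3.6.1.5.5.7.1.1.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($null -eq $ext) { "No extension with OID $oid"; continue }
    "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true)
}

# 2. What certutil actually downloads when it verifies the chain (the check from the question).
#    Only the URL lines are kept so an unexpected ldap:// entry stands out.
$verify = certutil -v -verify -urlfetch $certPath
'--- URLs touched by certutil -verify -urlfetch ---'
$verify | Select-String -Pattern '(ldap|http)://' |
    ForEach-Object { $_.Line.Trim() } | Sort-Object -Unique

# 3. What CAPI2 recorded. Enable the operational log, reproduce the VPN connection,
#    then pull every URL out of the events written since $since.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
$since  = (Get-Date).AddMinutes(-15)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

'--- URLs recorded by CAPI2 ---'
$events | ForEach-Object {
    $xml  = $_.ToXml()
    $urls = [regex]::Matches($xml, '(ldap|http)://[^"<\s]+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($urls) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Urls    = $urls -join ' ; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run step 3 after reproducing the failed connection. If the certificate and certutil both show only http:// URLs but CAPI2 events carry an ldap:// URL, the client is not reading the URL from the certificate it just received, which points at cached chain or CRL state rather than at the CA's published CDP/AIA configuration.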

All replies (6)

Wednesday, July 3, 2019 1:38 PM (Answered)

The problem seems to be related to caching. Restarting the client machine on certificate change should fix it. More info here.


Friday, June 28, 2019 7:33 AM

Hi,

I would suggest you disable revocation check by registry.

Please refer to the link below:

http://palvelimet.net/disable-revocation-check-sstp-vpn/ 

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.  

Meanwhile, Please post it in Security forum for a better answer.

https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=winserversecurity 

Best regards,

Travis

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
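A follow-up to both the accepted answer (restart the client to clear the cache) and the registry suggestion above, as an added PowerShell example that is not from the thread or from the linked article: a cache flush that avoids the reboot, and the SstpSvc registry switch shown as the weak workaround next to its rollback. The registry path and the value name `NoCertRevocationCheck` are from memory of the documented SstpSvc parameters and should be compared against the linked article before use; the VPN connection name is a placeholder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

function Clear-SstpRevocationCache {
    # Machine-wide: mark every cached certificate chain as stale so the next
    # validation re-reads the CDP/AIA from the certificate and refetches.
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    # Per-profile URL cache (downloaded CRLs / OCSP responses). This only clears
    # the cache of the account you run it as; SstpSvc validates the server
    # certificate under its own service account, so do not rely on this alone.
    certutil -urlcache * delete | Out-Null
    # Restart the SSTP client service so it picks up the resync without a reboot.
    Restart-Service SstpSvc -Force
}

function Set-SstpRevocationCheck {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Assumed (from memory of the documented SstpSvc parameters):
    # NoCertRevocationCheck = 1 makes the SSTP client skip CRL/OCSP checks.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Enabled) {
        # Corrected state: no override present, the server certificate's
        # revocation status is checked on every connection.
        Remove-ItemProperty -Path $key -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
    } else {
        # Weak state: the workaround from the linked article. A revoked server
        # certificate is accepted while this is set, so treat it as temporary.
        New-ItemProperty -Path $key -Name NoCertRevocationCheck `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Restart-Service SstpSvc -Force
}

function Get-SstpRevocationCheck {
    # Report the current state so the workaround is not forgotten.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $v = (Get-ItemProperty -Path $key -Name NoCertRevocationCheck `
            -ErrorAction SilentlyContinue).NoCertRevocationCheck
    if ($v -eq 1) { 'DISABLED (NoCertRevocationCheck=1)' } else { 'enabled' }
}

# Usage: flush the caches, reconnect, and confirm the check is still on.
# 'Corp VPN' is an assumed connection name.
Clear-SstpRevocationCache
rasdial 'Corp VPN'
Get-SstpRevocationCheck
```

Prefer `Clear-SstpRevocationCache` first; only fall back to `Set-SstpRevocationCheck -Enabled $false` if a connection is needed immediately, and run `Set-SstpRevocationCheck -Enabled $true` as soon as the cache problem is resolved so the client goes back to rejecting revoked server certificates.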


Friday, June 28, 2019 11:00 AM

Disabling the check works but it's not a long term solution.

My question is why is CAPI2 showing an ldap address, when the certificate contains only http endpoints. The certificate is issued by the domain's CA (no intermediate CAs). CA's cert has no CDP or AIA specified.
CRLs were republished after the certificate was issued.

Why is certutil working correctly and CAPI2 not?


Monday, July 1, 2019 6:07 AM

Hi,

I know it is a workaround, but I am not a master of CA.

As a result, I suggest you ask experts in the security forum. 

Best regards,

Travis

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]


Monday, July 1, 2019 2:26 PM

Thanks, I've posted there as you suggested and I'll update this thread if there is a solution provided there.


Thursday, July 4, 2019 2:26 AM

Hi,

Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

If there is anything else we can do for you, please feel free to post in the forum.

Best regards,

Travis

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]