
RemoteApp - GoDaddy Revocation Checklist

I have a production terminal server running Server 2008 and publishing a few RemoteApps. The same system provides TS gateway, web access, network policy server, everything. The site is published through an ISA 2006 server. All publishing is performed with a GoDaddy certificate. I have verified that the certificate and its intermediate root are published correctly.

Recently a few of my clients have been receiving "a revocation check could not be performed for the certificate". I'm not 100% sure but I believe the problem is restricted to Windows 7 clients. The CRL path in the certificate is http://crl.godaddy.com/gds1-18.crl. Uptrends.com doesn't indicate any connectivity problems with this path so I'm at a loss as to the cause of this problem. I'm really at a loss. How can I correct this?
Asked by: timbrigham
 
Llacy80 Commented:
Hi. Please go to Remote Desktop Session Host Configuration and right click on RDP-TCP under connections. Go to Properties, on the general tab at the bottom does the correct name of your certificate appear?

0
 
timbrigham (Author) Commented:
It does. I've also verified that the correct certificate is used in the ISA, IIS and RemoteApp digital signature pages.
0
 
Llacy80 Commented:
Ok. On that same setting that I mentioned earlier, I ended up having to click Default --> to set it to Auto Generated only on that configuration setting, all others pointed to third party cert. It worked for me and the revocation error disappeared for my win 7 clients. Since it is a production server, you may want to try it during off hours when no one is connected to it.

0

 
timbrigham (Author) Commented:
Unfortunately that didn't do the trick. I actually locked myself out of the remoteapps entirely.
I'm going to try adding "enablecredsspsupport:i:0" to my options (per http://blog.wapnet.nl/2010/11/a-revocation-check-could-not-be-performed-for-the-certificate/) to see if it helps.
0
 
Llacy80 Commented:
Ok. Let me know if it works. The information I provided above worked for me so perhaps our setup is a little different and that is why it did not work for you. It was worth a shot and I am sure you were able to change it right back to the third party certificate to access the remoteapps again. Let me do some searching around and see if there are any other fixes for it.
0
 
timbrigham (Author) Commented:
It looks like this problem may be related to Windows 7 SP 1 - http://forum.wegotserved.com/index.php/topic/17786-win7-sp1-rdp-certificate-error/.

I'm going to install on a test box and see if I can reproduce this error.
0
 
timbrigham (Author) Commented:
I wasn't able to replicate this problem on my test box. I did however come across a hotfix from MS that looks like it may be of some use. http://support.microsoft.com/kb/2203302. There were a couple references to a hotfix as a potential solution for this problem. I believe this is the right one.

The GoDaddy certificate does use an intermediate certificate in the chain. I think at this point I'll wait to get onto one of the remote computers experiencing this issue and give this hotfix a go. If not I'm at a total loss. Thanks for your help Llacy80.
0
 
Llacy80 Commented:
Hi. Were you able to verify that it is indeed only an issue with Windows 7 clients? You posted in your original question that you were not 100% sure at that point if it was only affecting Win 7 clients.
0
 
Llacy80 Commented:
An additional link that might be of use...

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/12f2761b-457d-4b4d-b0de-8a0ebb4aaeec

See last post on that URL --

0
 
timbrigham (Author) Commented:
Thanks again Llacy80.
This odd behavior began to expand beyond the Windows 7 clients to the point where 100% of the users coming in through TSWeb were failing at which time I rebooted. That seems to have cleared it up. Very odd - nothing in the logs or performance counters would have indicated this would have helped.
0
 
Llacy80 Commented:
That is odd...Well I am glad it is resolved and if it comes back let me know because I have some more ideas on the cause.
0
 
timbrigham (Author) Commented:
For anyone that comes across this question - A few of my remote clients were still experiencing problems. Those systems turned out to need to have their dates and times adjusted. Those folks were in the Philippines and had the timezone set to US\Pacific but the date and time set to their local times. Since they are a day ahead and the CRL expires daily it wasn't possible for them to connect.
0
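The clock/time-zone mismatch described in the post above, modelled as an added example (not code from the thread): it shows for how much of a daily CRL's validity window a misconfigured client would reject it. The CRL dates are constructed, the fixed UTC+8 / UTC-8 offsets ignore daylight saving, and the verifier is assumed to simply compare its own clock with thisUpdate/nextUpdate.

```python
from datetime import datetime, timedelta, timezone

def believed_utc(true_utc, actual_offset_h, configured_offset_h):
    """UTC instant the client thinks it is when its wall clock shows correct
    local time for `actual_offset_h` but the OS zone is `configured_offset_h`."""
    wall_clock = true_utc + timedelta(hours=actual_offset_h)   # what the clock face shows
    return wall_clock - timedelta(hours=configured_offset_h)   # OS converts with the wrong zone

def crl_status(this_update, next_update, client_utc):
    """Classify a CRL's validity window as seen from the client's clock."""
    if client_utc < this_update:
        return "not-yet-valid"
    if client_utc > next_update:
        return "expired"
    return "valid"

def rejected_hours(this_update, next_update, actual_offset_h, configured_offset_h):
    """Whole hours of the CRL's real validity window during which the client
    would treat a freshly downloaded, current CRL as unusable."""
    rejected = 0
    t = this_update
    while t < next_update:
        seen = believed_utc(t, actual_offset_h, configured_offset_h)
        if crl_status(this_update, next_update, seen) != "valid":
            rejected += 1
        t += timedelta(hours=1)
    return rejected

# Constructed sample window: a CRL reissued every 24 hours.
THIS_UPDATE = datetime(2011, 3, 1, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)
PHILIPPINES, US_PACIFIC = 8, -8   # assumed fixed offsets in hours

if __name__ == "__main__":
    skewed = believed_utc(THIS_UPDATE + timedelta(hours=9), PHILIPPINES, US_PACIFIC)
    print("client believes UTC is", skewed.isoformat())
    print("status:", crl_status(THIS_UPDATE, NEXT_UPDATE, skewed))
    print("hours rejected per day (misconfigured):",
          rejected_hours(THIS_UPDATE, NEXT_UPDATE, PHILIPPINES, US_PACIFIC))
    print("hours rejected per day (zone set correctly):",
          rejected_hours(THIS_UPDATE, NEXT_UPDATE, PHILIPPINES, PHILIPPINES))
```

With the zone and clock disagreeing by 16 hours, the client is outside the window for most of each day, which is why the failure looks like an unreachable or broken CRL rather than a local clock problem.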
 
timbrigham (Author) Commented:
Final solution was a server reboot; all steps up to that point were really good diagnostics.
0
