Solved

RemoteApp - GoDaddy Revocation Checklist

Posted on 2011-02-24
Last Modified: 2012-06-27
I have a production terminal server running Server 2008 and publishing a few RemoteApps. The same system provides TS gateway, web access, network policy server, everything. The site is published through an ISA 2006 server. All publishing is performed with a GoDaddy certificate. I have verified that the certificate and its intermediate root are published correctly.

Recently a few of my clients have been receiving "a revocation check could not be performed for the certificate". I'm not 100% sure but I believe the problem is restricted to Windows 7 clients. The CRL path in the certificate is http://crl.godaddy.com/gds1-18.crl. Uptrends.com doesn't indicate any connectivity problems with this path so I'm at a loss as to the cause of this problem. I'm really at a loss. How can I correct this?
Question by:timbrigham
14 Comments
 
LVL 4

Expert Comment

by:Llacy80
ID: 34970647
Hi. Please go to Remote Desktop Session Host Configuration and right click on RDP-TCP under connections. Go to Properties, on the general tab at the bottom does the correct name of your certificate appear?

0
 
LVL 1

Author Comment

by:timbrigham
ID: 34970712
It does. I've also verified that the correct certificate is used in the ISA, IIS and RemoteApp digital signature pages.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34970795
Ok. On that same setting that I mentioned earlier, I ended up having to click Default --> to set it to Auto Generated only on that configuration setting, all others pointed to third party cert. It worked for me and the revocation error disappeared for my win 7 clients. Since it is a production server, you may try it during off hours when no one is connected to it.

0
 
LVL 1

Author Comment

by:timbrigham
ID: 34974129
Unfortunately that didn't do the trick. I actually locked myself out of the remoteapps entirely.
I'm going to try adding "enablecredsspsupport:i:0" to my options (per http://blog.wapnet.nl/2010/11/a-revocation-check-could-not-be-performed-for-the-certificate/) to see if it helps.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34974168
Ok. Let me know if it works. The information I provided above worked for me so perhaps our setup is a little different and that is why it did not work for you. It was worth a shot and I am sure you were able to change it right back to the third party certificate to access the remoteapps again. Let me do some searching around and see if there are any other fixes for it.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34974292
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34980415
It looks like this problem may be related to Windows 7 SP 1 - http://forum.wegotserved.com/index.php/topic/17786-win7-sp1-rdp-certificate-error/.

I'm going to install on a test box and see if I can reproduce this error.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34983478
I wasn't able to replicate this problem on my test box. I did however come across a hotfix from MS that looks like it may be of some use. http://support.microsoft.com/kb/2203302. There were a couple references to a hotfix as a potential solution for this problem. I believe this is the right one.

The GoDaddy certificate does use an intermediate certificate in the chain. I think at this point I'll wait to get onto one of the remote computers experiencing this issue and give this hotfix a go. If not I'm at a total loss. Thanks for your help Llacy80.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34983895
Hi. Were you able to verify that it is indeed only an issue with Windows 7 clients? You posted in your original question that you were not 100% sure at that point if it was only affecting Win 7 clients.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34983985
An additional link that might be of use...

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/12f2761b-457d-4b4d-b0de-8a0ebb4aaeec

See last post on that URL --

0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35008905
Thanks again Llacy80.
This odd behavior began to expand beyond the Windows 7 clients to the point where 100% of the users coming in through TSWeb were failing at which time I rebooted. That seems to have cleared it up. Very odd - nothing in the logs or performance counters would have indicated this would have helped.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 35009318
That is odd...Well I am glad it is resolved and if it comes back let me know because I have some more ideas on the cause.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 35036835
For anyone that comes across this question - A few of my remote clients were still experiencing problems. Those systems turned out to need to have their dates and times adjusted. Those folks were in the Philippines and had the timezone set to US\Pacific but the date and time set to their local times. Since they are a day ahead and the CRL expires daily it wasn't possible for them to connect.
0
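The clock problem described in the comment above can be modelled as follows. This is an added example, not code from the thread: it reads thisUpdate/nextUpdate out of a DER-encoded CRL and evaluates them against the UTC time a client derives from its wall clock and time zone setting. The sample CRL, its issuer name, its 24-hour validity window and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_window(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    _, start, _ = _tlv(der, 0)                     # CertificateList
    _, pos, end = _tlv(der, start)                 # tbsCertList
    times = []
    while pos < end and len(times) < 2:
        tag, vs, ve = _tlv(der, pos)
        if tag in (0x17, 0x18):
            times.append(_time(tag, der[vs:ve]))
        elif times:                                # field after thisUpdate is not a time
            break
        pos = ve
    return times[0], (times[1] if len(times) > 1 else None)

def crl_status(der, client_utc):
    """Classify the CRL as the client would, given the client's idea of UTC."""
    this_update, next_update = crl_window(der)
    if client_utc < this_update:
        return "not yet valid"
    if next_update is not None and client_utc > next_update:
        return "expired"
    return "current"

def machine_utc(true_utc, wall_clock_offset_h, configured_tz_offset_h):
    """UTC as computed by a PC whose wall clock and time zone setting disagree."""
    wall = true_utc + timedelta(hours=wall_clock_offset_h)
    return wall - timedelta(hours=configured_tz_offset_h)

# Constructed sample CRL (dummy signature): thisUpdate 2011-02-24, nextUpdate 2011-02-25.
SAMPLE_CRL = (
    bytes.fromhex("305c3047020101300d06092a864886f70d01010505003015311330110603550403130a")
    + b"Example CA"
    + bytes.fromhex("170d") + b"110224000000Z" + bytes.fromhex("170d") + b"110225000000Z"
    + bytes.fromhex("300d06092a864886f70d010105050003020000")
)
TRUE_UTC = datetime(2011, 2, 24, 12, 0, tzinfo=timezone.utc)
SKEWED_UTC = machine_utc(TRUE_UTC, +8, -8)   # Manila wall clock, US Pacific zone setting
```

A wall clock set to UTC+8 local time under a UTC-8 zone setting puts the machine's UTC 16 hours ahead, which is enough to fall past nextUpdate on a CRL that is reissued daily.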
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35045583
Final solution was a server reboot; all steps up to that point really good diagnostics.
0
