Solved

RemoteApp - GoDaddy Revocation Checklist

Posted on 2011-02-24
Last Modified: 2012-06-27
I have a production terminal server running Server 2008 and publishing a few RemoteApps. The same system provides TS gateway, web access, network policy server, everything. The site is published through an ISA 2006 server. All publishing is performed with a GoDaddy certificate. I have verified that the certificate and its intermediate root are published correctly.

Recently a few of my clients have been receiving "a revocation check could not be performed for the certificate". I'm not 100% sure but I believe the problem is restricted to Windows 7 clients. The CRL path in the certificate is http://crl.godaddy.com/gds1-18.crl. Uptrends.com doesn't indicate any connectivity problems with this path so I'm at a loss as to the cause of this problem. I'm really at a loss. How can I correct this?
0
Question by:timbrigham
14 Comments
 
LVL 4

Expert Comment

by:Llacy80
ID: 34970647
Hi. Please go to Remote Desktop Session Host Configuration and right click on RDP-TCP under connections. Go to Properties, on the general tab at the bottom does the correct name of your certificate appear?

0
 
LVL 1

Author Comment

by:timbrigham
ID: 34970712
It does. I've also verified that the correct certificate is used in the ISA, IIS and RemoteApp digital signature pages.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 2000 total points
ID: 34970795
Ok. On that same setting that I mentioned earlier, I ended up having to click Default --> to set it to Auto Generated only on that configuration setting, all others pointed to third party cert. It worked for me and the revocation error disappeared for my win 7 clients. Since it is a production server, you may want to try it during off hours when no one is connected to it.

0
 
LVL 1

Author Comment

by:timbrigham
ID: 34974129
Unfortunately that didn't do the trick. I actually locked myself out of the remoteapps entirely.
I'm going to try adding "enablecredsspsupport:i:0" to my options (per http://blog.wapnet.nl/2010/11/a-revocation-check-could-not-be-performed-for-the-certificate/) to see if it helps.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34974168
Ok. Let me know if it works. The information I provided above worked for me so perhaps our setup is a little different and that is why it did not work for you. It was worth a shot and I am sure you were able to change it right back to the third party certificate to access the remoteapps again. Let me do some searching around and see if there are any other fixes for it.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 2000 total points
ID: 34974292
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34980415
It looks like this problem may be related to Windows 7 SP 1 - http://forum.wegotserved.com/index.php/topic/17786-win7-sp1-rdp-certificate-error/.

I'm going to install on a test box and see if I can reproduce this error.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34983478
I wasn't able to replicate this problem on my test box. I did however come across a hotfix from MS that looks like it may be of some use. http://support.microsoft.com/kb/2203302. There were a couple references to a hotfix as a potential solution for this problem. I believe this is the right one.

The GoDaddy certificate does use an intermediate certificate in the chain. I think at this point I'll wait to get onto one of the remote computers experiencing this issue and give this hotfix a go. If not I'm at a total loss. Thanks for your help Llacy80.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34983895
Hi. Were you able to verify that it is indeed only an issue with Windows 7 clients? You posted in your original question that you were not 100% sure at that point if it was only affecting Win 7 clients.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 2000 total points
ID: 34983985
An additional link that might be of use...

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/12f2761b-457d-4b4d-b0de-8a0ebb4aaeec

See last post on that URL --

0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35008905
Thanks again Llacy80.
This odd behavior began to expand beyond the Windows 7 clients to the point where 100% of the users coming in through TSWeb were failing at which time I rebooted. That seems to have cleared it up. Very odd - nothing in the logs or performance counters would have indicated this would have helped.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 35009318
That is odd... Well, I am glad it is resolved and if it comes back let me know because I have some more ideas on the cause.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 35036835
For anyone that comes across this question - A few of my remote clients were still experiencing problems. Those systems turned out to need to have their dates and times adjusted. Those folks were in the Philippines and had the timezone set to US\Pacific but the date and time set to their local times. Since they are a day ahead and the CRL expires daily it wasn't possible for them to connect.
0
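The clock problem described in the comment above, modelled as an added example (not part of the original thread): a client whose wall clock shows Philippine local time while the OS timezone is still US Pacific believes it is 16 hours later in UTC than it really is, which puts it past the end of a 24-hour CRL validity window. The fixed UTC offsets, the CRL dates and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example offline. Assumption: US Pacific in winter (PST).
PACIFIC = timezone(timedelta(hours=-8), "PST")
MANILA = timezone(timedelta(hours=8), "PHT")


def believed_utc(true_utc, actual_zone, configured_zone):
    """UTC instant a client believes it is when its wall clock shows local
    time in actual_zone but the OS timezone is set to configured_zone."""
    wall = true_utc.astimezone(actual_zone).replace(tzinfo=None)
    return wall.replace(tzinfo=configured_zone).astimezone(timezone.utc)


def crl_status(this_update, next_update, client_utc):
    """Classify a CRL validity window against the client's idea of 'now'."""
    if client_utc < this_update:
        return "not_yet_valid"
    if client_utc > next_update:
        return "expired"
    return "valid"


def diagnose(true_utc, actual_zone, configured_zone, this_update, next_update):
    """Return the client's believed UTC time, its skew, and the CRL status."""
    client_utc = believed_utc(true_utc, actual_zone, configured_zone)
    return {
        "client_utc": client_utc,
        "skew_hours": (client_utc - true_utc) / timedelta(hours=1),
        "status": crl_status(this_update, next_update, client_utc),
    }


# Constructed sample values: a CRL reissued daily with a 24-hour window.
THIS_UPDATE = datetime(2011, 3, 1, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)
TRUE_NOW = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, zone in (("zone matches wall clock", MANILA),
                        ("zone left on US Pacific", PACIFIC)):
        r = diagnose(TRUE_NOW, MANILA, zone, THIS_UPDATE, NEXT_UPDATE)
        print(f"{label}: skew={r['skew_hours']:+.0f}h status={r['status']}")
```

Setting either the timezone or the wall clock so that the two agree brings the skew back to zero and the same CRL back inside its window.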
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35045583
Final solution was a server reboot; all steps up to that point were really good diagnostics.
0
