Solved

RemoteApp - GoDaddy Revocation Checklist

Posted on 2011-02-24
Last Modified: 2012-06-27
I have a production terminal server running Server 2008 and publishing a few RemoteApps. The same system provides TS gateway, web access, network policy server, everything. The site is published through an ISA 2006 server. All publishing is performed with a GoDaddy certificate. I have verified that the certificate and its intermediate root are published correctly.

Recently a few of my clients have been receiving "a revocation check could not be performed for the certificate". I'm not 100% sure but I believe the problem is restricted to Windows 7 clients. The CRL path in the certificate is http://crl.godaddy.com/gds1-18.crl. Uptrends.com doesn't indicate any connectivity problems with this path so I'm at a loss as to the cause of this problem. I'm really at a loss. How can I correct this?
Question by:timbrigham
14 Comments
 
LVL 4

Expert Comment

by:Llacy80
ID: 34970647
Hi. Please go to Remote Desktop Session Host Configuration and right click on RDP-TCP under connections. Go to Properties, on the general tab at the bottom does the correct name of your certificate appear?

0
 
LVL 1

Author Comment

by:timbrigham
ID: 34970712
It does. I've also verified that the correct certificate is used in the ISA, IIS and RemoteApp digital signature pages.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34970795
Ok. On that same setting that I mentioned earlier, I ended up having to click Default --> to set it to Auto Generated only on that configuration setting; all others pointed to the third party cert. It worked for me and the revocation error disappeared for my win 7 clients. Since it is a production server, you may try it during off hours when no one is connected to it.

0

 
LVL 1

Author Comment

by:timbrigham
ID: 34974129
Unfortunately that didn't do the trick. I actually locked myself out of the remoteapps entirely.
I'm going to try adding "enablecredsspsupport:i:0" to my options (per http://blog.wapnet.nl/2010/11/a-revocation-check-could-not-be-performed-for-the-certificate/) to see if it helps.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34974168
Ok. Let me know if it works. The information I provided above worked for me so perhaps our setup is a little different and that is why it did not work for you. It was worth a shot and I am sure you were able to change it right back to the third party certificate to access the remoteapps again. Let me do some searching around and see if there are any other fixes for it.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34974292
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34980415
It looks like this problem may be related to Windows 7 SP 1 - http://forum.wegotserved.com/index.php/topic/17786-win7-sp1-rdp-certificate-error/.

I'm going to install on a test box and see if I can reproduce this error.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 34983478
I wasn't able to replicate this problem on my test box. I did however come across a hotfix from MS that looks like it may be of some use. http://support.microsoft.com/kb/2203302. There were a couple references to a hotfix as a potential solution for this problem. I believe this is the right one.

The GoDaddy certificate does use an intermediate certificate in the chain. I think at this point I'll wait to get onto one of the remote computers experiencing this issue and give this hotfix a go. If not I'm at a total loss. Thanks for your help Llacy80.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34983895
Hi. Were you able to verify that it is indeed only an issue with Windows 7 clients? You posted in your original question that you were not 100% sure at that point if it was only affecting Win 7 clients.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 500 total points
ID: 34983985
An additional link that might be of use...

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/12f2761b-457d-4b4d-b0de-8a0ebb4aaeec

See last post on that URL --

0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35008905
Thanks again Llacy80.
This odd behavior began to expand beyond the Windows 7 clients to the point where 100% of the users coming in through TSWeb were failing, at which time I rebooted. That seems to have cleared it up. Very odd - nothing in the logs or performance counters would have indicated this would have helped.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 35009318
That is odd...Well I am glad it is resolved and if it comes back let me know because I have some more ideas on the cause.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 35036835
For anyone that comes across this question - a few of my remote clients were still experiencing problems. Those systems turned out to need to have their dates and times adjusted. Those folks were in the Philippines and had the timezone set to US\Pacific but the date and time set to their local times. Since they are a day ahead and the CRL expires daily, it wasn't possible for them to connect.
0
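The clock problem described in the comment above can be modelled directly. This is an added example, not part of the original thread: it computes the UTC instant a client derives from its wall clock and configured timezone, then compares it with a CRL's thisUpdate/nextUpdate window. The function names, the fixed UTC-8 and UTC+8 offsets, and the 24-hour CRL window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CRL validity window (24 hours, per "the CRL expires daily").
THIS_UPDATE = datetime(2011, 3, 1, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2011, 3, 2, 0, 0, tzinfo=timezone.utc)


def effective_utc(wall_clock, utc_offset_hours):
    """UTC instant implied by a naive wall-clock reading in the given zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=zone).astimezone(timezone.utc)


def crl_status(now_utc, this_update, next_update):
    """Classify a CRL the way a validity-window check would at now_utc."""
    if now_utc < this_update:
        return "not-yet-valid"
    if now_utc > next_update:
        return "expired"
    return "current"


def diagnose(wall_clock, configured_offset, true_offset, this_update, next_update):
    """Compare what the client believes with what is actually true.

    wall_clock        -- the time shown on the client (naive datetime)
    configured_offset -- UTC offset of the timezone set in the OS
    true_offset       -- UTC offset of where the wall clock was read from
    """
    believed = effective_utc(wall_clock, configured_offset)
    actual = effective_utc(wall_clock, true_offset)
    return {
        "skew": believed - actual,
        "believed_status": crl_status(believed, this_update, next_update),
        "actual_status": crl_status(actual, this_update, next_update),
    }


if __name__ == "__main__":
    # Wall clock shows Manila local time, but the OS zone is set to Pacific.
    result = diagnose(datetime(2011, 3, 1, 18, 0), -8, 8, THIS_UPDATE, NEXT_UPDATE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A client whose believed status differs from the actual status needs its timezone or clock corrected; nothing on the server or at the CA has to change.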
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35045583
Final solution was a server reboot; all steps up to that point were really good diagnostics.
0

Question has a verified solution.
