joedelapaz
asked on
PKI - Wireless Clients Unable to Logon due to unavailable revocation server
Hello Gurus,
I am having issues connecting my wireless laptops to the network.
This is the error message that I get on my IAS server:
User host/Laptop1.abc.com was denied access.
Fully-Qualified-User-Name = abc.com/Workstation Accounts/Secured Notebooks/Laptop1
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
Called-Station-Identifier = A.B.C.D
Calling-Station-Identifier = A.B.C.D
Client-Friendly-Name = WIRELESS
Client-IP-Address = x.x.x.x
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = WIRELESS
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 259
Reason = The revocation function was unable to check revocation because the revocation server was offline.
I have restarted the IAS server and tested that I can get get to IASServer\certsrv. This works fine.
I installed this patch from Microsoft to resolve an schannel issue - WindowsServer2003-KB933430 -x86-ENU.e xe on the IAS server. This patch resolved the schannel issue but moved on to the error listed above.
Your assistance is greatly appreciated.
Thanks,
Joe
I am having issues connecting my wireless laptops to the network.
This is the error message that I get on my IAS server:
User host/Laptop1.abc.com was denied access.
Fully-Qualified-User-Name = abc.com/Workstation Accounts/Secured Notebooks/Laptop1
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
Called-Station-Identifier = A.B.C.D
Calling-Station-Identifier
Client-Friendly-Name = WIRELESS
Client-IP-Address = x.x.x.x
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = WIRELESS
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 259
Reason = The revocation function was unable to check revocation because the revocation server was offline.
I have restarted the IAS server and tested that I can get get to IASServer\certsrv. This works fine.
I installed this patch from Microsoft to resolve an schannel issue - WindowsServer2003-KB933430
Your assistance is greatly appreciated.
Thanks,
Joe
So has a crl been published to the device thats checking for revoked certs? When you say you have tested it, how did yoi test? Whats the dste on the crl server?
What happens when you disable crl checking? Can clients login then?
Steve
What happens when you disable crl checking? Can clients login then?
Steve
ASKER
Hi Steve,
Certificate Services is not my strong suit. However, this is what I've got so far.
I have tested that I can get to CertServer\certsrv and manually download certificates and crls.
The Issuing CA certificate does not expire until 2016.
The next update on the CRL is this Thur Sept 15, 2011
Time on the CRL server is synced successfully with AD.
I tried disabling CRL checking on the CertServer using - http://technet.microsoft.com/en-us/library/cc775782(WS.10).aspx and trying to update the MD_CERT_NO_REVOC_CHECK value.
However, I got this warning message instead.
The property (MD_CERT_NO_REVOC_CHECK) is not valid for the class it has been associated with. This property will be ignored. Incorrect XML:MD_CERT_NO_REVOC_CHECK
ErrorCode : 0x80210523
Interceptor : 14
OperationType : Populate
Table : MBProperty
ConfigurationSource : C:\WINDOWS\system32\inetsr v\EditWhil eRunning_M etabase.xm l
MajorVersion : 274
I can download the crl manually onto the laptop without any issues.
Certificate Services is not my strong suit. However, this is what I've got so far.
I have tested that I can get to CertServer\certsrv and manually download certificates and crls.
The Issuing CA certificate does not expire until 2016.
The next update on the CRL is this Thur Sept 15, 2011
Time on the CRL server is synced successfully with AD.
I tried disabling CRL checking on the CertServer using - http://technet.microsoft.com/en-us/library/cc775782(WS.10).aspx and trying to update the MD_CERT_NO_REVOC_CHECK value.
However, I got this warning message instead.
The property (MD_CERT_NO_REVOC_CHECK) is not valid for the class it has been associated with. This property will be ignored. Incorrect XML:MD_CERT_NO_REVOC_CHECK
ErrorCode : 0x80210523
Interceptor : 14
OperationType : Populate
Table : MBProperty
ConfigurationSource : C:\WINDOWS\system32\inetsr
MajorVersion : 274
I can download the crl manually onto the laptop without any issues.
Well, if nobody can log in it usually means the cache period has expired on the crl and the crl/ca cant be reached. Thats the default behavior. Is the server you are checking the crl at dual homed? Like the crl can be reached from one nic but not the other?
Steve
Steve
ASKER
Hi Steve,
It's got a dual nic that uses HP Nic teaming.
But no, the crl is reachable from either nic.
Cheers,
Joe
It's got a dual nic that uses HP Nic teaming.
But no, the crl is reachable from either nic.
Cheers,
Joe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I ended up rebuilding the PKI environment in order to get this back up and running. Root cause unknown.
ASKER
I have restarted the IAS server and the Certificate servers and tested that I can get get to CertServer\certsrv. This works fine. I can download certs and crls from this location and install it. I don't know why it thinks that the revocation server is down.