troubleshooting Question
Remote Desktop Connection triggers "A revocation check could not be performed for the certificate" from systems not part of Active Directory Domain
bluemercury
asked on
asked on
At my firm, we have various remote workers who utilise a combination of L2TP/IPSec VPN and MS Remote Desktop Connection to connect directly to their workstation onsite. In the wake of the coronavirus implications, I am having to expand to our full (generally less technically minded) workforce very quickly, so want to get rid of a unhelpful error message on connecting.
Some quick facts:
1) I have a AD integrated Certificate Server, already correctly configured to issue certificates appropriate for use in the Remote Desktop setup
2) I have applied the appropriate settings through Group Policy to apply the Certificate Template, and also things like enforcing SSL, etc.
3) Connections are straight from the RDC client to the workstation, no brokers or anything like that.
4) Users connecting in from home are NOT part of the Active Directory Domain.
When a user tries to connect in, they get the following warning:
"A revocation check could not be performed for the certificate". If they ignore this, the connection is then successful.
On closer inspection of the Certificate being served up to the RDC, the CRL Distribution Point they are being served is based on LDAP. As they are not part of the AD Domain, my feeling is that this LDAP location is probably inaccessible due to a lack of valid authentication.
I'm aware I can change settings on the CA server properties, but I'm weary of doing this as I do not want to break our domain in any way. What would be ideal would be for someone to talk me through exactly what I can do to make an http based CRL Distribution point and set it as the priority served up to RDC clients when they try and connect from outside the domain, so they can check for Certificate Revocation without needing AD authentication.
Many thanks in advance :-)
Some quick facts:
1) I have a AD integrated Certificate Server, already correctly configured to issue certificates appropriate for use in the Remote Desktop setup
2) I have applied the appropriate settings through Group Policy to apply the Certificate Template, and also things like enforcing SSL, etc.
3) Connections are straight from the RDC client to the workstation, no brokers or anything like that.
4) Users connecting in from home are NOT part of the Active Directory Domain.
When a user tries to connect in, they get the following warning:
"A revocation check could not be performed for the certificate". If they ignore this, the connection is then successful.
On closer inspection of the Certificate being served up to the RDC, the CRL Distribution Point they are being served is based on LDAP. As they are not part of the AD Domain, my feeling is that this LDAP location is probably inaccessible due to a lack of valid authentication.
I'm aware I can change settings on the CA server properties, but I'm weary of doing this as I do not want to break our domain in any way. What would be ideal would be for someone to talk me through exactly what I can do to make an http based CRL Distribution point and set it as the priority served up to RDC clients when they try and connect from outside the domain, so they can check for Certificate Revocation without needing AD authentication.
Many thanks in advance :-)
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 5 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.