8

I have been trying to set up an SSTP VPN to my SBS 2011 server and have been battling certificate issues the whole way. I've been able to generate a new certificate for my external VPN address, import it into my client machine, and add my server as a Trusted Certification Authority. Now I get the error:

Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.

When I checked the CRL distribution points on the certificate I saw that the only URLs were to my internal address, so I added another one that points to my external address (leaving the original internal URLs intact). I generated a new certificate, deleted the existing one from my client and imported the new one, restarted RRAS, and verified that SSTP was using my new certificate, but I am still getting the same error.

When I view the details of the certificate that I imported I see that the new external CDP appears in the list (something to the effect of http://mydomain.com/CertEnroll/MYSERVER-CA.crl). When I put that into a web browser I get a message saying the CRL import was successful, which lets me know that the URL is accessible from the outside and is online.

I feel like this is the last stop between me and a secured VPN, what am I missing here?

mclark1129
  • I was able to disable the revocation check using the registry, but this is only a temporary solution to prove that my VPN connection will work. Now, as long as I can figure out this CRL problem, I won't have to ask my users to modify their registries *shudder* :) – mclark1129 Sep 26 '11 at 05:49
  • Aside from flipping revocation checking off (don't leave it that way), what other changes or differences are there? For example, perhaps the VPN session has to be set up in order for you to reach that CRL URL? Perhaps you are using HTTP Auth and there is an active session with the server which is not active for the CRL retrieving process? – Ram Sep 28 '11 at 20:59
  • I am able to download the standard CRL directly from the certificate and paste it into a browser. When I look in the Enterprise PKI snap-in in server management I do see several errors trying to download my delta CRL (MYSERVER-CA+.crl) I cannot access that URL from the browser, but the file itself DOES exist in the CertEnroll virtual directory. I'm not sure if there are some file permissions issues preventing it from being accessible from IIS. – mclark1129 Sep 29 '11 at 00:48
  • The "Unable to Download" errors occur even for my internal addresses (e.g. http://server/CertEnroll/MYSERVER-CA+.crl). I am able to access the regular CRL URL from my browser using the external address with no VPN connection required. – mclark1129 Sep 29 '11 at 00:50
  • As luck would have it, I kept researching the delta CRL issue and found that by default IIS doesn't allow double escaping (which means the + sign in the delta CRL name could not be resolved). Once I enabled it, the "unable to download" errors cleared up and I can now connect to my SSTP VPN with the revocation check enabled! http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx – mclark1129 Sep 29 '11 at 01:09

1 Answer

6

The issue was that I was unable to access the delta CRL file through IIS 7. This was due to the '+' sign in the file name MYSERVER-CA+.crl. By default IIS 7 sets the property allowDoubleEscaping to False, and this must be enabled so that IIS can serve up this file.

In IIS 7, I went into the Default Web Site, navigated to the CertEnroll virtual directory and enabled the property in the Configuration Editor. Below is a link to set this through a command line:

http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx

Once I did this my issue was finally resolved!

mclark1129
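The procedure in the accepted answer, as an added PowerShell example that is not part of the original question or answer: it scopes the allowDoubleEscaping change to the CertEnroll virtual directory (rather than the whole site, since double-escaping protection is a request-filtering defence that the other applications on the site should keep), then checks that both the base CRL and the '+'-named delta CRL actually come back as DER over the external name, and finally lets CryptoAPI repeat the fetch with certutil. The site name "Default Web Site", the URLs http://mydomain.com/CertEnroll/MYSERVER-CA.crl and MYSERVER-CA+.crl (as given in the question), the exported server certificate path C:\temp\sstp.cer, and the name of the client-side registry override (the comments only say "the registry"; the SstpSvc NoCertRevocationCheck value is my assumption) are all assumptions.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on the
# SBS 2011 / IIS 7 host. Assumptions (labelled): site name, URLs, certificate path,
# and the registry value name in step 4.
Import-Module WebAdministration

$vdir   = 'IIS:\Sites\Default Web Site\CertEnroll'   # assumption: where CertEnroll lives
$filter = 'system.webServer/security/requestFiltering'

# 1. Enable double escaping for CertEnroll only. The '+' in the delta CRL file name is the
#    only reason it is needed; leaving it off for the rest of the site keeps request
#    filtering's protection against double-encoded paths for every other application.
$before = (Get-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name allowDoubleEscaping).Value
Write-Host "allowDoubleEscaping on CertEnroll before: $before"
Set-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name allowDoubleEscaping -Value $true
$after  = (Get-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name allowDoubleEscaping).Value
Write-Host "allowDoubleEscaping on CertEnroll after:  $after"

# 2. Fetch the base CRL and the delta CRL over the external name, the way a VPN client
#    would, with no VPN session up. A DER-encoded CRL starts with the ASN.1 SEQUENCE tag
#    0x30; an HTML 404 page from request filtering does not, so check the first byte too.
$base  = 'http://mydomain.com/CertEnroll/MYSERVER-CA.crl'    # URL from the question
$delta = 'http://mydomain.com/CertEnroll/MYSERVER-CA+.crl'   # delta CRL; '+' sent literally
$wc = New-Object System.Net.WebClient
foreach ($url in @($base, $delta)) {
    try {
        $bytes = $wc.DownloadData($url)
        $isDer = ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30)
        Write-Host ("{0,-55} {1,6} bytes  DER={2}" -f $url, $bytes.Length, $isDer)
        if (-not $isDer) { Write-Warning "$url did not return a DER CRL body" }
    } catch {
        Write-Warning ("{0} failed: {1}" -f $url, $_.Exception.Message)
    }
}

# 3. Let CryptoAPI do the real check. -urlfetch retrieves every CDP and AIA URL in the
#    chain and prints a per-URL Verified/Failed line, so a broken delta CRL shows up even
#    when the base CRL downloads fine. Assumption: the SSTP server cert was exported here.
certutil -verify -urlfetch C:\temp\sstp.cer

# 4. The temporary client-side workaround mentioned in the comments has to be removed
#    before a successful SSTP connection proves anything. Assumption: the override used
#    was the SstpSvc NoCertRevocationCheck value. Run this part on the client.
$sstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$props = Get-ItemProperty -Path $sstpKey -ErrorAction SilentlyContinue
if ($props -and $props.NoCertRevocationCheck) {
    Remove-ItemProperty -Path $sstpKey -Name NoCertRevocationCheck
    Write-Host "Removed NoCertRevocationCheck override; restart the SstpSvc service before retesting."
}
```

The first-byte check in step 2 matters because IIS answers a filtered request with a 404 HTML page, which a plain "did the download succeed" test can miss if a proxy or error page handler returns 200; step 3 is the authoritative test, since it exercises the same revocation code path (including delta CRL retrieval) that the SSTP client uses when it raises 0x80092013.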