AzureAD CBA error AADSTS2205013: CRL Download not allowed

Question

AzureAD CBA error AADSTS2205013: CRL Download not allowed

Egor Emeliyanov 46

We are testing AzureAD certificate-based authentication and mostly it works flawlessly. However in about 1 case out of 20 on one of our tenants we're getting this error "AADSTS2205013: CRL Download not allowed" that I couldn't find any troubleshooting steps for this.

We're using managed CA from GCP and it publishes CRL in a Google storage account. I did a stress test to download CRL 1000 times and every attempt was successful. I left "delta CRL" setting blank as GCP doesn't provide it and strictly speaking it's even more optional than CRL.

Can anyone from Microsoft enlighten me what this error code refers to specifically? Thank you!

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-03-15T08:06:16.2666667+00:00

@Egor Emeliyanov Thank you for reaching out to us, let me check with my team internally on this error AADSTS2205013 and revert back with the findings.
39035473 0 Reputation points

2023-04-17T19:41:48.98+00:00

Ergor/Givary--We have the same problem. A few times a week (seemingly randomly), a user is stuck because of a 2205013 sign-in error. This is still happening as of yesterday (4/16/2023), so did the fix you planned for March get pushed out yet? The error code is certainly more specific now in the last couple of weeks at least (it used to come up as 50017, with many possible options). Please advise, thanks.
Egor Emeliyanov 46 Reputation points

2023-05-01T15:37:01.15+00:00

We're still seeing this error as of last week, so it's not just you -- this hasn't been completely fixed yet.

Accepted answer

2 additional answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-03-15T08:06:16.2666667+00:00

@Egor Emeliyanov Thank you for reaching out to us, let me check with my team internally on this error AADSTS2205013 and revert back with the findings.
39035473 0 Reputation points

2023-04-17T19:41:48.98+00:00

Ergor/Givary--We have the same problem. A few times a week (seemingly randomly), a user is stuck because of a 2205013 sign-in error. This is still happening as of yesterday (4/16/2023), so did the fix you planned for March get pushed out yet? The error code is certainly more specific now in the last couple of weeks at least (it used to come up as 50017, with many possible options). Please advise, thanks.
Egor Emeliyanov 46 Reputation points

2023-05-01T15:37:01.15+00:00

We're still seeing this error as of last week, so it's not just you -- this hasn't been completely fixed yet.

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@Egor Emeliyanov Researched on your query - AADSTS2205013: CRL Download not allowed, also few other customers reported the similar issue in the month of feb, this was further investigated by our engineering team and the reason behind this error is CRL download not allowed - usually occurs when the CRL in system is expired and you are trying to download the fresh CRL during the authentication. We have a lock in place - when more than one user is trying to download the same CRL - Then we throw this exception.

Our team came up with a fix to mitigate this behavior, currently in a deployment phase, should be deployed to all our datacenters by end of next week.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Egor Emeliyanov 46 Reputation points

2023-03-16T03:02:19.22+00:00

Thank you very much, I confirmed this is the case with Azure support. I originally thought CRL refreshes happen on a 24-hr schedule independent of the sign-in process. Will look forward to a fix.
39035473 0 Reputation points

2023-04-17T19:38:07.2333333+00:00

I am facing the same issue. We use Ivanti Mobileiron for MDM and use their CRL for our CBA. We have 2 or 3 users per week that end up with Error 2205013 and we have to re-push their whole Exchange profile (w/new cert) to get around it. Has that fix been deployed yet or was it delayed? This is still happening to us periodically as of yesterday (4/16/2023), 2 users came across it. So did the fix you planned for March get pushed out yet? The error code is at least more specific now in the last couple of weeks at least (it used to come up as 50017, with many possible options). Please advise, thanks.

Answer 2

Florian Kaumanns 0

Givary -- For us the issue still persists (see attached screenshot). Please note that this a setup in my lab tenant and as such I am sure that there is only one person -me- authenticating, i.e. this issue described above should not be relevant in this case.

Are there any other recommendations or ideas on how this can be fixed. Or are you aware of issues in the backend?

Appreciate your help on this!

Screenshot 2023-05-15 at 12.58.52

Answer 3

Shaikh, Juned 0

We are still seeing this issue - has the fix been applied?

Share via

AzureAD CBA error AADSTS2205013: CRL Download not allowed

2 additional answers

Your answer