Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,613 questions
The revocation function was unable to check revocation because the revocation server was offline on application hosted on IIS
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 28.000000000000004%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Adrian Adamiak
15
Reputation points Microsoft Vendor
I have a very specific issue with my application. Currently, I host the .net core web service on the IIS on the machine installed in the domain. We use Windows Server 2019. The application connects to the service from our domain but the connection is checked and available. The firewall rules were set to enable it. The service has enabled revocation chain validation for the SSL domain certificate of the given service. I added additional tracing to my app and I see that it fails for each certificate in the chain with the error "The revocation function was unable to check revocation because the revocation server was offline". I checked the OCSP and CLR URLs with telnet and they are accessible by the given user. My service is installed on the application pool authorized by the identity from the domain. The user is not added to the machine administrators but its added to the groups:
- Certificate Service DCOM Access (added for testing but didn't help)
- Cryptographic Operators
- IIS_IUSRS
I see that the root certificate is installed in the LocalComputer/Trusted Root Certification Authorities and the intermediate certificate is installed in the LocalComputer\Intermediate Certification Authorities. The domain certificate contains the OCSP and CLR URLs. Both are accessible to the user. The intermediate certificate contains the same CLR URL. I used certutil to test CLR validation and it works correctly. (Logged in powershell as the given user)
certutil -URL "url"
certutl -verify "ssl.cer"
I used the OpenSSL ocsp tool to test OCSP validation and it passed with OCSP Response Status: successful.
(https://akshayranganath.github.io/OCSP-Validation-With-Openssl/)
I thought it could be the SSL version limitations but the OCSP and CLR use the unencrypted HTTP protocol, What is important when I check the disk cache with
certutil -v -urlcache
I don't see the cache for the given clrs in the location C:\Users{user}\AppData\LocalLow\Microsoft\CryptnetUrlCache. Although when I retrieve CLR with the command
certutil -URL "url"
the cache entry is created and the service can validate the certificate revocation for some time. When I restart the IIS service, the error disappears too but after some time (about 3 hours) I can see the error again. What is important, on different machines it works. Only the difference is that the user is added to the administrators. I can't find any documentation on whether it's required and my preference is to not give admin privileges to IIS users.
What I noticed additionally, when I run PowerShell session as the given user, the problem disappears for 3 hours. After that time, it shows again.
I tried to add permissions to the shared disk cache with no result
read for - C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\
write for C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
Do you have any suggestions what could be the potential issues? I checked event logs and there is no evidence of the specific issue.
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 80%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
Johan Hafvenström 0 Reputation points2023-04-15T09:23:44.8933333+00:00 I have seen the same problem with multiple Windows servers like Skype frontend, RDGW´s and others with IIS installed. Currently, I am debugging why we get Eventid 39 on DC´s intermittently for some IIS servers (Multiple Domains in Compability mode för UserKeyMapping , https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 ) and I also want to know how to solve this issue, as it is related to certificate chain. The errors are also in the CAPI2 log. I have used the tools as above for 'debugging' with same result
-
Adrian Adamiak 15 Reputation points Microsoft Vendor
2023-04-19T09:28:26.2333333+00:00 @Johan Hafvenström
I have just enabled CAPI2 logs and I found a different error with Event ID 39 which looks a slightly different- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> <EventID>60</EventID> <Version>0</Version> <Level>2</Level> <Task>60</Task> <Opcode>0</Opcode> <Keywords>0x4000000000000100</Keywords> <TimeCreated SystemTime="2023-04-19T09:12:37.613139200Z" /> <EventRecordID>17527</EventRecordID> <Correlation ActivityID="{d5d4ab88-8ecc-4f5b-908b-ad07c03ffbe4}" /> <Execution ProcessID="11464" ThreadID="6540" /> <Channel>Microsoft-Windows-CAPI2/Operational</Channel> <Computer>NET00000644.mf.gov.pl</Computer> <Security UserID="S-1-5-21-1525952054-1005573771-2909822258-408438" /> </System> - <UserData> - <CertificateStore> <Store type="CERT_STORE_PROV_SYSTEM_W" constant="10" location="CERT_SYSTEM_STORE_LOCAL_MACHINE_ID">AddressBook</Store> <Flags value="2C000" CERT_STORE_READONLY_FLAG="true" CERT_STORE_OPEN_EXISTING_FLAG="true" /> <EventAuxInfo ProcessName="w3wp.exe" /> <CorrelationAuxInfo TaskId="{1E1681DC-E9CE-4AEA-9D5A-C66EC140C202}" SeqNumber="1" /> <Result value="2">The system cannot find the file specified.</Result> </CertificateStore> </UserData> </Event> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> <EventID>53</EventID> <Version>0</Version> <Level>2</Level> <Task>53</Task> <Opcode>2</Opcode> <Keywords>0x4000000000000036</Keywords> <TimeCreated SystemTime="2023-04-19T15:12:26.951701600Z" /> <EventRecordID>93533</EventRecordID> <Correlation /> <Execution ProcessID="11464" ThreadID="10656" /> <Channel>Microsoft-Windows-CAPI2/Operational</Channel> <Computer>NET00000644.mf.gov.pl</Computer> <Security UserID="S-1-5-21-1525952054-1005573771-2909822258-408438" /> </System> - <UserData> - <CryptRetrieveObjectByUrlWire> <URL scheme="http">http://urlhere/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBS5xO7XtiSujkx%2FSG3nQqEMQPlZTQQUfR%2Bt1nzLSol4VWy6EPLtM9Yxus0CE2MAA%2FCOGz%2F%2F0t%2BhtSEAAQAD8I4%3D</URL> <Object type="CONTEXT_OID_OCSP_RESP" constant="6" /> <Timeout>PT15S</Timeout> <Flags value="202004" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true" /> <AuxInfo maxUrlRetrievalByteCount="104857600" cacheFileNamePrefix="53522CFD2721178B362346952DFE900A_" /> - <AdditionalInfo> - <Action name="Call_WinHttpOpen"> <Error value="3FA">Illegal operation attempted on a registry key that has been marked for deletion.</Error> </Action> </AdditionalInfo> <EventAuxInfo ProcessName="w3wp.exe" /> <CorrelationAuxInfo TaskId="{083CE273-6A9D-4F3E-BB76-31C370F81E0F}" SeqNumber="10" /> <Result value="3FA">Illegal operation attempted on a registry key that has been marked for deletion.</Result> </CryptRetrieveObjectByUrlWire> </UserData> </Event>
Sign in to comment