YubiKey: the revocation status of the domain controller certificate used for smart card authentication could not be determined

John D 36 Reputation points
2023-04-28T14:52:21.46+00:00

I found a similar issue to what I am seeing but unfortunately not able to determine the cause.

https://social.technet.microsoft.com/Forums/en-US/6a152b22-2010-4923-8675-2cad55bfc117/smart-card-yubikey-certutil-the-revocation-function-was-unable-to-check-revocation-because-the?forum=winserversecurity

The issue I am having is below, and TIA for any help or guidance!

Trying to set up YubiKeys to authenticate to servers, to add MFA to all server access.

YubiKeys work fine for the local workstation, but when trying to access a server via RDP I am getting the following error:

"The revocation status of the domain controller certificate used for smart card authentication could not be determined"

The YubiKey minidriver is installed on the client and the destination server.

Downloaded the certificate assigned to the user, and checking it with certutil passed - certutil -verify -urlfetch

CRL looks good from what I can tell.

PKIVIEW.MSC on the CA looks good - no errors.

One thing that was weird: I ran certutil -url c:\test.cer, and when I hit Retrieve from CDP it's all good, but when I retrieve from AIA the first time I get Revocation Check Failed; I click Retrieve again and immediately get Verified. I can reproduce this over and over again: close the utility, click Retrieve and I get Failed, then Retrieve again and it changes to Verified. Not sure what that is from, but it seems weird.


Also ran:

--

certutil -verify -urlfetch c:\test.cer
Issuer:
    CN=**redacted**
    DC=**redacted**
    DC=LOCAL
  Name Hash(sha1): b894e73a900c96f2b7e367205419d4ab6c1c667e
  Name Hash(md5): bd8cffd03e09aa94dacee5baeaae3163
Subject:
    CN=**redacted**
    OU=Admins
    DC=**redacted**
    DC=LOCAL
  Name Hash(sha1): ef96fbbae04390a7dfa3786345ee13ab2d3b6fa2
  Name Hash(md5): eaf4a4c67204f1958d0c1c0477887c71
Cert Serial Number: 67000244d4246233c604b2e0ed0005000244d4

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 19 Hours, 43 Minutes, 19 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 19 Hours, 43 Minutes, 19 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=**redacted**
  NotBefore: 4/28/2023 8:26 AM
  NotAfter: 4/27/2026 8:26 AM
  Subject: **redacted**
  Serial: 67000244d4246233c604b2e0ed0005000244d4
  SubjectAltName: Other Name:Principal Name=**redacted**
  Template: **redacted**
  Cert: 626febbc6a6c1e6ae0bfb98a648cda7daafa5c72
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 6951754a6a22e05a076dfdc5b74eab253dd08f3d
    [0.0] ldap:///**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 894bd09be9a4ec3cf39c6f56f93693b7c624183a
    [0.1] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0b0d)" Time: 0 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
    [0.0] ldap:///CN=**redacted**(1),CN=CERTSUB19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [0.0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [0.0.1] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl

  Verified "Base CRL (0b0d)" Time: 0 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
    [1.0] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1).crl

  Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [1.0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [1.0.1] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (0b0f)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (0b0f)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
    [1.0] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 0b0d:
    Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
    ThisUpdate: 4/19/2023 2:38 PM
    NextUpdate: 5/20/2023 2:58 AM
    CRL: 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
    Delta CRL 0b0e:
    Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
    ThisUpdate: 4/26/2023 2:38 PM
    NextUpdate: 5/4/2023 2:58 AM
    CRL: f7df98af8458c5a238cc158154fdc1b54fe33ea1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
  NotBefore: 2/16/2023 11:09 AM
  NotAfter: 2/15/2028 11:09 AM
  Subject: CN=**redacted**, DC=**redacted**, DC=LOCAL
  Serial: 4a0000016e6ef7621a9a1a71f800020000016e
  Template: SubCA
  Cert: 894bd09be9a4ec3cf39c6f56f93693b7c624183a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 ee48b58b1c54e1354dcbd5d41a7e0e482ccfa2f2
    [0.0] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0 96e5561470a76fe29081dc35d20bcb0e535094d7
    [0.1] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (2)" Time: 0 84503f8540df33611a66fdc53804e7f2f17f6e81
    [0.2] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (3)" Time: 0 c17645220c61d655a03f3bebfafabe723c4a90c8
    [0.3] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  Wrong Issuer "Certificate (4)" Time: 0 11f2da7f1f4a51fd3f813014f9825d2f06f9aca4
    [0.4] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0b3b)" Time: 0 88258425b30cf8a2c6236cfe675781570fecac60
    [0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (0b3b)" Time: 0 c4191a687c47cae5e02cb5504a3f6695f9de9a61
    [0.0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (0b3b)" Time: 0 c4191a687c47cae5e02cb5504a3f6695f9de9a61
    [0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 0b3b:
    Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
    ThisUpdate: 4/27/2023 11:30 AM
    NextUpdate: 5/11/2023 11:50 PM
    CRL: 88258425b30cf8a2c6236cfe675781570fecac60
    Delta CRL 0b3b:
    Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
    ThisUpdate: 4/27/2023 11:30 AM
    NextUpdate: 4/28/2023 11:50 PM
    CRL: c4191a687c47cae5e02cb5504a3f6695f9de9a61

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
  NotBefore: 7/8/2015 9:47 AM
  NotAfter: 9/14/2031 7:57 AM
  Subject: CN=**redacted**, DC=**redacted**, DC=LOCAL
  Serial: 4b1df556819a54a3453ba221c5687e15
  Template: CA
  Cert: 84503f8540df33611a66fdc53804e7f2f17f6e81
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 7692940da088ea05998fe805d58ff8ab2f394094
Full chain:
  Chain: 263db87757ad1c95410e66af94a429bb6193168a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
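The trace above verifies the user's certificate, while the error text names the domain controller's certificate, which Windows validates in the machine context when it processes the smart card logon. The following PowerShell script is an added example, not part of the original post: it replays that check on the machine that reports the error, using the same settings the posted certutil trace shows (HCCE_LOCAL_MACHINE, online fetch, CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT). It assumes the DC certificate has been exported from the DC's Cert:\LocalMachine\My store to C:\dc.cer (a placeholder path).

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Placeholder path (assumption): the DC's own certificate, exported as DER/Base64 .cer
$CertPath = 'C:\dc.cer'
$cert = [X509Certificate2]::new($CertPath)

# 1. A DC certificate used for smart card logon needs Server Authentication
#    (1.3.6.1.5.5.7.3.1) and KDC Authentication (1.3.6.1.5.2.3.5).
$ekus = $cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages.Value }
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.2.3.5') {
    $state = if ($ekus -contains $oid) { 'OK     ' } else { 'MISSING' }
    '{0} EKU {1}' -f $state, $oid
}

# 2. Build the chain the way the logon code path does: machine context ($true),
#    online CRL/OCSP retrieval, revocation checked on every element except the root.
$chain = [X509Chain]::new($true)
$chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.VerificationFlags   = [X509VerificationFlags]::NoFlag
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$built = $chain.Build($cert)
'Chain build: {0}' -f $(if ($built) { 'PASS' } else { 'FAIL' })

# 3. Per-element status. RevocationStatusUnknown or OfflineRevocation on any
#    element is the programmatic form of "revocation status could not be determined";
#    the element it appears on tells you which CDP/AIA the machine cannot reach.
foreach ($el in $chain.ChainElements) {
    '  ' + $el.Certificate.Subject
    foreach ($s in $el.ChainElementStatus) {
        '    {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
}
$chain.Reset()
```

Run it from an elevated prompt on the client (or server) that shows the error; building the chain a second time with `[X509Chain]::new($false)` shows whether the user context, where certutil -verify was run, sees a different CRL cache than the machine context.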



1 answer

  1. Limitless Technology 44,371 Reputation points
    2023-05-02T11:48:33.46+00:00

    Hello there,

    To find the cause, maybe you can use Windows tools to backtrack the process.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. You can get the tool from here:

    https://docs.microsoft.com/enus/sysinternals/downloads/procmon

    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here:

    https://docs.microsoft.com/enus/sysinternals/downloads/sysmon

    Also make sure that the OCSP service is running and that a valid certificate revocation list (CRL) is available in Active Directory (AD). Try to log in on another computer to see if you get the same result.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
