Event ID 18 — AD CS Online Responder Service

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 18
Source: Microsoft-Windows-OnlineResponderRevocationProvider
Version: 6.0
Symbolic Name: MSG_E_MISMATCHED_BASE_DELTA_CRL
Message: For configuration %1, the Online Responder revocation provider found a delta CRL that refers to a newer base CRL.

Resolve

Ensure that the delta CRL version matches the base CRL version

A delta certificate revocation list (CRL) can only be used with a corresponding base CRL. To ensure that the delta CRL version matches the base CRL version:

  • Check for CRL publishing errors on the certification authority (CA).
  • Republish base and delta CRLs.
  • Check and update local CRLs on the Online Responder computer.
  • Refresh and update revocation information on the Online Responder.
  • Confirm that the configured CRL distribution points on the CA and Online Responder use the same location.
  • Update revocation information.
  • If the problem persists, use CryptoAPI 2.0 Diagnostics to obtain additional information about the problem.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Check for CRL publishing errors on the CA

To check for CRL publishing errors on the CA:

  1. On the CA, click Start, point to Administrative Tools, and click Event Viewer.
  2. Check for additional errors or warnings related to CRL publishing. For more information, see https://go.microsoft.com/fwlink/?LinkId=102985.
  3. Resolve any problems identified, and republish both the base and delta CRLs.

Republish base and delta CRLs

To republish base and delta CRLs:

  1. Open a command prompt window on the CA.
  2. Type certutil -crl and press ENTER.
  3. Confirm that no further errors or events are logged.

Check and update local CRLs on the Online Responder computer

To ensure that current base and delta CRLs are available on the Online Responder:

  1. On the computer hosting the Online Responder, click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Service account, and click Next.
  5. In Select Service, click Online Responder Service, click Finish, and then click OK.
  6. Select the Certificate Revocation List folder for either the Intermediate Certification Authorities or Trusted Root Certification Authorities containers, depending on the type of CA that supports the Online Responder service.
  7. Check the BaseCRLNumber specified in the delta CRL indicator extension of the delta CRL. This number should reference the version number of a published base CRL.
  8. If this number does not match the version number of a published base CRL, republish both the base and delta CRLs by opening a command prompt window on the CA and running the following command: certutil -crl.
  9. Retrieve updated CRL data on the Online Responder. To do this, restart the Online Responder service on each Array member or right-click Array configuration in the Online Responder snap-in, and click Refresh Revocation Data. Then confirm that the base and delta CRL version numbers match.
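The comparison in step 7 is mechanical and can be scripted for the CRL files an Online Responder actually holds. The following Python is an added example and is not code from the Microsoft page or from Windows; it uses only the standard library, constructs two sample CRLs in DER (the issuer name, dates and CRL numbers are invented and the signature is a placeholder, so nothing is signed or verified), and then reads the CRL Number extension (2.5.29.20) of the base CRL and the Delta CRL Indicator extension (2.5.29.27, the BaseCRLNumber) of the delta CRL and applies the RFC 5280 section 5.2.4 combination rules. The case where the delta's BaseCRLNumber is larger than the base's CRL Number is the condition this event reports.

```python
# Added example (not from the Microsoft page): build constructed, unsigned sample
# CRLs in DER and check a delta CRL's BaseCRLNumber against a base CRL's CRLNumber.
# Only the two extensions that matter for Event ID 18 are inspected.

CRL_NUMBER_OID = "2.5.29.20"        # id-ce-cRLNumber
DELTA_INDICATOR_OID = "2.5.29.27"   # id-ce-deltaCRLIndicator (BaseCRLNumber)

# ---- minimal DER encoder, enough to construct a structurally valid CRL ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # non-negative INTEGER; the extra leading byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def extension(oid, inner, critical):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, inner))

def build_crl(crl_number, base_crl_number=None):
    """Constructed sample CRL: real structure, invented issuer/dates, placeholder signature."""
    exts = extension(CRL_NUMBER_OID, der_int(crl_number), False)
    if base_crl_number is not None:
        exts += extension(DELTA_INDICATOR_OID, der_int(base_crl_number), True)
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Sample Issuing CA"))))
    tbs = tlv(0x30, der_int(1) + sig_alg + issuer
              + tlv(0x17, b"240101000000Z") + tlv(0x17, b"240108000000Z")
              + tlv(0xA0, tlv(0x30, exts)))            # [0] EXPLICIT crlExtensions
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x00" * 8))

# ---- minimal DER decoder ----

def parse_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_items(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def crl_numbers(crl_der):
    """Return {'crl_number': int|None, 'base_crl_number': int|None} for one CRL."""
    _, cert_list, _ = parse_tlv(crl_der)
    _, tbs = parse_items(cert_list)[0]                   # tbsCertList
    found = {"crl_number": None, "base_crl_number": None}
    wrapper = next((v for t, v in parse_items(tbs) if t == 0xA0), None)
    if wrapper is None:
        return found
    _, exts, _ = parse_tlv(wrapper)
    for _, ext in parse_items(exts):
        fields = parse_items(ext)                        # OID, [critical], OCTET STRING
        oid = decode_oid(fields[0][1])
        _, number_body, _ = parse_tlv(fields[-1][1])     # INTEGER inside the OCTET STRING
        number = int.from_bytes(number_body, "big")
        if oid == CRL_NUMBER_OID:
            found["crl_number"] = number
        elif oid == DELTA_INDICATOR_OID:
            found["base_crl_number"] = number
    return found

def check_delta_against_base(base_der, delta_der):
    """RFC 5280 s5.2.4 rules; 'delta-refers-to-newer-base' is the Event ID 18 condition."""
    base, delta = crl_numbers(base_der), crl_numbers(delta_der)
    if delta["base_crl_number"] is None:
        return "not-a-delta"
    if base["base_crl_number"] is not None or base["crl_number"] is None:
        return "base-invalid"
    if delta["base_crl_number"] > base["crl_number"]:
        return "delta-refers-to-newer-base"
    if delta["crl_number"] <= base["crl_number"]:
        return "delta-older-than-base"
    return "ok"

if __name__ == "__main__":
    base = build_crl(crl_number=40)
    print(check_delta_against_base(base, build_crl(41, base_crl_number=40)))  # ok
    print(check_delta_against_base(base, build_crl(43, base_crl_number=42)))  # delta-refers-to-newer-base
```

To run the same check against real files, replace the two `build_crl` calls with the bytes of the base and delta CRL files the Online Responder downloaded (they must be DER, not PEM). A result of delta-refers-to-newer-base means the responder has a base CRL that is older than the one the delta was built on, which is exactly what republishing both CRLs and refreshing revocation data is meant to correct.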

Confirm that the configured CRL distribution points on the CA and Online Responder use the same location

To confirm that the configured CRL distribution points on the CA and Online Responder use the same location:

  1. On the Online Responder, click Start, point to Administrative Tools, and click Online Responder.
  2. In the console tree, select the revocation configuration node. 
  3. In the details pane, right-click the revocation configuration specified in the event description, and click Edit Properties.
  4. Click the Revocation Provider tab, and click Provider. Note the URLs configured in Base CRLs and Delta CRLs.
  5. Confirm that the Online Responder computer can access these locations.
  6. Open the Certification Authority snap-in, right-click the name of the CA, and click Properties.
  7. On the Extensions tab, select the CRL Distribution Point extension, note the URLs that are listed, and confirm that the URLs on the two computers use the same location.

Update revocation information

You can update revocation information by retrieving an updated CRL. An updated CRL can be retrieved by:

  • Using the Services snap-in console to restart the Online Responder service
  • Using the Online Responder snap-in to refresh revocation data and confirming that the error does not appear

To update revocation information for an Online Responder by using the Services snap-in console:

  1. On the Online Responder, click Start, point to Administrative Tools, and click Services.
  2. Click Online Responder Services, and click Restart.

To update revocation information for an Online Responder by using the Online Responder snap-in:

  1. On the computer hosting the Online Responder, click Start, point to Administrative Tools, and click Online Responder.
  2. Right-click Array Configuration, and click Refresh Revocation Data.
  3. Confirm that no additional errors are reported.
  4. Click the Online Responder node, and confirm that the revocation configuration is listed as Working.
  5. Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.
  6. Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.
  7. Confirm that no additional errors are reported.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  1. On the Online Responder, click Start, point to Administrative Tools, and click Event Viewer.
  2. In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
  3. Right-click Operational, and click Enable Log.
  4. Click Start, point to Administrative Tools, and click Services.
  5. Right-click Active Directory Certificate Services, and click Restart.

Depending on the results from the procedures above and enabling CryptoAPI 2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the Online Responder service. 

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.

  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.

  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.

  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.

  6. Open a command prompt window.

  7. Type certutil -url <exportedcert.cer> and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.
