Windows revocation failures
| Symptoms / Windows errors | Solutions |
|---|---|
| Error shown to the user: "The revocation status of the domain controller certificate used for the smart card authentication could not be determined." Windows Event Log: "The client has failed to validate the domain controller certificate for dc.example.com. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." (This is CERT_E_UNTRUSTEDCA, 0x800B0112.) | On target: How to save kdccert.cer to the desktop: The target host is not able to validate the domain controller (KDC) certificate if: |
| The error persists even after the KDC certificate has been reissued with a reachable HTTP CRL distribution point, or an expired CRL has been replaced by a valid one: "The revocation status of the domain controller certificate used for the smart card authentication could not be determined." | Make sure the Windows CRL cache is not interfering. CryptoAPI keeps a negative cache of failed CRL fetches: once a CRL download has failed, revocation checking keeps failing locally from that cached result until the entry expires, even though the distribution point is reachable now. The system (machine) cache is persistent and survives a reboot. The system cache cannot be cleared with |
| Error shown to the user: "The revocation status of the smart card certificate could not be determined." | On target: The target host is not able to validate the user certificate from the virtual smart card if: Make sure the PrivX server's IP address / FQDN is reachable and that DNS is configured correctly in the Windows environment. Check that the CRL distribution point URL in the user certificate can be downloaded from the target with a browser or certutil, and that no firewall blocks outbound TCP port 80 on the target or inbound TCP port 80 on the PrivX CA. The PrivX CA issues an empty CRL (no revoked entries) on demand; its thisUpdate is set one hour in the past and its nextUpdate 23 hours in the future, so the target's clock must fall within that window for the CRL to be accepted. |
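The checks described in the table (CRL distribution point reachability, chain validation with a live CRL fetch, and clearing the CryptoAPI caches) can be scripted on the target. The following PowerShell is an added example, not part of the PrivX documentation or product: it assumes the domain controller certificate has been exported to `kdccert.cer` on the desktop and, optionally, the virtual smart card user certificate to `usercert.cer` (both file names are placeholders). It extracts the CRL DP URLs from each certificate, tests TCP reachability and download of each CRL, decodes the CRL to show its ThisUpdate/NextUpdate window, runs `certutil -verify -urlfetch` against the certificate, lists the enterprise NTAuth store, and finally flushes the user URL cache and forces a resync of the machine-wide chain cache.

```powershell
# Added example (not PrivX code). Run in an elevated PowerShell on the Windows
# target. Paths are assumptions: export the certificates here first.
param(
    [string]$KdcCert  = "$env:USERPROFILE\Desktop\kdccert.cer",
    [string]$UserCert = "$env:USERPROFILE\Desktop\usercert.cer"
)

function Get-CrlDistributionPoints {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true)
    # renders it as text containing "URL=http://..." entries.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
}

function Test-CrlDownload {
    param([string]$Url)
    $u = [uri]$Url
    # Firewall / DNS check first: outbound TCP to the CRL DP host and port.
    if (-not (Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet)) {
        return "FAIL tcp $($u.Host):$($u.Port) unreachable (DNS or firewall)"
    }
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -OutFile $tmp
        # Decode the CRL and show its validity window; compare ThisUpdate and
        # NextUpdate with this host's clock (the PrivX CA issues roughly -1h/+23h).
        $dump = certutil -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Entries'
        "OK   $Url`n$($dump -join "`n")"
    } catch {
        "FAIL $Url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

foreach ($cer in @($KdcCert, $UserCert)) {
    if (-not (Test-Path $cer)) { Write-Warning "missing $cer, skipping"; continue }
    "== $cer"
    Get-CrlDistributionPoints $cer | ForEach-Object { Test-CrlDownload $_ }
    # Full chain build with live CRL retrieval, the same path the logon uses.
    certutil -verify -urlfetch $cer | Select-Object -Last 12
}

# For the domain controller certificate the issuing CA must also be present in
# the enterprise NTAuth store; otherwise the chain builds but is reported as
# "not trusted by the policy provider" (CERT_E_UNTRUSTEDCA).
"== NTAuth store"
certutil -enterprise -store NTAuth | Select-String 'Subject|NotAfter'

# Flush cached negative CRL results before re-testing.
# This clears only the current user's CryptoAPI URL cache:
certutil -urlcache * delete
# This forces the machine-wide chain engine to discard its cached CRL/chain
# state, which is what the smart card logon path consults:
certutil -setreg chain\ChainCacheResyncFiletime @now
```

If a CRL download succeeds from a browser but `certutil -verify -urlfetch` still reports a revocation failure immediately after, the cached negative result is the likely cause; the machine-level URL cache lives under `%SystemRoot%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache`, and the `ChainCacheResyncFiletime` resync above is the supported way to invalidate it. A ThisUpdate in the future relative to the target's clock, or a NextUpdate already in the past, means the CRL will be rejected even though it downloads fine.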