An unknown error occurred while processing the certificate - Troubleshooting Monitoring and Debuging - Microsoft Forefront Security and Protection Forums - Knowledge Center | Community Public Web Site | Online Support | Online Training | Articles

Welcome Guest

Microsoft Forefront Security and Protection Forums » Microsoft Forefront UAG | Unified Access Gateway » Troubleshooting Monitoring and Debuging » An unknown error occurred while processing the certificate

An unknown error occurred while processing the certificate

Options View

Previous Topic Next Topic

IP		#1 Posted : Tuesday, October 13, 2009 4:33:30 PM(UTC)
Rank: Administration Groups: Registered Joined: 10/22/2008(UTC) Posts: 374 Points: 1,128 Location: Israel		Hi Guys, Just wanted to share with you some problem I had with UAG when publishing OWA 2007 (SSL to SSL) I configured the environment, the Login process worked great but I felt some slowness after the authentication phase and then I got the following error "An unknown error occurred while processing the certificate" With the following events on the UAG server: I've made some research and The solution is: The UAG server had no access (Layer 3 / 4) and name resolution to the CDP (CRL Distribution Points) HTH Idan Plotnik Security Engineer
Back to top		WWW \| Edit by user

User Profile View Thanks

cstonebr		#2 Posted : Monday, January 25, 2010 11:35:49 AM(UTC)
Rank: Newbie Groups: Registered Joined: 9/14/2009(UTC) Posts: 2 Points: 6		Hi, I am experiencing the problem you highlighted above on a POC box. My problem stems from the fact that 2 of the applications that use ssl have internally generated certificates from CA's that do not publish crl's, is it possible to turn off the checking for my test UAG server? Best Regards Chris
Back to top

User Profile View Thanks

Jason Jones		#3 Posted : Wednesday, January 27, 2010 6:42:04 AM(UTC)
Rank: Advanced Member Groups: Registered, DA Moderator, IAG UAG TMG Moderator, Stirling Moderator Joined: 11/30/2008(UTC) Posts: 151 Points: 462 Location: United Kingdom		Hi Chris, Personally I would fix the CRL problem, as a properly configured PKI should be publishing CRLs as they are a key part of the design. Once you have configured CRL publishing, you can then re-issue the certs (which now contains the correct CDPs) and CRL checking should then work successfully if UAG has access to the CDPs. I think you can disable CRL checking with this: Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 0. Cheers JJ Jason Jones \| Forefront MVP \| Silversands Ltd My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk/
Back to top		WWW BLOG

User Profile View Thanks

Jason Jones		#4 Posted : Wednesday, January 27, 2010 6:44:16 AM(UTC)
Rank: Advanced Member Groups: Registered, DA Moderator, IAG UAG TMG Moderator, Stirling Moderator Joined: 11/30/2008(UTC) Posts: 151 Points: 462 Location: United Kingdom		IP wrote: Hi Guys, Just wanted to share with you some problem I had with UAG when publishing OWA 2007 (SSL to SSL) I configured the environment, the Login process worked great but I felt some slowness after the authentication phase and then I got the following error "An unknown error occurred while processing the certificate" With the following events on the UAG server: I've made some research and The solution is: The UAG server had no access (Layer 3 / 4) and name resolution to the CDP (CRL Distribution Points) HTH A lot of people don't realise how important CRLs are for a good PKI design; this includes ALL clients being able to access the CRL. DirectAccess has similar requirements, so I see this being a popular issue for people... Cheers JJ Jason Jones \| Forefront MVP \| Silversands Ltd My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk/
Back to top		WWW BLOG

User Profile View Thanks

Joe		#5 Posted : Thursday, February 04, 2010 6:33:51 PM(UTC)
Rank: Newbie Groups: Registered Joined: 2/4/2010(UTC) Posts: 3 Points: 9 Location: Denver, CO		Is there any way to selectively disable CRL lookups per CA for UAG like the SiteMinder product? The reason I ask is because DoD CDP CRL files are typically very huge, some have been several hundred MB. After a CRL expires, having the first DoD user wait an unacceptable period while the huge CRL's are cached on UAG is not acceptable. The workaround for this for my company has been an automated script to pull down the large CRL's every evening, convert them to ascii, parse the list against AD and deny access to the customer in AD. On the UAG server, the CRL lookup would be disabled without compromizing PKI security. On the other hand, internal CRL lookups are desired. Having UAG only perfoming CRL lookups against the CA's that are desired is something that is needed. Looking at a OCSP responder may be an alternate resolution. However, not all 3rd party CA's configure certs for OCSP. Thoughts? Joe
Back to top

User Profile View Thanks

Joe		#6 Posted : Thursday, February 04, 2010 7:07:48 PM(UTC)
Rank: Newbie Groups: Registered Joined: 2/4/2010(UTC) Posts: 3 Points: 9 Location: Denver, CO		Jason, Adding the StrongCRLCheck DWORD entry with a value of 0 did not disable CRL checking on UAG 2010. I did boot for good measure in case it needed to be rebooted. Do you have suggestion on the proper registry setting to turn off CRL checking for testing purposes? Joe Jason Jones wrote: Hi Chris, Personally I would fix the CRL problem, as a properly configured PKI should be publishing CRLs as they are a key part of the design. Once you have configured CRL publishing, you can then re-issue the certs (which now contains the correct CDPs) and CRL checking should then work successfully if UAG has access to the CDPs. I think you can disable CRL checking with this: Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 0. Cheers JJ
Back to top

User Profile View Thanks

Joe		#7 Posted : Thursday, February 04, 2010 7:28:25 PM(UTC)
Rank: Newbie Groups: Registered Joined: 2/4/2010(UTC) Posts: 3 Points: 9 Location: Denver, CO		OK I found it in the UAG 2010 help and it successfully disabled CRL checking for testing purposes. Hope this helps someone. HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL "By default Forefront UAG validates the both the certificate and the revocation list of each SSL backend server during the TLS handshake procedure. In the event where the either the certificate or the CRL are not valid, backend users shall be denied access to that given backend server. If an UAG admin wishes to disable that test due to any kind of reason she should set 'ValidateRwsCert' and 'ValidateRwsCertCRL' to '0' and restart the IIS service by 'iisreset' preferably." Joe wrote: Jason, Adding the StrongCRLCheck DWORD entry with a value of 0 did not disable CRL checking on UAG 2010. I did boot for good measure in case it needed to be rebooted. Do you have suggestion on the proper registry setting to turn off CRL checking for testing purposes? Joe Jason Jones wrote: Hi Chris, Personally I would fix the CRL problem, as a properly configured PKI should be publishing CRLs as they are a key part of the design. Once you have configured CRL publishing, you can then re-issue the certs (which now contains the correct CDPs) and CRL checking should then work successfully if UAG has access to the CDPs. I think you can disable CRL checking with this: Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 0. Cheers JJ
Back to top

User Profile View Thanks

Jason Jones		#8 Posted : Thursday, February 04, 2010 8:41:34 PM(UTC)
Rank: Advanced Member Groups: Registered, DA Moderator, IAG UAG TMG Moderator, Stirling Moderator Joined: 11/30/2008(UTC) Posts: 151 Points: 462 Location: United Kingdom		Joe wrote: Jason, Adding the StrongCRLCheck DWORD entry with a value of 0 did not disable CRL checking on UAG 2010. I did boot for good measure in case it needed to be rebooted. Do you have suggestion on the proper registry setting to turn off CRL checking for testing purposes? Joe Jason Jones wrote: Hi Chris, Personally I would fix the CRL problem, as a properly configured PKI should be publishing CRLs as they are a key part of the design. Once you have configured CRL publishing, you can then re-issue the certs (which now contains the correct CDPs) and CRL checking should then work successfully if UAG has access to the CDPs. I think you can disable CRL checking with this: Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 0. Cheers JJ Yeah, I think that's the one for DirectAccess CRLs. Jason Jones \| Forefront MVP \| Silversands Ltd My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk/
Back to top		WWW BLOG

User Profile View Thanks

Jason Jones		#9 Posted : Thursday, February 04, 2010 8:42:14 PM(UTC)
Rank: Advanced Member Groups: Registered, DA Moderator, IAG UAG TMG Moderator, Stirling Moderator Joined: 11/30/2008(UTC) Posts: 151 Points: 462 Location: United Kingdom		Joe wrote: OK I found it in the UAG 2010 help and it successfully disabled CRL checking for testing purposes. Hope this helps someone. HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL "By default Forefront UAG validates the both the certificate and the revocation list of each SSL backend server during the TLS handshake procedure. In the event where the either the certificate or the CRL are not valid, backend users shall be denied access to that given backend server. If an UAG admin wishes to disable that test due to any kind of reason she should set 'ValidateRwsCert' and 'ValidateRwsCertCRL' to '0' and restart the IIS service by 'iisreset' preferably." Joe wrote: Jason, Adding the StrongCRLCheck DWORD entry with a value of 0 did not disable CRL checking on UAG 2010. I did boot for good measure in case it needed to be rebooted. Do you have suggestion on the proper registry setting to turn off CRL checking for testing purposes? Joe Jason Jones wrote: Hi Chris, Personally I would fix the CRL problem, as a properly configured PKI should be publishing CRLs as they are a key part of the design. Once you have configured CRL publishing, you can then re-issue the certs (which now contains the correct CDPs) and CRL checking should then work successfully if UAG has access to the CDPs. I think you can disable CRL checking with this: Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 0. Cheers JJ Cool, thanks for the follow up :) Jason Jones \| Forefront MVP \| Silversands Ltd My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk/
Back to top		WWW BLOG

User Profile View Thanks

maikel.moors		#10 Posted : Monday, February 08, 2010 9:23:56 AM(UTC)
Rank: Newbie Groups: Registered Joined: 2/8/2010(UTC) Posts: 1 Points: 3 Location: Holland		Dear Idan, did you have any luck with this problem? Cause i having the same problem. All answers above i did trie, but without any luck. If you did found a answer would love hearing from you. Thank you in advance
Back to top

User Profile View Thanks

Users browsing this topic
Guest (2)

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

ForefrontSecurity.ORG Design Team
Powered by YAF | YAF © 2003-2010, Yet Another Forum.NET
This page was generated in 0.116 seconds.