IIS 10 with AAR and CRL [Answered]

4 replies

Last post Mar 06, 2019 07:34 AM by waaalex

  • IIS 10 with AAR and CRL

    Feb 28, 2019 02:53 PM | waaalex

    Hello,

    We are trying to publish Exchange OWA 2016 through a reverse proxy with IIS 10 AAR placed in the DMZ.

    This is working well.

    Now we need to connect with a client certificate and this does not work (error 403.13).

    IIS 10 AAR in DMZ

    The CRL is available from LDAP and HTTP; the IIS AAR server is not domain joined, so I try to use HTTP to reach the CRL.

    I have tested the CRL with certutil (in an admin session and as Local System with psexec) and with wfetch, and it's working.

    But when I try to connect to OWA, I'm prompted for a certificate and get the 403.13 error: revocation server is offline, even though I can reach the CRLs with Internet Explorer on this server.

    I'm really stuck here. Any idea? I don't want to disable CRL verification.

  • Re: IIS 10 with AAR and CRL

    Mar 01, 2019 09:10 AM | Jalpa Panchal

    Hi,

    Could you share your detailed error message?

    If you get 403.13 Forbidden - certificate error, mismatched address, or "Your client certificate was revoked or the revocation status could not be determined", this can happen when the web server is unable to communicate with the Certificate Revocation List (CRL) because of a firewall or no internet access.

    You could refer to the article below:

    Regards,

    Jalpa.

    MSDN Community Support
  • Re: IIS 10 with AAR and CRL

    Mar 01, 2019 09:31 AM | waaalex

    Thank you for your answer.

    Here's the error message in detail (it's not the error that you mentioned).

    The error message is in French (the revocation function could not verify revocation because the revocation server was offline).

    I have tested the client certificate on this IIS server with certutil -url cert.cer and the CRL is verified.

    Note that the external URL is like "owa@publicdomain.com" and the internal target is owa2@localdomain.com.


    No. EventName Details Time
    1. GENERAL_REQUEST_START SiteId="1", AppPoolId="DefaultAppPool", ConnId="1610612739", RawConnId="0", RequestURL="https://xxx:443/", RequestVerb="GET" 09:02:01.426
    2. PRE_BEGIN_REQUEST_START ModuleName="RewriteModule" 09:02:01.426
    3. GENERAL_SET_REQUEST_HEADER HeaderName="X-Original-URL", HeaderValue="/", Replace="true" 09:02:01.426
    4. URL_CHANGED OldUrl="/", NewUrl="https://Exchange - OWA/" 09:02:01.426
    5. PRE_BEGIN_REQUEST_END ModuleName="RewriteModule", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.426
    6. PRE_BEGIN_REQUEST_START ModuleName="FailedRequestsTracingModule" 09:02:01.426
    7. PRE_BEGIN_REQUEST_END ModuleName="FailedRequestsTracingModule", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.426
    8. GENERAL_ENDPOINT_INFORMATION RemoteAddress="xxxxx", RemotePort="28457", LocalAddress="xxxx", LocalPort="443" 09:02:01.426
    9. GENERAL_REQUEST_HEADERS Headers="Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gzip, deflate Accept-Language: fr-FR Cookie: ClientId=032CD6AD66BD4230AC0C16892E611D12; RoutingKeyCookie=v2:98WZIMD7qVKSbO6xoBJ7bXSSZnxCr0G%2bM9QkjUeGEsM%3d:65839ad4-30e7-49de-882a-2641facb4b1f@yyyyy; X-OWA-JS-PSD=1 Host: xxxxx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko DNT: 1 X-Original-URL: / " 09:02:01.426
    10. URL_CACHE_ACCESS_START RequestURL="/" 09:02:01.426
    11. URL_CACHE_ACCESS_END PhysicalPath="", URLInfoFromCache="false", URLInfoAddedToCache="true", ErrorCode="L’opération a réussi. (0x0)" 09:02:01.426
    12. GENERAL_GET_URL_METADATA PhysicalPath="", AccessPerms="617" 09:02:01.426
    13. MODULE_SET_RESPONSE_ERROR_STATUS
    Warning
    ModuleName="IIS Web Core", Notification="BEGIN_REQUEST", HttpStatus="403", HttpReason="Forbidden", HttpSubStatus="13", ErrorCode="La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. (0x80092013)", ConfigExceptionInfo="" 09:02:01.551
    14. NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    15. NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    16. NOTIFY_MODULE_START ModuleName="ProtocolSupportModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    17. NOTIFY_MODULE_END ModuleName="ProtocolSupportModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    18. NOTIFY_MODULE_START ModuleName="HttpCacheModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    19. NOTIFY_MODULE_END ModuleName="HttpCacheModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    20. NOTIFY_MODULE_START ModuleName="HttpLoggingModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    21. NOTIFY_MODULE_END ModuleName="HttpLoggingModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    22. NOTIFY_MODULE_START ModuleName="RewriteModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    23. NOTIFY_MODULE_END ModuleName="RewriteModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    24. NOTIFY_MODULE_START ModuleName="CustomErrorModule", Notification="SEND_RESPONSE", fIsPostNotification="false" 09:02:01.551
    25. GENERAL_SEND_CUSTOM_ERROR HttpStatus="403", HttpSubStatus="13", FileNameOrURL="403.htm" 09:02:01.551
    26. FILE_CACHE_ACCESS_START FileName="C:\inetpub\custerr\fr-FR\403.htm", UserName="", DomainName="" 09:02:01.551
    27. FILE_CACHE_ACCESS_END Successful="true", FileFromCache="true", FileAddedToCache="false", FileDirmoned="true", LastModCheckErrorIgnored="true", ErrorCode="L’opération a réussi. (0x0)", LastModifiedTime="Wed, 27 Feb 2019 09:42:19 GMT" 09:02:01.551
    28. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Type", HeaderValue="text/html", Replace="true" 09:02:01.551
    29. NOTIFY_MODULE_END ModuleName="CustomErrorModule", Notification="SEND_RESPONSE", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" 09:02:01.551
    30. HTTPSYS_CACHEABLE HttpsysCacheable="false", Reason="SSL_RESTRICTION", CachePolicy="NO_CACHE", TimeToLive="0" 09:02:01.551
    31. GENERAL_FLUSH_RESPONSE_START 09:02:01.551
    32. GENERAL_RESPONSE_HEADERS Headers="Content-Type: text/html Server: Microsoft-IIS/10.0 " 09:02:01.551
    33. GENERAL_RESPONSE_ENTITY_BUFFER Buffer="<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>403 - Interdit%A0: acc%E8s refus%E9.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Erreur de serveur</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>403 - Interdit%A0: acc%E8s refus%E9.</h2> <h3>Vous n'avez pas l'autorisation d'afficher ce r%E9pertoire ou cette page %E0 l'aide des informations d'identification que vous avez fournies.</h3> </fieldset></div> </div> </body> </html> " 09:02:01.551
    34. GENERAL_FLUSH_RESPONSE_END BytesSent="1406", ErrorCode="L’opération a réussi. (0x0)" 09:02:01.551
    35. GENERAL_REQUEST_END BytesSent="1406", BytesReceived="465", HttpStatus="403", HttpSubStatus="13" 09:02:01.551


  • Re: IIS 10 with AAR and CRL

    Mar 05, 2019 02:19 PM | waaalex

    Another thing:

    certutil with -urlfetch gives an error:

    C:\Users\Administrateur\Desktop>certutil -urlfetch -verify alex.cer
    Émetteur:
        CN=get-SRV-DC-CA
        DC=dom
        DC=com
      Hachage du nom (sha1) : a62888b8b494cc72d5b50a3401da695e28922316
      Hachage du nom (md5) : c8c269fb24c05cd48f07ec444fa63f93
    Objet:
        E=A.NOM@domaineexch.com
        CN=NOM Alexandre
      Hachage du nom (sha1) : facbf33942c29a333aeea9ade9db538d3d530ff7
      Hachage du nom (md5) : 01deefd4ec4bfb2d5bc80ed8221e486a
    Numéro de série du certificat : 67f0382100000000a51b
    
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds
    
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds
    
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 01/03/2019 15:05
      NotAfter: 29/02/2020 15:05
      Subject: E=A.NOM@domaineexch.com, CN=NOM Alexandre
      Serial: 67f0382100000000a51b
      SubjectAltName: Autre nom :Nom principal=LOGIN@mailinterne.com
      Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
      Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  AIA de certificat  ----------------
      Échec "AIA" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?cACertificate?base?objectClass=certificationAuthority
    
      Vérifié "Certificat (0)" Heure : 0 b3d1bb3362ec43aedafe4c3868805db4fcda5748
        [1.0] http://SRV-DC.domain.com/CertEnroll/SRV-DC.domain.com_get-SRV-DC-CA.crt
    
      ----------------  CDP de certificat  ----------------
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    
      Vérifié "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
    
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
    
      Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
    
      ----------------  CDP de liste de révocation des certificats de base  ----------------
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
    
      OK "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
    
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
    
      Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
    
      ----------------  Protocole OCSP du certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      --------------------------------
        CRL 0592:
        Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
        ThisUpdate: 28/02/2019 13:55
        NextUpdate: 08/03/2019 02:15
        CRL: a467254541a842b5e0819fe02e61395baeb2b4e9
      Application[0] = 1.3.6.1.5.5.7.3.2 Authentification du client
      Application[1] = 1.3.6.1.5.5.7.3.4 Messagerie électronique sécurisée
    
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 08/04/2015 13:36
      NotAfter: 08/04/2020 13:45
      Subject: CN=get-SRV-DC-CA, DC=dom, DC=com
      Serial: 40d4e5b7f3288898496b6f9bb3f1a103
      Template: CA
      Cert: b3d1bb3362ec43aedafe4c3868805db4fcda5748
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  AIA de certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      ----------------  CDP de certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      ----------------  Protocole OCSP du certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      --------------------------------
    
    Exclude leaf cert:
      Chain: 52a851a29e09dc1f1aec1fd5a640854e68361f94
    Full chain:
      Chain: 5046b50dfefc32be7c0c470bdb7ed2843ffc288a
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 01/03/2019 15:05
      NotAfter: 29/02/2020 15:05
      Subject: E=A.NOM@domaineexch.com, CN=NOM Alexandre
      Serial: 67f0382100000000a51b
      SubjectAltName: Autre nom :Nom principal=LOGIN@mailinterne.com
      Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
      Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
    La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    ------------------------------------
    Vérification de révocation ignorée -- le serveur est hors connexion
    
    ERREUR : la vérification de l’état de révocation du certificat feuille a
             renvoyé La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    CertUtil: La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté.
    
    CertUtil: -verify La commande s’est terminée correctement.
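
As an added triage helper (my code, not from the thread), this Python script parses certutil -urlfetch -verify output of the shape shown above, locale-independently, and reports which distribution-point URLs failed to fetch and whether the delta-CRL entry actually came back as the base CRL (the delta line above carries the same SHA-1 as the base CRL). The function names are mine, and the sample lines are trimmed from the post's own output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Verdict line shape is the same in every certutil locale: <verdict> "<object>" <Time|Heure> : <n> <sha1 | (null)>
STATUS_RE = re.compile(r'^\s*(?P<status>\S[^"]*?)\s+"(?P<obj>[^"]*)"\s+\S+\s*:\s*\d+\s+'
                       r'(?P<digest>\(null\)|[0-9a-fA-F]{40})\s*$')
# URL line under a verdict, with or without the "[1.0.1]" index certutil prints
URL_RE = re.compile(r'^\s*(?:\[[\d.]+\]\s+)?(?P<url>(?:https?|ldap|file)://\S+)\s*$')

@dataclass
class Fetch:
    status: str                 # certutil's verdict, e.g. Failed / Verified / Old Base CRL
    obj: str                    # what was fetched, e.g. CDP, Base CRL (0592), Delta CRL (0592)
    digest: Optional[str]       # sha1 of the object actually retrieved; None on failure
    urls: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:      # "delta"/"base" appear in both English and French object names
        o = self.obj.lower()
        return "delta" if "delta" in o else "base" if "base" in o else "other"

def parse_urlfetch(text: str) -> List[Fetch]:
    fetches: List[Fetch] = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            d = m.group("digest")
            fetches.append(Fetch(m.group("status"), m.group("obj"), None if d == "(null)" else d.lower()))
        elif (u := URL_RE.match(line)) and fetches:
            fetches[-1].urls.append(u.group("url"))
    return fetches

def triage(fetches: List[Fetch]) -> dict:
    """What the host could and could not retrieve, and whether a real delta CRL came back."""
    failed_ldap = [u for f in fetches if f.digest is None for u in f.urls if u.startswith("ldap:")]
    ok_http = [u for f in fetches if f.digest for u in f.urls if u.startswith("http")]
    base_digests = {f.digest for f in fetches if f.kind == "base" and f.digest}
    # A delta-CRL entry whose retrieved object has the base CRL's hash means the HTTP
    # distribution point served the base CRL again, not a delta CRL.
    delta_is_base = any(f.kind == "delta" and f.digest in base_digests for f in fetches)
    return {"failed_ldap": failed_ldap, "ok_http": ok_http, "delta_served_as_base": delta_is_base}

# Sample: four entries trimmed from the -urlfetch output in the post above (French locale)
SAMPLE = """\
  Échec "CDP" Heure : 0 (null)
    ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Vérifié "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
  Échec "CDP" Heure : 0 (null)
    [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl
"""
```

Run `triage(parse_urlfetch(open("urlfetch.txt").read()))` on a saved certutil transcript; on the sample it lists two failed LDAP URLs, two successful HTTP fetches, and flags that the delta-CRL URL returned the base CRL.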

  • Re: IIS 10 with AAR and CRL

    Mar 06, 2019 07:34 AM | waaalex