Exchange Certificate - Revocation Check Failed

Hi,
the scenario is the following:
Windows 2012 R2 domain
Exchange 2010
Windows 2012 R2 PKI (1 standalone root CA, 1 enterprise subordinate CA)
On Exchange, I get the following error:
The certificate details are:
I guess that the revocation check error is due to the "%20" in the LDAP path (second image).
The questions are:
Is the "%20" normal behavior in the "CRL Distribution Points" details of the certificate?
If not,
how can I delete the "%20" from the certificate?
Thanks in advance!

Thanks Mark.
The output from issuing CA:
Issuer:
    CN=SERVSUBUCA
    DC=servicioscorp
    DC=pbo
  Name Hash(sha1): 3f202eaecb344a1d5f7cefa0ef305ccc4f11764b
  Name Hash(md5): d096ae4af2bbf1f9b7246c5c51f979cb
Subject:
    CN=uiomatrv-exca01.servicioscorp.pbo
    OU=IT
    O=PRODUBANCO
    L=Quito
    S=Pichincha
    C=EC
  Name Hash(sha1): dbed6b31170d7ea3c36e08e4b7012a4595108527
  Name Hash(md5): bd573e0501d5e3d3a8cdcd229dd40a2e
Cert Serial Number: 620000001168945925b163ff5d000000000011
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 32 Days, 5 Minutes, 4 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 32 Days, 5 Minutes, 4 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  NotBefore: 8/4/2014 11:10 AM
  NotAfter: 8/3/2016 11:10 AM
  Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
  Serial: 620000001168945925b163ff5d000000000011
  SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
  Template: WebServer
  0e180ca4a6642be3709465fd1db4d9a6fa3be717
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No CRL "Certificate (0)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (2b)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Delta CRL (2b)" Time: 0
    [0.0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (2f)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
    CRL 2b:
    Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
    ThisUpdate: 7/30/2014 2:31 PM
    NextUpdate: 8/14/2014 2:51 AM
    507e17f28e96054ead075e0cf353ea1cefbc4d9f
    Delta CRL 2f:
    Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
    ThisUpdate: 8/3/2014 2:32 PM
    NextUpdate: 8/5/2014 2:52 AM
    52827a7c7b5f621e2db4aa6b76f9fc448a35e50b
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SERVROOTCA
  NotBefore: 6/18/2014 1:53 PM
  NotAfter: 6/18/2024 2:03 PM
  Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  Serial: 2d000000024a75bdddb4ea0374000000000002
  Template: SubCA
  5b61be4e5ef53895a1475a89a986302a26cc34a8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
    CRL 03:
    Issuer: CN=SERVROOTCA
    ThisUpdate: 7/3/2014 11:59 AM
    NextUpdate: 7/4/2015 12:19 AM
    34931efb937f7495ce869f635823bbd9e3df578a
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=SERVROOTCA
  NotBefore: 6/18/2014 1:08 PM
  NotAfter: 6/18/2029 1:18 PM
  Subject: CN=SERVROOTCA
  Serial: 63f24946f2448c9242ce44936f1f759e
  1cd3339f1c7717ff77921ca53408a9d7ca58a5f7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
Exclude leaf cert:
  e594318b0d857c2fcb9d08db80637e278ad891df
Full chain:
  a0215d71e05618f20649331ea9541930154344eb
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
The output from Exchange:
Issuer:
    CN=SERVSUBUCA
    DC=servicioscorp
    DC=pbo
Subject:
    CN=uiomatrv-exca01.servicioscorp.pbo
    OU=IT
    O=PRODUBANCO
    L=Quito
    S=Pichincha
    C=EC
Cert Serial Number: 620000001168945925b163ff5d000000000011
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 21 Hours, 31 Minutes, 44 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 21 Hours, 31 Minutes, 44 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  NotBefore: 04/08/2014 11:10
  NotAfter: 03/08/2016 11:10
  Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
  Serial: 620000001168945925b163ff5d000000000011
  SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
  Template: WebServer
  17 e7 3b fa a6 d9 b4 1d fd 65 94 70 e3 2b 64 a6 a4 0c 18 0e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No CRL "Certificate (0)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (2b)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Delta CRL (2b)" Time: 0
    [0.0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (2f)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
    CRL 2b:
    Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
    9f 4d bc ef 1c ea 53 f3 0c 5e 07 ad 4e 05 96 8e f2 17 7e 50
    Delta CRL 2f:
    Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
    0b e5 35 8a 44 fc f9 76 6b aa b4 2d 1e 62 5f 7b 7c 7a 82 52
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: CN=SERVROOTCA
  NotBefore: 18/06/2014 13:53
  NotAfter: 18/06/2024 14:03
  Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  Serial: 2d000000024a75bdddb4ea0374000000000002
  Template: SubCA
  a8 34 cc 26 2a 30 86 a9 89 5a 47 a1 95 38 f5 5e 4e be 61 5b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=SERVROOTCA
  NotBefore: 18/06/2014 13:08
  NotAfter: 18/06/2029 13:18
  Subject: CN=SERVROOTCA
  Serial: 63f24946f2448c9242ce44936f1f759e
  f7 a5 58 ca d7 a9 08 34 a5 1c 92 77 ff 17 77 1c 9f 33 d3 1c
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
Exclude leaf cert:
  24 b9 1e b2 79 76 b0 16 2d 6d ae e2 cd 6b 98 aa 5f 27 38 20
Full chain:
  7b 8c 64 0e 02 42 5a 7e 2d 1a 8b d4 db 3a c2 9c 10 a9 13 56
  Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  NotBefore: 04/08/2014 11:10
  NotAfter: 03/08/2016 11:10
  Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
  Serial: 620000001168945925b163ff5d000000000011
  SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
  Template: WebServer
  17 e7 3b fa a6 d9 b4 1d fd 65 94 70 e3 2b 64 a6 a4 0c 18 0e
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
Revocation check skipped -- no revocation information available
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Thanks in advance!
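An added example (not part of the original thread): a small parser for "certutil -verify" chain dumps like the two above. It decodes the percent-encoded LDAP CDP URL ("%20" is an encoded space in "CN=Public Key Services") and reports which chain element carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN. The function names are hypothetical, and SAMPLE is an abridged excerpt constructed from the Exchange-side output in the post.

```python
import re
from urllib.parse import unquote

# Subset of the CERT_TRUST_* error bits from wincrypt.h.
ERROR_FLAGS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
REVOCATION_UNKNOWN = 0x40

ELEMENT_RE = re.compile(
    r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9a-fA-F]+ dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^-{4,}\s+(.+?)\s+-{4,}$")   # e.g. "---- Certificate CDP ----"
FETCH_RE = re.compile(r'^(.+?) "(.*)" Time: \d+$')    # e.g. Verified "Base CRL (2b)" Time: 0
URL_RE = re.compile(r"^\[[\d.]+\]\s+(\S+)$")          # e.g. [0.0] ldap:///...
CRL_RE = re.compile(r"^((?:Delta )?CRL \S+):$")       # CRL block printed under an element


def decode_flags(value):
    """Turn a dwErrorStatus bit mask into the names of the bits that are set."""
    return [name for bit, name in sorted(ERROR_FLAGS.items()) if value & bit]


def decode_ldap_url(url):
    """Split an LDAP URL (host/dn?attribute?scope?filter) and undo percent-encoding."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, path = url.split("://", 1)[1].partition("/")
    dn, attribute, scope, ldap_filter = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    return {"host": host, "dn": dn, "attribute": attribute, "scope": scope, "filter": ldap_filter}


def parse_chain(text):
    """Collect, per chain element, its error status, URL fetch results and CRL blocks."""
    elements, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ELEMENT_RE.match(line)):
            cur = {"depth": int(m.group(1)), "subject": None,
                   "error": int(m.group(2), 16), "fetches": [], "crls": []}
            elements.append(cur)
            section = None
        elif line.startswith("Exclude leaf cert"):
            cur = None                      # chain elements end here
        elif cur is None:
            continue
        elif line.startswith("Subject:") and cur["subject"] is None:
            cur["subject"] = line.split(":", 1)[1].strip()
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := FETCH_RE.match(line)):
            cur["fetches"].append({"section": section, "status": m.group(1),
                                   "label": m.group(2), "urls": []})
        elif cur["fetches"] and (m := URL_RE.match(line)):
            cur["fetches"][-1]["urls"].append(m.group(1))
        elif (m := CRL_RE.match(line)):
            cur["crls"].append(m.group(1))
    return elements


def revocation_gaps(elements):
    """Elements whose revocation status is unknown, with the CDP URLs and CRLs seen for them."""
    gaps = []
    for el in elements:
        if el["error"] & REVOCATION_UNKNOWN:
            cdp = [u for f in el["fetches"] if f["section"] == "Certificate CDP" for u in f["urls"]]
            gaps.append({"depth": el["depth"], "subject": el["subject"],
                         "flags": decode_flags(el["error"]), "cdp_urls": cdp, "crls": el["crls"]})
    return gaps


# Constructed sample: abridged from the Exchange-side certutil output quoted in the post.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (2b)" Time: 0
    [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?certificateRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
    CRL 2b:
    Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: CN=SERVROOTCA
  Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
Exclude leaf cert:
"""

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print(decode_ldap_url(chain[0]["fetches"][0]["urls"][0])["dn"])
    for gap in revocation_gaps(chain):
        print(gap)
```

On the sample, the leaf's CDP URL decodes to a DN containing "CN=Public Key Services" and its base CRL is verified, while the element reported is the SubCA certificate, which lists no CDP URL and no CRL.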

Similar Messages

  • Exchange 2010 - The certificate status could not be determined because the revocation check failed.

    I have tried everything I have found online to get my DigiCert to work.
    I have exported the cert and imported it into my child domains and they look perfect.
    It is just my parent domain having issues.
    netsh winhttp show proxy
    does show my correct proxy server for http and https and port 8080
    I have tried name, FQDN and IP address.
    In the Bypass-list I have tried none, *.domain.com, and a list of all domains and child domains in my forest.
    I have flushed the cache
    certutil -urlcache crl delete
    certutil -urlcache ocsp delete
    and rebooted the Exchange 2010 (Windows 2008 R2) server
    No matter what, I still see in my Server Configuration for the parent domain's DigiCert cert the message
    The certificate status could not be determined because the revocation check failed.
    with a red X on the left hand icon.  Again, Child domains all say "The certificate is valid for Exchange Server usage."
    Note: In spite of having the red X, I was able to assign via EMS the services.
    Webmail works fine.  Outlook Anywhere fails... I suspect it is due to my red X problem.
    Suggestions?
    Thanks in Advance
    Jim.

    I have contacted DigiCert and they said the cert is working per their utility, hence the problem is outside the scope of their support.
    I have followed, several times, http://support.microsoft.com/kb/979694
    http://www.digicert.com/help/  reports all is well.
    The DigiCertUtil.exe reports all is well and happy.
    I have run
    netsh winhttp set proxy proxy-server="http=myproxy:8080;https=myproxy:8080" bypass-list="*.mydomain.com"
    Current WinHTTP proxy settings:
        Proxy Server(s) :  http=myproxy:8080;https=myproxy:8080
        Bypass List     :  *.mydomain.com
    I have flushed the cache using the commands
    certutil -urlcache crl delete
    certutil -urlcache ocsp delete
     I still see in my Server Configuration for the parent domain's DigiCert cert the message
    "The certificate status could not be determined because the revocation check failed."
    with a red X on the left hand certificate icon. 
    To verify the cert via command line:
    certutil -verify -urlfetch c:\mail_domain_com.cer
    LoadCert(Cert) returned ASN1 bad tag value met. 0x8009310b (ASN: 267)
    CertUtil: -verify command FAILED: 0x8009310b (ASN: 267)
    CertUtil: ASN1 bad tag value met.
    I suspect this is why I cannot get Outlook Anywhere to connect.
    Child domains show a happy certificate icon. Parent domain does not.
    Still scratching my head.
    Thanks all!
    Jim.

  • Revocation checked failed status in Certificate on Exchange 2013

    Hi,
    We are getting an error on the certificate that we got from GoDaddy for Exchange 2013, which was working fine earlier; the status now shows that the revocation check failed, and because of that users are getting a certificate error in Outlook.
    Please suggest how to fix this issue.

    We've had this error before, and it was solved by configuring the proxy settings.
    > via netsh winhttp set proxy
    > set-exchangeserver InternetWebProxy setting (don't know if still applicable in Exchange 2013)
    > iexplorer proxy settings
    PS: You can also check the CRL location when you take a look into the properties of the certificate (CRL distribution points).

  • EMC - Certificate status could not be determined because revocation check failed.

    I've exhausted my resources on this issue and am reaching out for some assistance. I have set up Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
    "The certificate status could not be determined because the revocation check failed."
    Here are the steps I've taken to troubleshoot this so far:
    [PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
    Current WinHTTP proxy settings:
    Direct access (no proxy server).
    As you can see, direct access. Which is true, no proxies on this network.
    For good measure, I'll dump the urlcache.
    certutil -urlcache ocsp delete
    certutil -urlcache crl delete
    Both return 0, reboot server.
    Comes back up, same message in EMC.
    From PS, I test exactly what it's getting from GoDaddy.
    [PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
    Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
    Subject:
    CN=mail.fluxlabs.net
    OU=Domain Control Validated
    O=mail.fluxlabs.net
    Cert Serial Number: 27b60918638e0d
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotBefore: 8/20/2011 7:49 PM
    NotAfter: 8/20/2012 7:16 PM
    Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Serial: 27b60918638e0d
    SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
    33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
    ---------------- Certificate CDP ----------------
    Expired "Base CRL (05)" Time: 4
    [0.0] http://crl.godaddy.com/gds1-55.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com/
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
    Issuance[0] = 2.16.840.1.114413.1.7.23.1
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 11/15/2006 8:54 PM
    NotAfter: 11/15/2026 8:54 PM
    Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    Serial: 0301
    7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    Verified "Base CRL" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 6/29/2004 12:06 PM
    NotAfter: 6/29/2034 12:06 PM
    Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    Serial: 00
    27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    Exclude leaf cert:
    b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
    Full chain:
    68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.
    As you can see, the "revocation server is offline."
    So I run the same test from another server on the LAN.
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and still failing to verify.

    [PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.Acces
    trol.CryptoKeyAccessRule}
    CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy
    , Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter : 8/20/2012 7:16:57 PM
    NotBefore : 8/20/2011 7:49:30 PM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 27B60918638E0D
    Services : IMAP, POP, IIS, SMTP
    Status : RevocationCheckFailure
    Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
    [PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
    The command has already been executed. Yes, I have seen those sites. Neither have worked. Like I said, it is directly connected; and no proxies are set.
    -- Jeremy MCSpadden Flux Labs

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example, "https://my-site.de/myapp/ma.jnlp" in a web browser, or can also call "javaws https://my-site.de/myapp/ma.jnlp", to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be OK; the browser is even configured to perform an OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate also seems to be OK. Regarding this certificate there are no problems with certificate revocation checks.
    The problem is that while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy", "Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
    Obviously the JVM runtime, which is executed on the user's workstation, tries to perform a revocation check for the webserver's certificate, but this fails because it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message, but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the webserver certificate over port 80? Our application developers told me there is no corresponding statement. Calling this address has to fail, while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a TLS revocation check? I mean by adjusting the application source code and not by configuring the user's Java Control Panel. When the TLS certificate revocation check is disabled in the Java Control Panel, the Web Start application executes without a warning message, but this is not a workable solution for our users.
    It would be great if someone could help me with a hint so I can point our developers in the right direction ;-)
    Many thanks!
    This is a part of the Java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry that this is in German... and also for my English above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

  • Authenticated proxy for cert revocation check

    Hi guys,
    Since upgrading to Java 7u25, Web Start will do a certificate revocation check at startup. Problem is, it seems to be ignoring the proxy authentication settings (I have it set up to use browser settings; tried switching to manual but there's no way to specify a username and password!) and it's locking my account because it tries to access the proxy without credentials. Even stranger, it seems to pass the revocation check eventually... so it seems it's only ignoring it long enough to fire a few failed login attempts. Any ideas how to get around this?

    Hi,
    Please try the following method.
    Certificate revocation checked failed:
    http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx
    Wendy Liu
    TechNet Community Support

  • How to disable checks for certificate revocation on Java 7 u25

    I have updated a standalone network to Java 7 update 25.  With this new version is an option to "Perform certificate revocation checks on".  Since this checks against sources published to the outside network, it fails to allow users on the standalone network to use some Java applications.  This is remedied by checking Do not check.  However, I need to be able to push this setting out to all users on the network.
    Does anyone have or know a way to make this change through the registry or a config file?

    For Internal webauth - HTTP & HTTPs redirection is possible on 7.0 & 7.2 code on WLC. See the difference below.
    On 7.0 code both webauth redirection & wlc management were global, Disabling http management disables http webauth redirection, same for https as well. This behavior is changed in 7.2.
    On 7.2 code, you can have both HTTP & HTTPs management enabled and configure either HTTP or HTTPs redirection. Use the below command to control http or https redirection.
    (Cisco Controller) >config network web-auth secureweb enable/disable
    Enable   -     Enables https for web-auth redirection.
    Disable  -     Enables http for web-auth redirection.

  • RDS Gateway 2012, RemoteApp Displays "A Revocation check could not be performed for the Certificate" via RDWEB

    I have searched through the forums and there are a number of posts that are similar but all the checks they list seem to not apply to this one.
    My current setup is as follows
    All Servers are 2012 R2
    1 x DC server
    1 x RDS Gateway server with RDS Web installed
    1 x Session Host Server
    Certificate supplied by GoDaddy with 5 names. (Included is the name of the RDS Gateway/Web server in the certificate; the internal name of the session host server is not included as the internal names are different to the external.)
    My tests are as follows
    Navigating to the RDSWEB page from a machine inside the same network (Windows 7 SP1) but not on the same domain is fine, no errors, and logging in and launching any published application is fine with no errors.
    However, logging in on another machine that is external from the network (Windows 7 SP1) is OK up to the point of launching any of the published apps, where I get the error "A Revocation check could not be performed for the Certificate". This prompts twice but does allow you to continue and log in and use the app till the next time. If I view the certificate from the warning message all appears to be OK with all certs in the chain.
    I have imported the root and intermediate certs to each of the gateway/rdsweb server and session host server into the computer cert store just to be on the safe side. This has not helped. I have also run the following command from both Windows 7 machines with no errors on either
    certutil -f -urlfetch -verify c:\export.cer
    I can't seem to see where this is failing and I am beginning to think there is something wrong with the GoDaddy cert itself somehow.
    If I skip rdsweb and just use MSTSC with the gateway server settings then I can login to any machine on the network with no errors so this is only related to launching published apps on the 2012 R2 RDWEB or session host servers.
    Any help appreciated

    Hi,
    1. Please make sure the client PCs have mstsc.exe (6.3.9600) installed.
    2. If you are seeing a name mismatch error, you can set the published name via this cmdlet:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    To be clear, the above cmdlet changes the name that shows up next to Remote computer on the prompt you see when launching a RemoteApp.  You should have a DNS A record on your internal network pointing to the private ip address of your RDCB server. 
    Additionally, in RD Gateway Manager, Properties of your RD RAP, Network Resource tab, you should select Allow users to connect to any network resource or if you choose to use RD Gateway Managed group you will need to add all of the appropriate names to the group.
    For example, when launching a RemoteApp you would see something like Remote computer: rdcb.domain.com and Gateway server: gateway.domain.com .  Both of these names need to be on your GoDaddy certificate.
    Please verify the above and reply back so that we may assist you further if needed.  It is possible you have an issue with the revocation check but I would like you to make sure that the above is in place first.
    Thanks.
    -TP
    Thanks for the response.
    To be clear I am only seeing a name mismatch and revocation error if I assign a self-signed cert to the session host as advised earlier in the thread by "Dharmesh Solanki". If I remove this and assign the 3rd party certificate I then just get the revocation error. I have already run the PowerShell to change the FQDNs but this has not resolved the issue, although the RDP connection details now match the external URL for RDWEB when looking at one of the RemoteApp files. The workspace ID still shows an internal name though inside this same file.
    RD Gateway is already set to connect any resource; when connecting using RemoteApp both names (RDCB/RDGateway) show as being correct and are contained within the same UCC certificate. I also already have a DNS entry for the Connection Broker pointing to the internal IP.
    Do you know if I need the internal name of the session host servers contained within the same UCC certificate, seeing as they are different FQDNs than what I am using for external access? I re-signed the UCC certificate and included the internal name of the session host server to see if this would help but for some reason I am still seeing the revocation error. I will check on a Windows 8 client PC this evening to see if this gets any further, as the majority of the testing has been done on Windows 7 SP1 client PCs.
    Thanks

  • Exchange 2013 SP1 readiness check failing

    Trying to install our first Exchange 2013 SP1 server on Windows 2012 R2 in our datacentre, the readiness check fails with:
    Error:
    The Active Directory schema isn't up-to-date, and this user account isn't a member of the 'Schema Admins' and/or 'Enterprise Admins' groups.
    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.SchemaUpdateRequired.aspx
    There are many more errors relating to Enterprise admin rights etc.
    Please note that:
    My account is Domain admin, Schema admin and Enterprise admin member, it always has been.
    I tried the built-in AD Administrator which of course is part of the groups as well, no difference.
    Active Directory is at 2008 R2 for domain and forest functional levels.
    I tried rejoining the new Exchange designated server to the domain
    I've installed RSAT-ADDS, the Managed API 4.0 and all the other windows roles via powershell
    There is a local domain controller that is a global catalog server on the new Exchange server subnet
    I tried running the Exchange Setup on a different server on the same subnet as where the active 2010 Exchange server resides as well as the FSMO AD role holder resides, this works fine. I even did the AD prep from there no problem, that made no difference on the datacentre server
    AD replicates fine between the FSMO role holder and the Datacentre (no errors in dcdiag or repadmin /showrepl)
    This error is in the event log:
    The description for Event ID 4027 from source MSExchange ADAccess cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    ExSetupUI.exe
    6724
    Get Servers for domain.local
    TopologyClientTcpEndpoint (localhost)
    3
    System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService. The connection attempt lasted for a time span of 00:00:02.0475315. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:890. ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:890
    at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
    at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
    at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
    --- End of inner exception stack trace ---
    Server stack trace:
    at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
    at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
    at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
    at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at System.ServiceModel.ICommunicationObject.Open()
    at Microsoft.Exchange.Net.ServiceProxyPool`1.GetClient(Boolean useCache)
    at Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception)
    the message resource is present but the message is not found in the string/message table

    So I decided to re-install the OS, worked perfectly now. Only difference from before would be:
    SCCM hasn't pushed SCEP 2012 to the new build of the same server yet
    The original server was installed in a different AD site and then it was physically moved and reassigned to a new AD site and subnet
    I might have installed the pre-reqs in a slightly different order (RSAT-ADDS, all the IIS etc. things via PowerShell and then the UCM API 4.0; saw a few comments in other forums that the order of how you install them matters).
    10 or so Microsoft Windows updates haven't installed on the new OS build yet.
    Other than that, it's identical. But if it's not broken don't fix it, perhaps the above can help someone else though.

  • Windows Server 2012 - Backup failing with Exchange - The application will not be available for recovery from this backup. the consistency check failed

    Hi
    We have a Windows 2012 server with Exchange 2013, all is working fine except now I am getting issues with the backup.
    'Exchange - The application will not be available for recovery from this backup. the consistency check failed for the component Microsoft Exchange Server'
    I have checked the database, all is fine. I have created a new DB and moved all mailboxes over and then removed the old DB, I have enabled circular logging and then disabled it; it seems no matter what I do I cannot get a full backup!
    I did have to restore the server once and the backups still worked for about 4 days after that and then stopped. I have also tried to remove and re-add the backup role!
    I am stumped, any advice would be great!

    Hi
    OK, I created a test DB and tried to back it up right away, it failed; I did not add any mailboxes to it either. I got quite a few events in the Windows logs; as well as the same event above I got the following:
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2038
    Task Category: Exchange VSS Writer
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Microsoft Exchange VSS Writer backup failed. No log files were truncated. Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9. Database 4843b37c-7b3c-42b2-8b57-1393615c2c15.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="32772">2038</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261645</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>4843b37c-7b3c-42b2-8b57-1393615c2c15</Data>
      </EventData>
    </Event>
    AND
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2038
    Task Category: Exchange VSS Writer
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Microsoft Exchange VSS Writer backup failed. No log files were truncated. Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9. Database db5826f3-1029-4219-ad80-441a0e94537a.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="32772">2038</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261646</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>db5826f3-1029-4219-ad80-441a0e94537a</Data>
      </EventData>
    </Event>
    and
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2034
    Task Category: Exchange VSS Writer
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    The Microsoft Exchange Replication service VSS Writer (Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9) failed with error FFFFFFFC when processing the backup completion event.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="49156">2034</EventID>
        <Level>2</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261649</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>FFFFFFFC</Data>
      </EventData>
    </Event>
    and
    Log Name:      Application
    Source:        SPP
    Date:          21/01/2013 10:16:30
    Event ID:      16389
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Writer Microsoft Exchange Writer experienced retryable error during shadow copy creation. Retrying...  More info: .
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="SPP" />
        <EventID Qualifiers="0">16389</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261650</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Microsoft Exchange Writer</Data>
        <Data>
        </Data>
        <Data>The writer experienced a transient error.  If the backup process is retried, the error may not reoccur. (0x800423F3)</Data>
        <Data>
        </Data>
        <Binary>00000000A5120000981200000000000042BEB7C511CAC619E59C92030000000000000000</Binary>
      </EventData>
    </Event>

  • DPM 2012 R2 Rollup 4, Update Rollup 7 for Exchange Server 2010 SP3 backups with eseutil check fail

    Hi,
    It could be a coincidence, but ever since installing Update rollup 4 onto DPM 2012 R2, (which was at UR3 I believe) I haven't been able to complete an Exchange express full backup or consistency check with verification using Eseutil checked. If I have the eseutil check enabled I get the following error:
    Type: Consistency check
    Status: Failed
    Description: Data consistency verification check failed for LOGS of Exchange Mailbox Database Mailbox Database 2011112513 on SERVER.xxx. (ID 30146 Details: The process cannot access the file because it is being used by another process (0x80070020))
    Disabling the eseutil verification allows it to succeed, but I'm not happy to continue with that for too long.
    I've had this running for many years and this is the first real issue with Exchange; it's a single stand-alone Exchange database.
    Any ideas?
    Thanks,
    Andreas

    Andreas,
    The error is stating that something else has a handle to a file or files during the ESEUtil check. Typically this is AV. I have also seen where the Exchange limits are exceeded and that causes the issue.
    Please ensure you have the DPM AV exclusions for the DPM server and I would advise the DPMRA.exe on the PS. You can also try disabling or removing AV as a test.
    DPM AV exclusions -
    http://technet.microsoft.com/en-us/library/hh757911.aspx
    You may also want to test using eseutil against the logs outside DPM and see if that fails with a similar issue. Let us know. Thanks
    Regards, A.Nadar, This posting is provided "AS IS" with no warranties, and confers no rights.

  • 407 proxy error occured while checking certificate revocation

    Hello,
    A 407 proxy auth error occurred while checking the server certificate revocation.
    source code:
      var loader:URLLoader = new URLLoader();
      loader.load(new URLRequest("https://www.example.com/"));
    It works fine on Windows XP you know, but does not work on Vista and Win7
    under proxy authentication environment such as my office.
    Vista and Win7 were sending and receiving the following packets:
      1) client to squid: CONNECT www.example.com:443 HTTP/1.0
      2) squid to client: HTTP/1.0 200
      3) client to squid: Client Hello
      4) squid to client: Server Hello, Change Cipher Spec, Encrypted Handshake Message
      5) client to squid: Change Cipher Spec, Encrypted Handshake Message
      6) client to squid: GET http://ocsp.verisign.com/0123456789abcdef...
      7) squid to client: HTTP/1.0 407 Proxy Authentication Required
      8) client to squid: GET http://crl.verisign.com/foo.crl HTTP/1.1
      9) squid to client: HTTP/1.0 407 Proxy Authentication Required
    At 7), an HTTP 407 error occurred, but it is a correct response
    because the HTTP request at 6) does not have a Proxy-Authorization header.
    It seems that the request of 6) was sent by CryptoAPI.
    The only way to avoid this problem is to turn off the checkbox
    "Check for server certificate revocation*" in Internet Options of Internet Explorer.
    This problem occurred in both AIR 1.5.3 and 2.0b.
    Does anyone have a similar problem?
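
The packet sequence in steps 6) to 9) can also be confirmed from the proxy side. The following is an added example, not code from the original post: it scans Squid access.log lines for OCSP/CRL fetches that were answered with 407 and never retried with credentials. The log lines, host names and the rule for recognising a revocation URL are constructed assumptions.

```python
"""Added example: find revocation fetches that a proxy rejected with 407."""
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1262304000.101 12 10.0.0.21 TCP_DENIED/407 3912 CONNECT www.example.com:443 - HIER_NONE/- text/html
1262304000.420 95 10.0.0.21 TCP_MISS/200 5120 CONNECT www.example.com:443 alice HIER_DIRECT/192.0.2.10 -
1262304001.007 3 10.0.0.21 TCP_DENIED/407 3950 GET http://ocsp.ca.example/req1 - HIER_NONE/- text/html
1262304001.250 2 10.0.0.21 TCP_DENIED/407 3948 GET http://crl.ca.example/foo.crl - HIER_NONE/- text/html
1262304002.700 2 10.0.0.34 TCP_DENIED/407 3948 GET http://crl.ca.example/foo.crl - HIER_NONE/- text/html
1262304002.800 40 10.0.0.34 TCP_MISS/200 1780 GET http://crl.ca.example/foo.crl bob HIER_DIRECT/192.0.2.20 application/pkix-crl
1262304003.100 2 10.0.0.34 TCP_DENIED/407 3900 GET http://www.example.org/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format log line into the fields used below."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line
    result, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "result": result,
        "status": status,
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
    }


def is_revocation_url(url):
    """Heuristic (an assumption): host named ocsp.* / crl.* or a path ending in .crl."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # e.g. a CONNECT target such as host:443
    host = (parts.hostname or "").lower()
    return host.startswith(("ocsp.", "crl.")) or parts.path.lower().endswith(".crl")


def unauthenticated_revocation_fetches(lines):
    """Return {(client, url): count} for revocation fetches that got a 407
    without credentials and were never followed by an authenticated 2xx."""
    denied = {}
    satisfied = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_revocation_url(entry["url"]):
            continue
        key = (entry["client"], entry["url"])
        if entry["status"] == "407" and entry["user"] == "-":
            denied[key] = denied.get(key, 0) + 1
        elif entry["status"].startswith("2") and entry["user"] != "-":
            satisfied.add(key)  # normal challenge/response completed
    return {k: n for k, n in denied.items() if k not in satisfied}


if __name__ == "__main__":
    hits = unauthenticated_revocation_fetches(SAMPLE_LOG.splitlines())
    for (client, url), count in sorted(hits.items()):
        print(f"{client} {count}x 407, never authenticated: {url}")
```

A client that completes the proxy challenge (10.0.0.34 in the sample) is not reported; only fetches that stay unauthenticated are.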

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt.
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
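
The CDP/AIA layout recommended in the reply above can be checked mechanically. The following is an added example, not code from the thread: it lints the URLs found in a certificate's CDP and AIA extensions against that recommendation and decodes an LDAP CDP path, where "%20" is the URL-encoded space in "Public Key Services". The CA name, host names and domain are constructed placeholders modelled on a default AD CS configuration.

```python
"""Added example: lint CDP/AIA URLs against the 'single HTTP URL' recommendation."""
from urllib.parse import urlsplit, unquote

# Constructed extension values (placeholders, not taken from the thread).
CDP_URLS = [
    "ldap:///CN=EXAMPLE-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=example,DC=test"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "file://ca01.example.test/CertEnroll/EXAMPLE-CA.crl",
]
AIA_CA_ISSUERS = ["http://pki.example.test/EXAMPLE-CA.crt"]
AIA_OCSP = []  # no OCSP responder URL in this sample certificate

# The layout the reply recommends, with the same placeholder host names.
RECOMMENDED_CDP = ["http://pki.example.test/EXAMPLE-CA.crl"]
RECOMMENDED_OCSP = ["http://ocsp.example.test/ocsp"]


def ldap_dn(url):
    """Return the percent-decoded DN of an ldap:// URL ('%20' becomes a space)."""
    return unquote(urlsplit(url).path.lstrip("/"))


def scheme_findings(extension, urls):
    """Report every URL whose scheme is not plain http."""
    findings = []
    for url in urls:
        scheme = urlsplit(url).scheme.lower() or "unknown"
        if scheme != "http":
            findings.append(f"{extension}: {scheme} URL, expected http: {url}")
    return findings


def count_finding(extension, urls):
    """Report an extension that does not carry exactly one URL."""
    if len(urls) != 1:
        return [f"{extension}: {len(urls)} URLs, expected exactly 1"]
    return []


def lint_cdp(urls):
    """CDP: a single HTTP URL."""
    return scheme_findings("CDP", urls) + count_finding("CDP", urls)


def lint_aia(ca_issuers, ocsp):
    """AIA: one HTTP URL for the CA certificate and one for the OCSP service."""
    return (
        scheme_findings("AIA caIssuers", ca_issuers)
        + scheme_findings("AIA OCSP", ocsp)
        + count_finding("AIA caIssuers", ca_issuers)
        + count_finding("AIA OCSP", ocsp)
    )


if __name__ == "__main__":
    print("Decoded LDAP DN:", ldap_dn(CDP_URLS[0]))
    for finding in lint_cdp(CDP_URLS) + lint_aia(AIA_CA_ISSUERS, AIA_OCSP):
        print("FINDING", finding)
    # The recommended layout produces no findings.
    print(lint_cdp(RECOMMENDED_CDP) + lint_aia(AIA_CA_ISSUERS, RECOMMENDED_OCSP))
```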

  • Database redundancy health check failed ( Exchange 2010 sp3 )

    Hello all,
    One of the mailbox servers has been getting the following error in application; sometimes RealCopyQueu is 256 and sometimes 0 and healthy.
    Kindly share how I can resolve it, please.

    Hi,
    I suggest we refer to the following article to troubleshoot this issue. Run Database Redundancy Check Script.
    http://social.technet.microsoft.com/Forums/exchange/en-US/b1cfbc4b-b17d-4148-adce-1a565d0f5746/exchange-2010-event-id-4113-msexchangerepl-health-check-failed
    Regards,
    Simon Wu
    TechNet Community Support

  • Online certificate check failed

    I downloaded Viber a while ago on my Nokia 5230 and it was working perfectly. Recently when I opened Viber on my phone I received a message saying that there's a new version of Viber available on Ovi Store that I should get. Which I did. But when updating Viber my phone says online certificate check failed. And the installation stops there. What does that mean? Can someone please help? This is highly frustrating. Almost smashed my phone because of that. Please help.

    Tasha0190 wrote:
    I received a message saying that there's a new version of viber available on ovi store that I should get. Which I did.
    I guess, you used this item.
    Although scoobyman’s answer solves this issue, it opens up your Nokia to viruses and other bad applications. Signing makes sure the author of the app is the one he claims to be. Signing makes the author responsible for what he does. If an author does something bad, his certificate gets revoked. OCSP makes sure the signature is still good. Therefore, revert these two settings after you have installed an app you trust.
    Furthermore, an application from the Nokia Store should work with any setting. Any error or warning message is not acceptable and should be forwarded to the Nokia Store team for further analysis.
    a) Menu » Settings » Installations » Installations settings » Software installation
    The state of this item does not matter because Viber is signed correctly. Therefore, ‘Signed only’ works for Viber and is recommended.
    b) Menu » Settings » Installations » Installations settings » Online certificate check (OCSP)
    The state of this item does matter. Therefore, please set it at least to ‘On’. In Wireshark, I checked that the certificate is not revoked but good. Therefore, I have no idea what is wrong here. This is not normal.
    Conclusion:
    Set ‘Online certificate check’ from ‘must be passed’ to ‘On’. If you still get the installation security warning ‘Unable to verify supplier’, report this to the Nokia Store team for further investigation.
    Change ‘Software installation’ to ‘off’ only when you absolutely trust that app. Revert ‘Software installation’ to ‘signed only’ after the installation of that single particular app.

  • How can you set Firefox to, or tell if FF is always checking for certificate revocation?

    I am anticipating a number of certificate revocations related to the Heartbleed vulnerability, and would like to be able to check whether Firefox is checking for revocation, and tell it to if not.

    For this heartbleed issue you can also temporarily disable OCSP Stapling by setting the security.ssl.enable_ocsp_stapling pref to false on the about:config page.
    Make sure to check in a few days if you still need this workaround and if necessary reset the pref to true.
