From time to time, I can't verify the expiration of my client certificate on IIS.

I have an IIS web server and a CA (AD CS) server built on a 2008R2 virtual machine.
I require a client certificate in order to access the web server.
It works very well but FROM TIME TO TIME, a 403 error code is returned.
According to the trace log (FailedReqLogFiles), a 0x80092013 error occurs.
Once this 403 error occurs, it lasts for about an hour and then everything goes back to normal.
In order to find out what the problem is, I have done this setup:
- CRL has a publication time of 1 hour
- (Delta CRL) has a publication time of 30 minutes.
also:
- Both web server and CA server are not on a domain but a workgroup
- The CA certificate is registered on the web server & client in the root & intermediate certificate registrar.
- Both setups are patched to the latest Windows update
As far as I've checked the log:
- on the web server log (source: CAPI2), there is an event ID 53 almost every hour for both the CRL & delta CRL
but before the problem occurs the event ID 53 is only reported for the delta CRL and nothing for the CRL.
- By the way, in System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects, the .crl file for the problematic update is only present for the delta CRL.
- On the CA server's IIS access log, only the delta CRL access is recorded.
- Below is the log from the CA server IIS's access log (XXX-CA is for anonymity's sake):
2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
- I think that the 403 error is due to the fact that this CRL is not being reached, but why would this happen?
- Is there another way than restarting the OS to clear this problem in a shorter time than 1 hour?
side note:
- this problem happens on the client setup too.
- the log is shortened, but if there is any filter to apply to get better information, please tell me.
I would appreciate any help on this matter!
nb:
this is a translation from a Japanese text.
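The quoted access log can be checked mechanically for the symptom described above: a delta CRL download with no base CRL download shortly before it, which is consistent with 0x80092013 (CRYPT_E_REVOCATION_OFFLINE, the chain engine reporting it could not obtain a fresh CRL). This is an added Python example, not code from the thread; it embeds the five quoted log lines as a constructed sample and assumes the default W3C field order shown there and the 1-hour base CRL publication interval stated in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the five CA-server IIS access-log lines quoted in the question.
# Base CRL: XXX-CA(1).crl; delta CRL: XXX-CA(1)+.crl (the '+' marks the delta).
SAMPLE_LOG = """\
2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
"""

# Assumed W3C field order (as in the sample): date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus ...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ GET "
    r"(?P<uri>\S+\.crl) \S+ \d+ \S+ (?P<client>\S+) \S+ (?P<status>\d{3}) "
)

def parse_crl_fetches(log_text):
    """Successful CRL downloads as (timestamp, client, is_delta), in log order."""
    fetches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
            fetches.append((ts, m["client"], m["uri"].endswith("+.crl")))
    return fetches

def delta_only_fetches(fetches, pair_window=timedelta(minutes=5)):
    """A healthy refresh downloads the base CRL and then its delta within seconds.
    Return timestamps of delta downloads with no base download from the same client
    in the preceding pair_window: the symptom described in the question."""
    return [
        ts for ts, client, is_delta in fetches
        if is_delta and not any(
            not d and c == client and ts - pair_window <= t <= ts for t, c, d in fetches
        )
    ]

def base_crl_gaps(fetches, expected=timedelta(hours=1), slack=timedelta(minutes=10)):
    """(previous, current, gap) for consecutive base-CRL downloads further apart than
    expected + slack. 'expected' assumes the 1-hour base CRL publication interval."""
    bases = sorted(t for t, _, d in fetches if not d)
    return [(a, b, b - a) for a, b in zip(bases, bases[1:]) if b - a > expected + slack]

if __name__ == "__main__":
    fetches = parse_crl_fetches(SAMPLE_LOG)
    for ts in delta_only_fetches(fetches):
        print(f"{ts}: delta CRL fetched without a fresh base CRL")
    for a, b, gap in base_crl_gaps(fetches):
        print(f"no base CRL download between {a} and {b} ({gap})")
```

On the sample, the 11:52:05 delta download is flagged and the base CRL gap 10:51:34 to 12:52:22 (2:00:48) exceeds the publication interval, matching the hour-long 403 window the question reports.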

Hi,
The error message will occur if IIS cannot download the CRLs of the client certificate, in other words, if the CA is shut down or there are network connectivity issues between the web server and the CA when Internet Information Services tries to download the client certificate's CRL.
Therefore, please make sure that there is no network connectivity issue between the web server and the CA; you can find the IP address of the problem CDP server and then add an entry to the HOSTS file on the IIS computer.
Here are some related KB articles below I suggest you refer to:
IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked
http://support.microsoft.com/kb/294305/en-us
You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0
http://support.microsoft.com/kb/884115/en-us
Best Regards,
Amy
