# citrix-vad
j
I have disabled the revocation check in a bid to get things going again, but it's still not grafting... I also see this:
The FAS servers/console look healthy, I've tried re-authorising etc., all green... ideas welcome 🙂
s
Check any patches applied
j
No updates... by the looks of it, it started happening at 2pm on Friday...
s
Any cert update or security hardening?
j
No changes... apparently...
The revocation check errors have stopped since I disabled the check... but users still get the logon prompt when launching an app/desktop...
Got this from the VDA... it's a revocation issue for sure...
d
Do you have access to the CA? If yes, check pkiview.msc for errors regarding CRL and CDP publishing
g
The revocation check is performed in every stage where a certificate is used. We had the same issue after the server that hosted the CRL was moved and the firewall wasn't updated.
You can open the intermediate cert and find the URL used for the CRL check there, and see if there is any response from that server via a web browser or similar.
j
Awesome... thanks lads will have a look 🙂
Odd... I confirmed the revocation HTTP location... I can download the revocation file/list from the FAS servers and VDAs...
g
Is that URL using http or https? If https, maybe the certificate has expired?
h
CRL / AIA / OCSP need to be golden; you can't just change them and expect them to update, every cert then needs to be renewed for revocation checks to be active. HTTP is the normal standard for this, and if it's still the default, everything gets bloated in AD DS.
g
Also, check the event log on the CA server, that might contain more details.
h
Re-publish your CRL, then run pkiview.msc again and revoke the CAExchange cert so that it gets an update and will not use the cache.
j
Cool... the FAS servers are configured as a Subordinate CA... does it need to be the root? I will have a look and see if there is anything of interest...
h
No, that doesn't make any difference, it can be a subordinate or root.
Is your root still looking at an active CRL as well?
That one also, if you do it correctly, needs to be turned on again, let's say every year, to publish the CRL (if you have an offline root CA).
j
Ahh ok... the root is offline and has been since FAS was set up... and I think it was about a year ago...
That would make sense..
h
I think you need to turn on the root and publish/copy the CRL file to your CRL location
j
Got it... the root is online but I've not got access... trying to get someone that does, cheers
h
But pkiview.msc should also show you that;
the root will have a red cross thingy on its CRL.
j
Yup... that's it Henry... I can see it expired on Friday...
h
Yeah... and it's also a bit yucky with file locations being published as a valid CRL.
Normally you don't want to see anything in there besides a valid HTTP location.
g
Tip: leave a task for yourself in the calendar 11 months from now to update this... 🙂
j
Thanks folks, so in order to fix this I will need access to the root, yeah?
h
Yes, correct, they need to turn on the root,
publish a new CRL file under the Revocation tab,
copy that out and put it in the location that serves the CRL to clients,
validate the entire flow with pkiview.msc afterwards,
and of course turn off the root again.
j
Got it Henry... this could be affecting other services in addition to Citrix, right?
Citrix is all Ive heard of at this stage...
h
And if you want some consultancy hours' advice: use a cleaner root setup 🙂 with HTTP CRL only, and the subordinate the same with an addendum for OCSP.
Yes, this would impact all CA-related certificate and revocation services,
and especially smartcard logon / Kerberos things.
I would think Wi-Fi controllers would have some issues as well.
j
Of course their admin who normally manages this is off! 😛
c
Same thing happened to us a few months ago: the offline Root CA CRL expired, had to republish it and copy it to the subordinate CA.
j
Thanks, John. I was looking at Aaron's article earlier... managed to get it sorted. I had to re-enrol domain auth on the DCs, but that was probably due to me re-authing/deploying templates etc. before I realised it was the CRL... all good now, cheers 🙂