Hi
I have two domains, domain A and domain B, with no trust whatsoever between them. Our corporate network belongs to domain A; domain B is a domain for remote users.
For example, we have Exchange in Domain A and Domain B users can log on to OWA (NOT Outlook), and now we would like to test S/MIME. We have a CA in domain A and one in Domain B; all clients in Domain A trust domain B's root certificate.
I have a web server in domain B where I publish the CRL for domain B; port 80 is open and I see that domain A's Outlook tries to check the CRL for domain B users.
Error message: Warning:
The Certificate Revocation List needed to verify the signing certificate is either unavailable or it has expired.
Signed by user1@domain.com using RSA/SHA1 at 9:22:56 PM 9/18/2013.
From CMD in Domain A I tested following on a user certificate from domain B: certutil -verify -urlfetch adm.cer
Result:
Issuer:
CN=XXXX-CA
DC=Domain
DC=Com
Subject:
E=Administrator@mydomain.se
CN=Administrator
CN=Users
DC=Domain
DC=Com
Cert Serial Number: 13b046c3000000000015
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 49 Minutes, 54 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 49 Minutes, 54 Seconds
CertContext[0][0]: dwInfoStatus=902 dwErrorStatus=0
Issuer: CN=XXXX-CA, DC=Domain, DC=COM
NotBefore: 9/19/2013 2:02 PM
NotAfter: 9/19/2014 2:02 PM
Subject: E=Administrator@mydomain.se, CN=Administrator, CN=Users, DC=domain, DC=com
Serial: 13b046c3000000000015
SubjectAltName: Other Name:Principal Name=Administrator@domain.com, RFC822 N
ame=Administrator@domain.com
Template: User
01 76 1b d6 44 e8 c6 30 2e 75 d7 cf a0 9e e0 4a 84 96 aa f7
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
ldap:///CN=XXXX-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services
,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectClass=certificatio
nAuthority
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
ldap:///CN=XXXX-CA,CN=WWWserver,CN=CDP,CN=Public%20Key%20Service
s,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base
?objectClass=cRLDistributionPoint
Verified "Base CRL (7d)" Time: 0
[1.0] http://wwwserver.domain.com/CertEnroll/XXXX-CA.crl
Failed "CDP" Time: 0
Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
[1.0.0] ldap:///CN=XXXX-CA,CN=WWWserver,CN=CDP,CN=Public%20Key%2
0Services,CN=Services,CN=Configuration,DC=domain,DC=com?deltaRevocationList?ba
se?objectClass=cRLDistributionPoint
Verified "Delta CRL (7d)" Time: 0
[1.0.1] http://wwwserver.domain.com/CertEnroll/XXXX-CA+.crl
Verified "Delta CRL (7d)" Time: 0
[1.0.2] http://wwwserver.domain.com/CertEnroll/XXXX-CA+.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
ldap:///CN=XXXX-CA,CN=WWWserver,CN=CDP,CN=Public%20Key%20Service
s,CN=Services,CN=Configuration,DC=domain,DC=com?deltaRevocationList?base?objec
tClass=cRLDistributionPoint
OK "Delta CRL (7d)" Time: 0
[1.0] http://wwwserver.domain.com/CertEnroll/XXXX-CA.crl
OK "Delta CRL (7d)" Time: 0
[2.0] http://wwwserver.domain.com/CertEnroll/XXXX-CA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 7d:
Issuer: CN=XXXX-CA, DC=domain, DC=com
af 8e 31 53 69 2e a6 f1 c8 99 bc e4 e4 31 19 ad de 4f cd 94
Delta CRL 7d:
Issuer: CN=XXXX-CA, DC=domain, DC=com
2f 2b ad 7f 96 b4 45 20 88 ac 82 40 61 a3 54 87 cb bf f7 df
Application[0] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=XXXX-CA, DC=domain, DC=com
NotBefore: 5/17/2013 2:36 PM
NotAfter: 5/17/2018 2:46 PM
Subject: CN=XXXX-CA, DC=domain, DC=com
Serial: 6dd10b545a9365b642afd71305310274
8e 1f e0 e7 43 3b 43 00 c2 06 10 f5 10 0f 4a d1 f9 4f 67 b9
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
6b 57 07 15 da 47 88 2d 12 63 53 8e 78 fb 6e 38 84 a2 3b 02
Full chain:
8a 46 cd 2a 13 00 e9 c2 19 1d bf f4 a5 e5 21 4b 3d fe 26 47
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.311.10.3.4 Encrypting File System
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully
Can someone tell me why it doesn't work?
Br
Mikael
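Added example, not from Mikael's post or from Microsoft's tooling: it rebuilds the situation the certutil dump shows (a CDP extension listing an LDAP URL before an HTTP URL) with a constructed CA, user certificate and 7-day CRL, then applies the checks a relying party in the other domain can actually perform. The CA name, URLs, serial number and timestamps are constructed, and the `cryptography` Python package is assumed.

```python
# Constructed PKI mirroring the post: an LDAP CDP (unreachable without a trust)
# followed by an HTTP CDP, and a CRL whose nextUpdate is 7 days out.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

NOW = datetime(2013, 9, 19, 12, 0, tzinfo=timezone.utc)  # constructed clock
AFTER_EXPIRY = NOW + timedelta(days=8)                    # past the CRL's nextUpdate
CDP_URLS = [  # same ordering as the certutil dump: LDAP first, then HTTP
    "ldap:///CN=XXXX-CA,CN=CDP,DC=domain,DC=com?certificateRevocationList",
    "http://wwwserver.domain.com/CertEnroll/XXXX-CA.crl",
]

def build_pki():
    """Constructed CA, user cert carrying the CDP extension, and a CRL with one revoked serial."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "XXXX-CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(NOW - timedelta(days=30)).not_valid_after(NOW + timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(u) for u in CDP_URLS],
        relative_name=None, reasons=None, crl_issuer=None)])
    user = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "user1")]))
            .issuer_name(ca_name).public_key(user_key.public_key())
            .serial_number(0x13b046c3000000000015)  # serial from the dump, constructed cert
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder().serial_number(0x42)
               .revocation_date(NOW - timedelta(hours=2)).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, user, crl

def cdp_urls(cert):
    """CDP URIs in the order the certificate lists them (clients try them in this order)."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def fetchable_from_foreign_domain(urls):
    """Without a trust, LDAP CDPs in the other forest cannot be queried; only HTTP remains."""
    return [u for u in urls if u.lower().startswith("http://")]

def crl_status(crl, ca, cert, now=NOW):
    """The checks behind Outlook's warning: issuer signature, nextUpdate not passed, serial absent."""
    if not crl.is_signature_valid(ca.public_key()):
        return "invalid-signature"
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if nxt < now:
        return "expired"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

If the only usable CDP is the HTTP one, the web server publishing it must answer from domain A, and the CRL it serves must be re-published before its nextUpdate or every client in domain A sees the "unavailable or expired" warning.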