I am attempting to set up SSTP. Here is the environment.
- Cert. Authority - Server 2003R2 - residing on the Exchange Server
- Domain controllers are Server 2003R2 as well
- VPN is Server 2012
- VPN client is Windows 7
I have spent about 1 1/2 days researching and troubleshooting this. If I ignore the CRL, it will connect over SSTP, so port forwarding and firewall settings seem correct.
I have read the following post about CDPs and CRLs/deltas and made some modifications to the CA server, but it is still not working and I still get the 80092013 error. http://social.technet.microsoft.com/Forums/windowsserver/en-US/d8fe8fe7-8036-49c4-bf33-92ca28b9f863/win-7-sstp-vpn-client-fails-with-error-0x80092013-when-rras-certificate-issued-by-enterprise-ca?forum=winserversecurity
Below is the output of certutil -urlfetch -verify vpn.cer (which was run on the VPN client laptop, on an external network):
Issuer:
    CN=CA.mydomain.com
    DC=mydomain
    DC=Local
Subject:
    CN=VPN.mydomain.com
Cert Serial Number: 4bb1df910002000001ba

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 41 Minutes, 6 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 41 Minutes, 6 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
  NotBefore: 1/29/2014 12:07 PM
  NotAfter: 1/29/2016 12:17 PM
  Subject: CN=VPN.mydomain.com
  Serial: 4bb1df910002000001ba
  SubjectAltName: DNS Name=VPN.mydomain.com
  Template: 1.3.6.1.4.1.311.21.8.7162773.12354232.4148156.5417495.11387803.206.13619044.6996949
  fd 71 00 ea 70 17 d8 b2 9d 5e 76 3f 3b 27 97 b0 2a 3c eb b7
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=CA.mydomain.com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=Local?cACertificate?base?objectClass=certificationAuthority
  Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://CAserver.mydomain.local/CertEnroll/CAserver.mydomain.Local_CA.mydomain.com(2).crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0992)" Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl
  Verified "Delta CRL (0992)" Time: 0
    [0.0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com+.crl
  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (0992)" Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com+.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 0992:
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    ef 97 87 b3 50 75 1c cf 5c fe f5 df 2a 3a 8b 7f e9 3e 8a 7b
    Delta CRL 0992:
    Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
    e9 3f ed 40 b8 0e 95 49 c5 e2 8f ca 7c 82 66 f1 99 c5 88 15
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=CA.mydomain.com, DC=mydomain, DC=Local
  NotBefore: 5/17/2007 12:32 PM
  NotAfter: 1/30/2019 11:35 AM
  Subject: CN=CA.mydomain.com, DC=mydomain, DC=Local
  Serial: 6be70935b971c19840ca54c62ca9a02f
  Template: CA
  8b 7b c1 ef 55 1a 1c 8a fd a0 e9 ae 01 05 4a 6a d8 25 ba 6c
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0992)" Time: 0
    [0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl
  Verified "Delta CRL (0992)" Time: 0
    [0.0.0] http://CA.mydomain.com/CertEnroll/CA.mydomain.com+.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  5b a0 99 e3 ba 13 91 bf a4 6d 5d 7e fa ec 69 63 cc 90 67 73
Full chain:
  5c 80 5e 69 49 d2 6a 81 bb be 29 50 31 17 50 dc fb 20 6c 75
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.8.2.2 IP security IKE intermediate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
I can also retrieve the CRL from http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl from the vpn client laptop
I appreciate any advice or pointers... I have really hit a wall here.
Thanks,
Sam
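The certutil output above shows two different outcomes for the URLs embedded in the RRAS server certificate: both AIA URLs (the ldap:/// path and the http://CAserver.mydomain.local/... path) fail from the external client, while the CDP URLs on http://CA.mydomain.com/... are verified. The script below is an added example, not code from the original post or from Microsoft; it pulls the AIA and CDP extensions out of the exported server certificate and tests each HTTP URL from the client, so the same reachability picture can be reproduced without reading through the full certutil dump. Assumptions not taken from the post: the certificate is exported to C:\temp\vpn.cer (hypothetical path), the client runs PowerShell 3.0 or later (for Invoke-WebRequest), and ldap:/// URLs are reported as skipped because an external client cannot reach the domain's LDAP directory.

```powershell
# Added example (not from the original post): enumerate the AIA and CDP URLs in
# the SSTP/RRAS server certificate and test each HTTP URL from the VPN client,
# mirroring the "Certificate AIA" / "Certificate CDP" sections of
# "certutil -urlfetch -verify vpn.cer".
# Assumed (hypothetical) path for the exported certificate; change as needed.
param([string]$CertPath = 'C:\temp\vpn.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Extension OIDs: 1.3.6.1.5.5.7.1.1 = Authority Information Access (issuer cert
# download), 2.5.29.31 = CRL Distribution Points (base/delta CRL download).
$oids = @{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }

$results = foreach ($ext in $cert.Extensions) {
    if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
    $kind = $oids[$ext.Oid.Value]

    # Format($true) renders the extension as multi-line text with one "URL=..."
    # entry per access method / distribution point; pull the URLs out of it.
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $status = if ($url -like 'ldap:*') {
            # Assumption: an external client has no path to the domain's LDAP
            # directory, so this URL is expected to fail outside the LAN.
            'SKIPPED (ldap:/// is only reachable on the internal network)'
        } else {
            try {
                # Fetch the object the way the client's chain engine would over HTTP.
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                "OK HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
            } catch {
                # DNS failures (e.g. an internal-only hostname) and HTTP errors land here.
                "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Kind = $kind; Url = $url; Result = $status }
    }
}

# One row per URL: which extension it came from, the URL, and whether the
# client could fetch it. Run this from the external network, like the certutil test.
$results | Format-Table -AutoSize -Wrap
```

Run it from the same external network as the certutil test; an AIA entry that reports FAILED with a name-resolution message corresponds to the 0x80072ee7 (WIN32: 12007) line in the certutil dump, and a CDP entry reporting OK corresponds to the "Verified" lines for the base and delta CRL.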