From time to time, I can't verify the expiration of my client certificate on IIS.

I have an IIS web server and a CA (AD CS) server built on a 2008 R2 virtual machine.
I require a client certificate in order to access the web server.

It works very well, but FROM TIME TO TIME a 403 error code is returned.
According to the trace log (FailedReqLogFiles), a 0x80092013 error occurs.
Once this 403 error occurs, it lasts for about an hour and then everything goes back to normal.

In order to find out what the problem is, I have set up:

- CRL has a publication time of 1 hour
- Delta CRL has a publication time of 30 minutes.

Also:
- Both the web server and the CA server are not on a domain but in a workgroup
- The CA certificate is registered on the web server & client in the root & intermediate certificate stores.
- Both setups are patched to the latest Windows updates

As far as I've checked the logs:
- In the web server log (source: CAPI2), there is an event ID 53 almost every hour for both the CRL & delta CRL,
but before the problem occurs, event ID 53 is only reported for the delta CRL and nothing for the CRL.
- By the way, in System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects, the .crl file for the problematic update is only present for the delta CRL.
- In the CA server's IIS access log, only the delta CRL access is registered.
- Below is the CA server's IIS access log (XXX-CA is for anonymity's sake):
2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
- I think that the 403 error is due to the fact that this CRL is not being reached, but why would this happen?
- Is there another way than restarting the OS to clear this problem in less than an hour?
Side note:
- This problem happens on the client setup too.
- The log is shortened, but if there is any filter to apply to get better information, please tell me.

I would appreciate any help on this matter!

NB:
This is a translation from a Japanese text.
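The pattern the poster spotted by eye in the CA's IIS log (a delta CRL being downloaded again while the base CRL is not) can be checked mechanically. The script below is an added example, not code from the original post or from any Microsoft tool. It parses IIS W3C access-log lines in the default field order the post's log uses, keeps the time of the last base-CRL fetch per client, and flags any delta-CRL fetch that arrives more than one base-CRL publication interval (the poster's 1 hour) after that, or with no base fetch at all. The one-hour threshold, the sample lines and the anonymised addresses are assumptions constructed for the example; real CRL validity also depends on the CA's overlap settings, so the threshold is a parameter.

```python
"""Flag delta-CRL downloads in an IIS access log that were not preceded by a
fresh base-CRL download from the same client.

Added example (not the poster's code).  Assumptions not taken from the post:
the IIS W3C field order is the default one visible in the post's log
(date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken), and a
delta fetch is "suspicious" when the same client's last base-CRL fetch is
older than the base publication interval (1 hour in the post).
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log: same layout as the post's, with addresses shortened.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-04-16 10:51:34 fe80::1%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::2%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::1%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::2%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::1%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::2%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::1%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::2%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::1%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::2%10 Microsoft-CryptoAPI/6.1 200 0 0 202
"""

# Base CRL publication interval from the post (assumed equal to its refresh window).
BASE_CRL_PERIOD = timedelta(hours=1)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, client_ip, uri, http_status) for a .crl request.

    Directive lines (starting with '#'), blank lines and non-CRL requests
    return None so the caller can skip them.
    """
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 14:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    uri, client, status = f[4], f[8], int(f[10])
    if not uri.lower().endswith(".crl"):
        return None
    return ts, client, uri, status


def is_delta(uri: str) -> bool:
    """AD CS publishes the delta CRL as '<name>+.crl'; the base CRL has no '+'."""
    return uri.endswith("+.crl")


def find_stale_base(log_text: str, period: timedelta = BASE_CRL_PERIOD) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client, reason) for every delta-CRL fetch whose last
    base-CRL fetch from the same client is missing or older than `period`,
    plus any non-200 CRL response (the client did not get a usable CRL)."""
    last_base: Dict[str, datetime] = {}
    findings: List[Tuple[datetime, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, uri, status = rec
        if status != 200:
            findings.append((ts, client, f"HTTP {status} for {uri}"))
            continue
        if not is_delta(uri):
            last_base[client] = ts          # fresh base CRL delivered
            continue
        base_ts = last_base.get(client)
        if base_ts is None:
            findings.append((ts, client, "delta CRL fetched with no prior base CRL fetch"))
        elif ts - base_ts > period:
            findings.append((ts, client,
                             f"delta CRL fetched, base CRL last fetched {ts - base_ts} ago (> {period})"))
    return findings


if __name__ == "__main__":
    for ts, client, reason in find_stale_base(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {client}: {reason}")
```

On the constructed sample this reports exactly one entry, the 11:52:05 delta fetch that arrived 1:00:31 after the 10:51:34 base fetch, which is the window in which the poster sees the 403. Running the same filter over the full (unshortened) log, with the period adjusted to the CA's actual CRL validity rather than its publication interval, would show whether every outage lines up with a missed base-CRL refresh.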
