Vadims Podans
Vadims Podans 07.05.2011 02:36 (GMT+2) The case of SSTP VPN with public certificate and error 0x80092013

You have posted a trace against your CA certificate, but I need a trace against the SSTP SSL certificate. P.S. On the main page you can find contact information under my picture.

Robin Pichon-Varin
Robin Pichon-Varin 05.05.2011 22:27 (GMT+2) The case of SSTP VPN with public certificate and error 0x80092013

Thanks for your answer. Here is the output of the certutil command. I don't have your email; maybe it'd be easier to send you the results.

Émetteur:
CN=qo-PERSEPHONE-CA
DC=qo
DC=fr
Objet:
CN=qo-PERSEPHONE-CA
DC=qo
DC=fr
Numéro de série du certificat : 2d04b1d625ddf2874ce57bd7aab578df

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=qo-PERSEPHONE-CA, DC=qo, DC=fr
NotBefore: 03/05/2011 14:47
NotAfter: 03/05/2021 14:57
Subject: CN=qo-PERSEPHONE-CA, DC=qo, DC=fr
Serial: 2d04b1d625ddf2874ce57bd7aab578df
97 1d 0c bb c2 fb da 94 41 f5 cb 9d c7 8e 84 3b b5 2a ac 44
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- AIA de certificat ----------------
Pas d’URL "Aucun" Heure : 0
---------------- CDP de certificat ----------------
Pas d’URL "Aucun" Heure : 0
---------------- Protocole OCSP du certificat ----------------
Pas d’URL "Aucun" Heure : 0
--------------------------------
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
97 1d 0c bb c2 fb da 94 41 f5 cb 9d c7 8e 84 3b b5 2a ac 44
------------------------------------
Stratégies d’émissions vérifiées: Tous
Stratégies d’application vérifiées: Tous
Cert est un certificat d’autorité de certification
ERREUR : la vérification de l’état de révocation du certificat feuille a renvoyé La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613)
CertUtil: La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté.
CertUtil: -verify La commande s’est terminée correctement.

Vadims Podāns
Vadims Podāns 05.05.2011 03:54 (GMT+2) The case of SSTP VPN with public certificate and error 0x80092013

Can you show me the output of the command 'certutil -verify -urlfetch file.cer', where file.cer is your VPN server certificate? You need to run this command on the public client (the one that throws the error). You can email me the results. The problem can be caused by a root certificate trust issue. By default, corporate CAs (those installed in your AD forest) are automatically trusted by domain members, but not by members outside your forest.
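An added example, not code from the thread or from the PKI module: a PowerShell script that does on the failing client what the requested certutil run does, building the chain for the exported server certificate with online revocation checking that excludes the root, and first printing the CDP and AIA URLs the certificate carries, so you can see which revocation server the public client is expected to reach. The path C:\temp\file.cer is an assumption.

```powershell
# Added example: chain build plus revocation check for a certificate file,
# mirroring certutil -verify -urlfetch. Assumed input path below.
param([string]$CertPath = 'C:\temp\file.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Where does this certificate tell clients to fetch its CRL (CDP) and issuer cert (AIA)?
# If these URLs are only resolvable or reachable on the LAN, external clients
# cannot complete the revocation check.
foreach ($ext in $cert.Extensions) {
    if (@('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $ext.Oid.Value) {
        "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true)
    }
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Same semantics as CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT in the certutil trace:
# check every certificate online except the self-signed root.
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$ok = $chain.Build($cert)

"Chain valid: $ok"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "  {0}`n    status: {1}" -f $el.Certificate.Subject, $status
}
# Overall chain status. RevocationStatusUnknown together with OfflineRevocation
# is the .NET view of certutil's 0x80092013 (CRYPT_E_REVOCATION_OFFLINE);
# UntrustedRoot instead points at the root trust issue described above.
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```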

Robin Pichon-Varin
Robin Pichon-Varin 05.05.2011 02:07 (GMT+2) The case of SSTP VPN with public certificate and error 0x80092013

Hi, I think I've got the same or a similar problem as described in your article. I've set up an SSTP server using the Microsoft Step by Step guide for SSTP Deployment released in 2007. I did all the steps twice, and every time I try to connect my VPN from a public IP address, it fails with the message: "The revocation function was unable ....". On some blogs, the fix was to disable the CRL check on Seven clients: no result at all. Furthermore, unlike your example, I've installed my own CA (ADCS) and I use a certificate which is delivered by this CA and not by Thawte, Verisign or another trusted provider. The connections to the SSTP server are only successful when initiated from the LAN (the same as the SSTP server). Is my case affected by this problem, or have I got another problem with my CRL publishing? And how do you explain that the certificate chain and connection validation succeed when connecting on the LAN but fail when connecting from outside the LAN?

Unknown Identity
Unknown Identity 03.05.2011 18:42 (GMT+2) PowerShell PKI module

PowerShell must not throw an exception for non-existent properties, unless you try to assign a value to this property. As a result, if the property does not exist, the IF statement returns False and does not process this scriptblock.