locked
Issue with CRL checking: 403 13 2148081683 RRS feed

  • Question

  • User-1617650022 posted

    Hello everyone,

    I have problems with server-side CRL control:

    I have some sites served by IIS on which access is made via digital certificate. On these sites is set anonymous authentication (the authentication is done by the application), so IIS is passing through the certificate, but at random intervals it happens that a number of users can not access through their certificate (they do not arrive at the application, they are blocked by the IIS).

    On the client they receive a 403 Forbidden, in the IIS logs I find the error code "403 13 2148081683"

    During these periods of "darkness" (which does not happen for all CA configured, so not all users are cut off, only some groups, sometimes not even all users of the same CA, which would make you to think about some problem on client side, but deactivating the CRL check on server side, all users pass), if I try to manually download the CRL through the CDP of the CA, I can always download the file, but users still can not access (of course I checked some spot certificate verifying that they were not actually revoked).

    We have already verified any possible connectivity problem (no proxy, public dns, firewall, routing, everything ok)

    Activating the CAPI2 log I find the most disparate errors, often I find the error "The revocation function was unable to check revocation because the revocation server was offline", but I don't understand the reason why, because if I try to manually download the CRL I can always download it

    I hope someone can help me. Thank you.

    Roberto

    Monday, February 25, 2019 8:08 AM

All replies

  • User-848649084 posted

    Hi Roberto,

    Firstly check that you pass valid certificate means a certificate have its CRL and IIS can access those CRL Url in order check certificate is revoked or not.If it attach invalid certificate with expired date and time or invalid CRL or IIS is unable to reach CRL you might get this error.

    To solve the issue export certificate from your personal certificate store,example an SCCM client certifiate to your your C: drive. open command prompt with proper rights and type:

    certutil -url “C:\Certificate.cer”

    Check if the CRL can be varified.Open the CRL manually and check that BASE and DELTA are not expired. In this case, the AD CS service wasn’t started and the Delta CRL’s were not up-to-date. The service may have been crashed because the startup type was set to “Automatic”.

    You could prefer below article for more detail:

    Regards,

    Jalpa.

    Tuesday, February 26, 2019 2:26 AM