Exchange 2013 Certificate Revocation Failed

Hi everyone,

I want to share my experience troubleshooting an interesting problem: the Exchange 2013 management interface (the Exchange Admin Center) showed the status of a certificate I had imported as "Revocation check failed".

So why is this happening? When Exchange 2013 enumerates the certificates in the computer store for the Exchange Admin Center, it checks the revocation status of each one to decide whether to show it as valid. To do that it has to download the CRL (Certificate Revocation List) from the URL in the certificate's CRL Distribution Points extension, which for a certificate from a public CA is a URL on the internet. If that download fails for any reason the certificate is not marked as revoked; it is shown as "Revocation check failed", which is a different condition and only means that the server could not obtain the CRL.

CRL Certificate Exch2013

This CRL download does not happen in the session of the administrator who is browsing the EAC. It runs in the background in the context of the Exchange services (I saw it happen after a server restart), which means it runs as the SYSTEM account. So the SYSTEM account is trying to download something from the internet, and it will use the proxy settings that Internet Explorer keeps for the SYSTEM account. Nobody ever configures those, so they sit at IE's default, which is "Automatically detect settings".

Auto-detect is WPAD (Web Proxy Auto-Discovery). It first asks DHCP for a proxy script (option 252) and then falls back to a DNS lookup for wpad.<DNS suffix>, for example wpad.contoso.com. My server has a static address, so DHCP is not in play, but I do have a wpad record in DNS that points to my proxy. The result is that the SYSTEM account connects to my proxy, possibly has to authenticate to it, and only then tries to download the CRL; if any step in that chain fails, so does the revocation check.

One caveat worth keeping in mind: whatever host answers that wpad name becomes the proxy for every auto-detecting client in the domain, including the SYSTEM account on the Exchange servers. This is why the Windows DNS Server keeps wpad on its global query block list by default, so a wpad record only resolves if someone has deliberately allowed it; make sure the one in your zone is really yours.

This also means that every time the SYSTEM account on an Exchange 2013 server needs to reach the internet, it goes through my proxy, which is something I do not want. I would rather have a direct connection from Exchange 2013 to the internet, especially when a hybrid configuration with Office 365 is involved.
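To see exactly what the SYSTEM account on an Exchange server will do, here is a PowerShell diagnostic I added for this post (it is not from the original post and not an Exchange or Microsoft tool). It resolves the wpad name the way auto-detect would, prints SYSTEM's own Internet Settings and the machine-wide WinHTTP proxy, and then tries to download every CRL distribution point of the certificates in the machine store through whatever proxy those settings select. Run it as SYSTEM with psexec -s so that HKCU: and the default web proxy really are SYSTEM's. The script name and file path are my own choice; the registry value names are the ones a default Windows installation uses.

```powershell
# Added diagnostic (not part of the original post).  Run under SYSTEM, e.g.
#   psexec -s powershell.exe -ExecutionPolicy Bypass -File C:\Test-SystemCrlAccess.ps1
# so that HKCU: and the default .NET web proxy below belong to SYSTEM, not to the admin.
$ErrorActionPreference = 'Continue'
"Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. The DNS half of WPAD: does wpad.<primary DNS suffix> resolve, and to what?
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
$wpad   = "wpad.$suffix"
try {
    $ip = ([Net.Dns]::GetHostAddresses($wpad) | Select-Object -First 1).IPAddressToString
    "WPAD: $wpad resolves to $ip  (auto-detect will use this host as its proxy)"
} catch {
    "WPAD: $wpad does not resolve  (auto-detect via DNS finds nothing)"
}

# 2. SYSTEM's own WinINET/IE proxy settings: this is what the IE checkbox writes.
$is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"AutoDetect    : $($is.AutoDetect)   (1 = ticked; absent on an untouched profile, where IE defaults to ticked)"
"ProxyEnable   : $($is.ProxyEnable)   ProxyServer: $($is.ProxyServer)"
"AutoConfigURL : $($is.AutoConfigURL)"

# 3. The machine-wide WinHTTP proxy: a separate setting, used by services that call WinHTTP directly.
netsh winhttp show proxy

# 4. Fetch each certificate's CRL the way a revocation check has to, through the proxy (if any)
#    that SYSTEM's settings select.  WebClient uses the current user's IE proxy configuration
#    by default, including auto-detect, so this exercises the same path.
$wc = New-Object Net.WebClient
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $cdp) { "$($cert.Thumbprint): no CRL Distribution Points extension"; continue }
    # Format() yields text such as "URL=http://crl.example.net/ca.crl"; keep only the HTTP URLs.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        try   { "$($cert.Thumbprint): OK   $url ($($wc.DownloadData($url).Length) bytes)" }
        catch { "$($cert.Thumbprint): FAIL $url -> $($_.Exception.GetBaseException().Message)" }
    }
}
```

If the output shows the wpad record resolving and the fetches failing with a 407 (Proxy Authentication Required) or a timeout, that is the chain described above. If there is no wpad record and the fetches still fail (the situation one of the commenters below describes), look at step 3 and at whether the CDP URL is reachable from the server at all.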

How to solve this issue?

I started to think: if I could open Internet Explorer under the SYSTEM account and untick the auto-detect proxy setting there, the problem would be solved, and SYSTEM would have direct internet connectivity that avoids the complexity and the authentication requirements of my proxy.

So I went to one of my favorite sites, Windows Sysinternals, downloaded the PsExec tool and copied it to the C:\ drive of my Exchange server. PsExec can launch an executable locally or on a remote computer, and with the -s switch it runs that executable as the Local System account.

The idea is to run CMD interactively as SYSTEM and then start IE from that window, so that IE inherits the SYSTEM context and the settings I change in it are SYSTEM's own. To do that, I logged on as a local administrator to one of my Exchange 2013 servers where I had copied PsExec to the C: drive, and ran:

psexec -i -d -s cmd

CRL Certificate Exch2013 2

This opens a new CMD window (-i makes it interactive on my desktop, -d returns control to the first console without waiting for it, -s runs it as SYSTEM). In that window I can type whoami and see that it is running as nt authority\system.

CRL Certificate Exch2013 3

Now I start IE from that window, so that it also runs in the SYSTEM context (the binary is C:\Program Files\Internet Explorer\iexplore.exe).

CRL Certificate Exch2013 4

From there, under Internet Options > Connections > LAN settings, I untick "Automatically detect settings", so SYSTEM no longer looks for a proxy when it connects to the internet to fetch the CRL of my certificate. This changes the SYSTEM account's setting only; the administrator's own IE settings are untouched. If other services on the server use WinHTTP directly, check netsh winhttp show proxy as well, since that is a separate, machine-wide setting.
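The same change can be made without clicking through IE. The following PowerShell script is my own addition (it is not from the post and not Microsoft tooling); run it as SYSTEM through psexec -s, the same way the CMD window above is started. It clears the AutoDetect value and the auto-detect bit in the DefaultConnectionSettings blob under SYSTEM's Internet Settings key. The layout of that blob (version, change counter, then a flags DWORD in which 0x08 is auto-detect) is an assumption taken from how IE is commonly documented to store it, so the script writes a backup first and prints the flags before and after; compare them with what the IE dialog shows on your own server before trusting it. The script path is my own choice.

```powershell
# Added example (not from the original post): the scripted equivalent of unticking
# "Automatically detect settings" in IE under the SYSTEM account.  Run as
#   psexec -s powershell.exe -ExecutionPolicy Bypass -File C:\Disable-SystemProxyAutoDetect.ps1
# ASSUMPTION: DefaultConnectionSettings = [4-byte version][4-byte change counter][4-byte flags]...
#             with flag 0x01 = direct, 0x02 = manual proxy, 0x04 = PAC script, 0x08 = auto-detect.
$ErrorActionPreference = 'Stop'
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne 'NT AUTHORITY\SYSTEM') { throw "Run this as SYSTEM (psexec -s); current user is $me" }

$isKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$connKey = "$isKey\Connections"

# The DWORD the checkbox toggles.  0 = unticked.
Set-ItemProperty -Path $isKey -Name AutoDetect -Value 0 -Type DWord

# The connection blob that IE and WinINET actually consult.  Back it up before touching it.
$blob   = (Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings).DefaultConnectionSettings
$backup = Join-Path $env:TEMP 'DefaultConnectionSettings.bak'
[IO.File]::WriteAllBytes($backup, $blob)
"Backup of the original blob written to $backup"

$flags = [BitConverter]::ToUInt32($blob, 8)
"Flags before: 0x{0:X2}  (auto-detect {1})" -f $flags, $(if ($flags -band 8) { 'on' } else { 'off' })

$flags = [UInt32](($flags -band 0xFFFFFFF7) -bor 1)          # clear 0x08 (auto-detect), keep 0x01 (direct)
[Array]::Copy([BitConverter]::GetBytes($flags), 0, $blob, 8, 4)
$counter = [UInt32]([BitConverter]::ToUInt32($blob, 4) + 1)    # IE bumps this counter on every change
[Array]::Copy([BitConverter]::GetBytes($counter), 0, $blob, 4, 4)
Set-ItemProperty -Path $connKey -Name DefaultConnectionSettings -Value $blob -Type Binary
"Flags after : 0x{0:X2}  (auto-detect {1})" -f $flags, $(if ($flags -band 8) { 'on' } else { 'off' })

# Verify from the Exchange Management Shell afterwards:
#   Get-ExchangeCertificate | Format-Table Thumbprint, Status, Subject -AutoSize
```

The EAC and Get-ExchangeCertificate may keep reporting the old status for a while, because the failed CRL retrieval is cached; as noted above, I saw the download repeated after a server restart, so re-check after that if the status does not change immediately.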

CRL Certificate Exch2013 5

7 comments on “Exchange 2013 Certificate Revocation Failed”

  1. Great post! My Exchange server SYSTEM account was auto-detecting my proxy via wpad.dat (via DNS, not DHCP), and Exchange server was unable to verify the cert. Now it works. Thank you.

  2. Does this also apply if there is no wpad record in DNS?
    I have direct access to the Internet.
    There is no need to authenticate through a proxy server.
    My certificate status is Revocation check failed.

    In the meantime I will try this.

  3. Excellent information. I was about to import the CRL manually when I came across your post. PsExec to the rescue yet again…
