If you see this error (actually a warning) on a Skype for Business Front End server, you can most probably ignore it.
Investigation:
Check settings.xml in C:\ProgramData\Windows Fabric\GVASFE1.domain.com\Fabric\Fabric.Config.1.0.0 (the host name part of the path is that of your Front End).
You will find these two parameters:
<Parameter Name="IgnoreCrlOfflineError" Value="true" />
<Parameter Name="CrlCheckingFlag" Value="3221225476" />
So Fabric is explicitly configured to ignore this error. The meaning of CrlCheckingFlag is described in
C:\Program Files\Skype for Business Server 2015\Server\Core\ClusterManifest.Xml.Template
According to that template, the CrlCheckingFlag setting follows the rest of the Lync Server components (SipStack, web), which set the following CERT_CHAIN_* flags (the values are the ones defined in wincrypt.h):
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL = 0x00000004 // do not go on the wire for certificate retrieval
CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY = 0x80000000 // do not go on the wire for the revocation check
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = 0x40000000 // check revocation of every certificate in the chain except the root
0x00000004 | 0x80000000 | 0x40000000 = 0xC0000004 = 3221225476 as an unsigned 32-bit integer
So CrlCheckingFlag = 0xC0000004 means: revocation is checked for the Front End certificate and any intermediate CA certificates but not for the root, and only against CRLs that are already in the local CryptoAPI URL cache; nothing is fetched from the network. A CRL that is not cached cannot be checked, and IgnoreCrlOfflineError="true" tells Fabric to log that as a warning instead of failing.
To list the CRLs in the local cache (of the current user), use:
certutil -urlcache CRL
To fetch and cache the CRLs for a specific certificate (and verify its chain at the same time), use:
certutil -f -urlfetch -verify gvasfe1.cer
where gvasfe1.cer is a file containing the certificate.
See https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
Windows Fabric runs as Network Service, and the CryptoAPI URL cache is per user profile, so the cache you see as an administrator is not necessarily the one Fabric sees. You can check the Network Service cache as well, but that requires running certutil in that account's context or digging into that profile's cache directory, which takes a bit of hacking: https://windoh.wordpress.com/2011/04/23/crl-caching-in-windows-and-a-little-bit-about-ocsp-caching-too/
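Worked example, added here and not part of the original post or of Skype for Business: a PowerShell script that reads the two parameters from settings.xml, decodes CrlCheckingFlag into the named CERT_CHAIN_* bits, reports whether the configuration makes the warning expected, and lists the current user's cached CRLs with certutil. The settings.xml path (using the post's host name GVASFE1.domain.com) and the Parameter element layout are assumptions taken from the post; adjust them for your server.

```powershell
# Added example, not from the original post: decode the Windows Fabric
# CrlCheckingFlag from settings.xml and list the CRLs currently cached.
# Assumptions: the settings.xml path below (the host name GVASFE1.domain.com is
# the one in the post; substitute your Front End), and that settings.xml uses
# <Parameter Name="..." Value="..."/> elements as the post shows.

$settingsPath = 'C:\ProgramData\Windows Fabric\GVASFE1.domain.com\Fabric\Fabric.Config.1.0.0\settings.xml'

# CERT_CHAIN_* flags from wincrypt.h, built as [uint32] so that 0x80000000 is
# not mistaken for a negative [int] literal.
$certChainFlags = [ordered]@{
    CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL            = [Convert]::ToUInt32('00000004', 16)
    CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = [Convert]::ToUInt32('40000000', 16)
    CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY         = [Convert]::ToUInt32('80000000', 16)
}

function Get-FabricCrlSettings {
    # Returns a hashtable with IgnoreCrlOfflineError and CrlCheckingFlag as strings.
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $result = @{}
    # local-name() keeps the XPath working whether or not the file declares a namespace.
    foreach ($p in $doc.SelectNodes('//*[local-name()="Parameter"]')) {
        $name = $p.GetAttribute('Name')
        if ($name -eq 'IgnoreCrlOfflineError' -or $name -eq 'CrlCheckingFlag') {
            $result[$name] = $p.GetAttribute('Value')
        }
    }
    return $result
}

function ConvertTo-CertChainFlagNames {
    # Splits a CrlCheckingFlag value into the named bits; leftover bits are reported in hex.
    param([uint32]$Value)
    $names = @()
    $remaining = [long]$Value
    foreach ($entry in $certChainFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -eq $entry.Value) {
            $names += $entry.Key
            $remaining = $remaining -bxor [long]$entry.Value
        }
    }
    if ($remaining -ne 0) { $names += ('UNKNOWN_0x{0:X8}' -f $remaining) }
    return $names
}

if (-not (Test-Path -Path $settingsPath)) {
    throw "settings.xml not found at $settingsPath; adjust `$settingsPath for this Front End"
}
$settings  = Get-FabricCrlSettings -Path $settingsPath
$flagValue = [uint32]$settings['CrlCheckingFlag']

'IgnoreCrlOfflineError = {0}' -f $settings['IgnoreCrlOfflineError']
'CrlCheckingFlag       = {0} (0x{0:X8})' -f $flagValue
ConvertTo-CertChainFlagNames -Value $flagValue | ForEach-Object { "  $_" }

# With REVOCATION_CHECK_CACHE_ONLY set, no CRL is fetched from the network: a CRL
# that is not already in the CryptoAPI URL cache cannot be checked, and with
# IgnoreCrlOfflineError=true Fabric only logs the warning the post is about.
$cacheOnly = $certChainFlags.CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY
if (($flagValue -band $cacheOnly) -eq $cacheOnly -and $settings['IgnoreCrlOfflineError'] -eq 'true') {
    'Revocation is cache-only and offline errors are ignored: the warning is expected whenever the CRL is not cached.'
}

# CRLs cached for the account running this script. Fabric runs as Network Service,
# which has its own cache, so run this in that account's context for an authoritative answer.
certutil -urlcache CRL
```

Run it from an elevated PowerShell on the Front End. The decoded flag names are what you compare against the comment in ClusterManifest.Xml.Template; if the CRL for the issuing CA does not appear in the certutil output, that is why the warning is logged.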
Summary: the Skype for Business Windows Fabric configuration is set up to ignore this error and continue, and the error comes from the CRL not being retrievable or not being present in the local cache. In most cases you should also ignore it. Be aware of the trade-off, though: with a cache-only revocation check, a revoked Front End or intermediate CA certificate is only detected if its CRL happens to be in the cache, so the warning also tells you that revocation was effectively not checked. If you want to get rid of it (not recommended), replace %CRLCHECKINGFLAG% in ClusterManifest.Xml.Template with 0 and reboot; note that this changes how Fabric validates certificate chains rather than fixing whatever keeps the CRL out of the cache, and that edits to a template under Program Files may not survive a product update.