Microsoft KB Archive/891510

= Clients receive a "500 Server" error message if a Web server requires a Certificate Revocation List in ISA Server 2004 =

Article ID: 891510

Article Last Modified on 3/2/2005

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-





SYMPTOMS
If you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to publish a Secure Sockets Layer (SSL) Web site, clients may receive the following error message:

Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

The value -2146885616 is the HRESULT CRYPT_E_REVOKED (0x80092010), which ISA Server returns to the client as an HTTP 500 response.



CAUSE
This problem occurs if the following conditions are true:
 * Certificate Revocation List (CRL) checks are enabled in ISA Server 2004. For additional information about how to enable CRL checks in ISA Server 2004, see the "More Information" section later in this article.
 * SSL client certificate authentication is enabled on the Web publishing rule. For additional information about how to enable SSL client certificate authentication in ISA Server 2004, see the "More Information" section later in this article.
 * The root certificate of the chain that the SSL server certificate on the ISA Server 2004 Web listener chains to has no CRL distribution points. For additional information about how to verify that the root certificate has no CRL distribution points, see the "More Information" section later in this article.



Service pack information
To resolve this problem, obtain and install the latest service pack for Internet Security and Acceleration Server 2004. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

891024 How to obtain the latest ISA Server 2004 service pack



WORKAROUND
To work around this problem, manually download the CRL, and then install it to the local computer certificate store.

Note Because the CRL is valid only for a limited time, you must periodically retrieve a new CRL.

To install a CRL to the local computer certificate store, follow these steps:
 * 1) Log on to the computer as a member of the local Administrators group.
 * 2) Open the Certificates snap-in for the computer account. To do this, follow these steps:
   * a) Click Start, click Run, type mmc, and then click OK.
   * b) On the File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
   * c) On the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
   * d) In the Available Standalone Snap-ins list, click Certificates, and then click Add.
   * e) Click Computer account, and then click Next.
   * f) Click Local computer, and then click Finish.
   * g) Click Close, and then click OK.
 * 3) Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
 * 4) Follow the instructions in the wizard to complete the installation.
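Because the CRL expires at its NextUpdate time, the manual import above has to be repeated on a schedule. The following script is an added example, not part of the original article, of the same workaround done from the command line so that it can run as a scheduled task: it downloads the CRL, checks that it has not already expired, and imports it with certutil into the LocalMachine CA store (the "Intermediate Certification Authorities" container named in the steps). The CRL URL and file path are assumptions; use the CRL distribution point URL of the CA that issued the listener's server certificate. Invoke-WebRequest requires Windows PowerShell 3.0 or later; on an older host, download the file with any other tool and start at the certutil -dump step.

```powershell
# Added example (not from the article): scheduled CRL refresh for the ISA Server host.
param(
    [string]$CrlUrl  = 'http://pki.example.com/pki/IssuingCA.crl',  # assumed CDP URL
    [string]$CrlFile = "$env:TEMP\IssuingCA.crl",                   # assumed local path
    [string]$Store   = 'CA'   # certutil name of "Intermediate Certification Authorities"
)

$ErrorActionPreference = 'Stop'

# 1. Download the CRL. certutil accepts both DER and Base64 encoded CRL files.
Invoke-WebRequest -Uri $CrlUrl -OutFile $CrlFile -UseBasicParsing

# 2. Read NextUpdate from the CRL before importing it. An expired CRL will not
#    satisfy revocation checking, so importing it would not fix the 500 error.
$dump = certutil -dump $CrlFile
$line = $dump | Select-String 'NextUpdate:' | Select-Object -First 1
if (-not $line) { throw "No NextUpdate field in $CrlFile; the download is not a CRL" }
$nextUpdate = [datetime]::Parse(($line.Line -replace '.*NextUpdate:\s*', ''))
if ($nextUpdate -lt (Get-Date)) { throw "CRL from $CrlUrl expired at $nextUpdate" }

# 3. Import into the machine store. -f replaces an older copy of the same CRL.
certutil -f -addstore $Store $CrlFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

Write-Host "Imported CRL from $CrlUrl into LocalMachine\$Store; valid until $nextUpdate"
```

Schedule the script to run somewhat more often than the CRL's publication interval (for example daily for a weekly CRL) so that a missed run does not leave the listener without a valid CRL. certutil -dump prints NextUpdate in the host's locale date format, which is why the script parses it with [datetime]::Parse rather than a fixed format string.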

MORE INFORMATION

How to verify that the root certificate has no CRL distribution points

 * 1) Click Start, click Run, type mmc, and then click OK.
 * 2) On the File menu, click Add/Remove Snap-in.
 * 3) Click Add, click Certificates, click Add, click Computer account, click Next, click Finish, click Close, and then click OK.
 * 4) Expand Certificates, click Trusted Root Certification Authorities, and then click Certificates.
 * 5) Double-click the root certificate of the chain that the ISA Server 2004 SSL server certificate chains to.
 * 6) On the Details tab, verify that the certificate has no CRL Distribution Points field.

How to configure CRL checks in ISA Server 2004

 * 1) To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand your ISA Server, expand Configuration, and then click General.
 * 3) In the middle pane, click Specify Certificate Revocation.
 * 4) Click to select the Verify that incoming client certificates are not revoked check box, and then click OK.

How to enable Client Certificate authentication on ISA Server 2004

 * 1) To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand your ISA Server, and then click Firewall Policy.
 * 3) In the middle pane, right-click the rule that you want to configure, and then click Properties.
 * 4) On the Listener tab, click Properties.
 * 5) On the Preferences tab, click to select the Enable SSL check box.
 * 6) Click OK two times.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbbug kbfix KB891510

-


© Microsoft Corporation. All rights reserved.