FAS Incorrect user name or Password - Certificate revocation server down

[Prakash Vedharathinam1709163492]

Using SAML with FAS, The setup was working fine for months and suddenly all the users started receiving Incorrect user name or Password  ( Happens only for  certain  machines booted through PVS)

 

Checking the event logs found  the below event on the servers

 

Event ID - 9  Kerberos,  The client has failed to validate the Domain Controller certificate for XXX.domain.net , the following error was returned from the certificate validation process: The revocation function was unable to check revocation because the revocation server was offline. 

 

Disabling Certification revocation check using the below registry fixed the problem. however our security team is not happy disabling the CRC

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors    Type = DWORD
Value = 1 

 

Validated the CDP links configured in the User certificate & Domain controller Kerberos certificate from the VDA machines,

The CDP targets are opening fine from the browser and prompts to download the CRL List from the VDA

 

Certutil -urlfetch -verify <certificatename.cer> didn't return any problem

Checked Root & Intermediate Certificate, The Certificate chain looks good.

HKLM\software\Microsoft\EnterpriseCertificates\NTAuth\Certificates are similar to the working and non working servers.

 

FAS servers are applied through policy and have verified it through registry its getting applied properly, Even when the users attempt to logon triggers S106 log in the application event logs.

 

We have two sub ordinate CA servers, Using PKIview.msc from the SUB CA servers I can check the CDP points & validate them, Both Sub CA are up and running but found they cannot talk to each other. However when checked individually I found both of them to be up and running .   I don't know if the two Sub CA need to talk to each other for anything.

Probably the firewall between them is blocking the communication but don't I think this is the cause of the problem as we have another PVS image where FAS authentication works fine without disabling CRC. 

 

The only difference between the working and non working servers are below registry

 

HKLM\System\CurrentControlSet\Control\LSA  -> LMcompatiblitylevel is set to 3 in working machines and in non working machines its set to 5.

Yet to validate the registry so not sure changing it will make any difference.

 

Reverted the machines to the oldest Vdisk but no luck

 

Any thoughts on this or any one have encountered similar problems.

 

 

 

 

 

[Sasi Tzdaka]

Hi
did you fix it?