Revocation of the SSL certificate failed for AAD authentication

Published 04-20-2021 01:45 AM 1,299 Views
Microsoft

Users may get the following SSL certificate security alert when trying to connect with any of the AAD authentication options from SSMS:

 

"Revocation information for the security certificate for this site is not available. Do you want to proceed?"

Yes \ No \ View Certificate
 


 

This happens when a client using Internet Explorer (IE) sends a request to an Online Certificate Status Protocol (OCSP) server to verify whether the certificate has been revoked. If IE is configured to expect an OCSP response and cannot determine the revocation status of the certificate, the user is prompted with the security alert above. Chrome is not affected because it disabled OCSP checks by default in 2012, due to latency and privacy issues.

 

Mitigation steps 

To fix "server certificate revocation failed" problems, a workaround is to turn off the "Check for server certificate revocation" setting in IE options, which disables the check for all OAuth negotiations system-wide. To disable this option, perform the following steps.

  • Type gpedit.msc in Windows search and click OK.
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page or Internet Explorer > Tools > Internet options > Advanced
  • Uncheck "Check for server certificate revocation"
  • Reboot the server. IMPORTANT: The setting takes effect after you restart your computer.

OPTIONAL steps:

  • Remove CRL/OCSP disk cache entries on the client machine. From the Windows command line run:
    > certutil -urlcache CRL delete
    > certutil -urlcache OCSP delete
  • Perform "Clear SSL state" in Internet Explorer > Internet Options > Content.
  • On the client machine run gpupdate /force in the CMD window to force update the group policy. You can apply the GPO under user configuration, so the corresponding registry change will be under HKEY_CURRENT_USER.

  • Open Registry Editor and go to HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings; the CertificateRevocation value should be a REG_DWORD set to 0.

  • Open IE and check the setting; it should be disabled.
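
To confirm the policy value from the steps above for every user logged on to the machine, and later to find where the workaround is still in place, the following added example (not part of the original article) reads the CertificateRevocation value at the policy path given above from each loaded hive under HKEY_USERS. The function name Get-CertificateRevocationPolicy is hypothetical.

```powershell
function Get-CertificateRevocationPolicy {
    # Sub-path and value name as given on this page (under HKEY_CURRENT_USER).
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # HKEY_CURRENT_USER is a view of HKEY_USERS\<SID>; walk every loaded user hive.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                # Resolve the SID to DOMAIN\user for readability.
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            }
            catch { $account = '<unresolved>' }

            $item = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$subKey" `
                -Name CertificateRevocation -ErrorAction SilentlyContinue
            $value = if ($item) { $item.CertificateRevocation } else { $null }

            if ($null -eq $value) { $state = 'policy not set' }
            elseif ($value -eq 0) { $state = 'revocation check disabled by policy' }
            else                  { $state = "not disabled by policy (value $value)" }

            [pscustomobject]@{ Account = $account; Sid = $sid; Value = $value; State = $state }
        }
}

Get-CertificateRevocationPolicy | Format-Table -AutoSize
```

Run it from an elevated prompt so that hives of other logged-on users are readable.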

 

Note: When connecting through ADFS, third-party MFA enforces some policies in ADFS. The usual process for integrated authentication is that ADFS receives the service ticket generated by the on-premises ticket-granting server, creates a signed SAML token and sends it to AAD. In some cases, when third-party tools are used, ADFS refuses the service ticket. The solution is to disable third-party MFA for accounts accessing the database and enforce Azure universal MFA. Third-party tools for MFA authentication may currently not be supported by all tools and applications.

 

Troubleshooting AAD connectivity issues

 

Open PowerShell with administrative rights on the affected machine and run the commands below.

 

#OPTION 1 - bypass SQL Azure DB to see if your communication works with Azure AD from your machine

 

> Install-Module MSOnline
> Import-Module MSOnline
> $MsolCred = Get-Credential
# use your federated credentials (e.g. john@contoso.com + password)

> Connect-MsolService -Credential $MsolCred

 

and check the federated authentication group

 

> Get-MsolGroup -MaxResults 10 -SearchString mygroup@contoso.com | Format-List
# displays group info as it is represented in Azure AD (e.g. mygroup); or check the individual user:

> Get-MsolUser -UserPrincipalName john@contoso.com | Format-List

 

You should see what is stored in Azure AD under a specific user or group alias/name.


#OPTION 2 - Check the minimum connectivity requirement

 

Check connectivity to AAD endpoint for Password and Integrated authentication:

 

> tnc login.windows.net -port 443

 

Check connectivity to AAD endpoint for Universal with MFA authentication: 

 

> tnc login.microsoftonline.com -port 443

 

 

Note that additional endpoints might be required, depending on AAD and on-premises AD setup. Capturing and debugging network or Fiddler traces is what usually helps in those situations.

 

Additional points to check - Make sure the firewall configuration is correctly set up

  • Check your firewall settings and make sure it allows communication with the above AAD endpoints: login.windows.net and login.microsoftonline.com.
  • Ensure the AAD required ports are not blocked by the firewall.
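
The alert appears when the revocation status cannot be determined, so it helps to repeat that check outside SSMS and see which CRL/OCSP hosts the certificate chain points to and whether they are reachable through the firewall. The following is an added example, not part of the original article; the function name Test-EndpointRevocation is hypothetical, and Windows PowerShell 5.1 or later is assumed.

```powershell
function Test-EndpointRevocation {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Only capture the server certificate here; the chain is validated below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Build the chain with online revocation checking (CRL/OCSP fetched over the network).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        # CRL Distribution Points (2.5.29.31) and Authority Information Access (1.3.6.1.5.5.7.1.1)
        $urls = @($element.Certificate.Extensions |
            Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
            ForEach-Object { [regex]::Matches($_.Format($true), 'URL=(http\S+)') } |
            ForEach-Object { $_.Groups[1].Value })

        [pscustomobject]@{
            Subject     = $element.Certificate.Subject
            # Empty when the element is fine; RevocationStatusUnknown / OfflineRevocation
            # mean the revocation status could not be determined.
            ChainStatus = $element.ChainElementStatus.Status -join ', '
            Urls        = $urls
            # TCP reachability of each CRL/OCSP/AIA host, like the tnc checks on this page
            Reachable   = @($urls | ForEach-Object { [uri]$_ } | Sort-Object Authority -Unique |
                ForEach-Object { '{0}={1}' -f $_.Authority,
                    (Test-NetConnection $_.Host -Port $_.Port -InformationLevel Quiet) })
        }
    }
}

'login.windows.net', 'login.microsoftonline.com' |
    ForEach-Object { Test-EndpointRevocation -HostName $_ } | Format-List
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation next to a host reported as False points at the revocation endpoints, rather than the AAD login endpoints, as what the firewall is blocking.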

Note: The above error is mostly triggered when using SSMS. Azure Data Studio doesn’t have this issue because it has a custom MFA implementation that doesn't use an old embedded IE browser.

Last update: Apr 21 2021 11:20 PM