Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Certificate Revocation List bug CMG?

%3CLINGO-SUB%20id%3D%22lingo-sub-2815750%22%20slang%3D%22en-US%22%3ECertificate%20Revocation%20List%20bug%20CMG%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2815750%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20there%20might%20be%20a%20bug%20with%20current%20branch%202107%20SCCM%20client%20and%20would%20like%20to%20bring%20up%20my%20findings.%3C%2FP%3E%3CP%3EWe%20have%20had%20a%20CMG%20running%20just%20fine%20for%20ages%20now%2C%20and%20we%20started%20noticing%20connection%20issues%20to%20the%20CMG%20after%20clients%20had%20upgraded%20to%20v%26nbsp%3B5.00.9058.1018.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThe%20clients%20are%20failing%20to%20connect%20to%20the%20CMG%20because%20they%20are%20trying%20to%20check%20the%20CRL%20for%20the%20SSL%20certs.%20In%20SCCM%20there%20are%20TWO%20places%20where%20CRL%20checking%20is%20specified%2C%20on%20the%20site%20communication%20Security%20tab%2C%20and%20on%20the%20CMG%20properties%20itself.%20What%20is%20happening%20is%20that%20this%20latest%20build%20is%20TOTALLY%20ignoring%20the%20setting%20to%20NOT%20check%20CRL%20when%20connected%20to%20the%20CMG%2C%20and%20packet%20tracing%20shows%20that%20this%20build%20of%20client%20is%20trying%20to%20reach%20our%20internal%20PKI%20CRL%20when%20the%20client%20is%20on%20the%20INTERNET.%20Everything%20was%20fine%20until%20this%20client%20build%2C%20so%20something%20has%20changed.%20I%20can%20see%20in%20the%20CCMMessaging%20log%20the%20client%20attempting%20to%20use%20the%20CRL%20with%20%22Enabled%20SSL%20Revocation%20check%22%20in%20the%20log%2C%20then%20it%20fails%20of%20course%20eventually%20with%20%22WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED%20is%20set%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20disable%20ALL%20CRL%20checking%20in%20the%20main%20site%20communication%20security%20tab%20(when%20I%20put%20the%20client%20on%20VPN%20so%20it%20can%20reach%20the%20servers)%2C%20refresh%20the%20policy%2C%20then%20put%20it%20on%20the%20internet%20again%2C%20it%20fixes%20the%20issue%20and%20does%20not%20try%20and%20use%20the%20internal%20CRL%20for%20the%20CMG.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ECan%20someone%20at%20MS%20take%20a%20look%20at%20this%3F%20Before%20we%20upgraded%20to%202107%2C%20the%20clients%20were%20using%20INTERNAL%20CRL%20checking%20no%20problem%20when%20on%20the%20intranet%2C%20but%20when%20outside%20on%20the%20internet%2C%20respected%20the%20CMG%20%22verify%20client%20certificate%20revocation%22%20and%20things%20worked%20fine.%20(crl%20checking%20when%20on%20prem%2C%20no%20crl%20checking%20when%20on%20cmg)%3C%2FP%3E%3CP%3EIt%20has%20taken%20me%20about%201%20week%20to%20troubleshoot%20this%2C%20and%20has%20caused%20us%20all%20sorts%20of%20issues!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2815750%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECM%20current%20branch%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2868641%22%20slang%3D%22en-US%22%3ERe%3A%20Certificate%20Revocation%20List%20bug%20CMG%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2868641%22%20slang%3D%22en-US%22%3ESeems%20to%20have%20same%20issue%20with%20AAD%20joined%20machines%20and%20a%20new%20CMG%20(Virtual%20machine%20scale%20set)%20and%20ConfigMgr%202107.%20Did%20you%20get%20any%20response%20or%20solution%3F%3C%2FLINGO-BODY%3E
New Contributor

I think there might be a bug with current branch 2107 SCCM client and would like to bring up my findings.

We have had a CMG running just fine for ages now, and we started noticing connection issues to the CMG after clients had upgraded to v 5.00.9058.1018.


The clients are failing to connect to the CMG because they are trying to check the CRL for the SSL certs. In SCCM there are TWO places where CRL checking is specified, on the site communication Security tab, and on the CMG properties itself. What is happening is that this latest build is TOTALLY ignoring the setting to NOT check CRL when connected to the CMG, and packet tracing shows that this build of client is trying to reach our internal PKI CRL when the client is on the INTERNET. Everything was fine until this client build, so something has changed. I can see in the CCMMessaging log the client attempting to use the CRL with "Enabled SSL Revocation check" in the log, then it fails of course eventually with "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set".

 

If we disable ALL CRL checking in the main site communication security tab (when I put the client on VPN so it can reach the servers), refresh the policy, then put it on the internet again, it fixes the issue and does not try and use the internal CRL for the CMG.


Can someone at MS take a look at this? Before we upgraded to 2107, the clients were using INTERNAL CRL checking no problem when on the intranet, but when outside on the internet, respected the CMG "verify client certificate revocation" and things worked fine. (crl checking when on prem, no crl checking when on cmg)

It has taken me about 1 week to troubleshoot this, and has caused us all sorts of issues!

2 Replies
Seems to have same issue with AAD joined machines and a new CMG (Virtual machine scale set) and ConfigMgr 2107. Did you get any response or solution?

@TatsumiMorota 

 

No I am afraid, the solution for us was to disable CRL checking on the site properties, basically for all site servers. This fixed it, and I guess we lose on-prem CRL checking from clients, but when you have no external clients able to connect because of this, you do what you can to make it work!


It is really annoying, as everything was running just fine before v2107.