Clients receive a "500 Server" error message if a Web server requires a Certificate Revocation List in ISA Server 2004

Article ID: 891510

SYMPTOMS

If you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to publish a Secure Sockets Layer (SSL) Web site that is hosted on a Web server, clients may receive the following error message:
Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

CAUSE

This problem occurs if the following conditions are true:
  • Certificate Revocation List (CRL) checks are enabled in ISA Server 2004. For additional information about how to enable CRL checks in ISA Server 2004, see the "More Information" section later in this article.
  • SSL Client Certificate authentication is enabled on the Web Publishing Rule. For additional information about how to enable SSL Client certificate authentication in ISA Server 2004, see the "More Information" section later in this article.
  • The root certificate from which the SSL server certificate on the ISA Server 2004 Web listener is derived has no CRL distribution points. For additional information about how to verify that the root certificate has no CRL distribution points, see the "More Information" section later in this article.

RESOLUTION

Service pack information

To resolve this problem, obtain and install the latest service pack for Internet Security and Acceleration Server 2004. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
891024 How to obtain the latest ISA Server 2004 service pack

WORKAROUND

To work around this problem, manually download the CRL, and then install it to the local computer certificate store.

Note Because the CRL is valid only for a limited time, you must periodically retrieve a new CRL.

To install a CRL to the local computer certificate store, follow these steps:
  1. Log on to the computer as a member of the local administrators group.
  2. Open the Certificates snap-in for the computer account. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
    3. In the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
    4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
    5. Click Computer account, and then click Next.
    6. Click Local computer, and then click Finish.
    7. Click Close, and then click OK.
  3. Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
  4. Follow instructions in the wizard to complete the installation.

MORE INFORMATION

How to verify that the root certificate has no CRL distribution points

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add, click Certificates, click Add, click Computer account, click Next, click Finish, click Close, and then click OK.
  4. Expand Certificates, click Trusted Root Certification Authorities, and then click Certificates.
  5. Double-click the root certificate of the certificate chain from which the ISA Server 2004 SSL server certificate is derived.
  6. On the Details tab, verify that no CRL Distribution Points field is listed.
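The following script is an added example and is not part of the Knowledge Base article; it performs the same two tasks with Windows PowerShell and certutil: it lists trusted root certificates in the Local Computer store that carry no CRL Distribution Points extension (OID 2.5.29.31), which is the condition described in the "Cause" section, and it downloads a CRL and imports it into the Intermediate Certification Authorities store ("CA"), which is the manual workaround described above. It assumes an elevated session on a current version of Windows PowerShell; the CRL URL is a placeholder that you must replace with your own CA's CRL URL.

```powershell
# Added example, not code from the KB article.
# Run in an elevated Windows PowerShell session on the ISA Server computer.

$CdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints

function Get-RootCertWithoutCdp {
    # Returns root certificates in the Local Computer store that have no
    # CRL Distribution Points extension. A server certificate that chains to
    # one of these is what triggers the "The certificate is revoked" error
    # when CRL checking and client certificate authentication are enabled.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object {
            -not ($_.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid })
        } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Install-CrlToIntermediateStore {
    param(
        # Placeholder: replace with the CRL URL published by your CA.
        [Parameter(Mandatory)] [string] $CrlUrl,
        [string] $LocalPath = "$env:TEMP\downloaded.crl"
    )
    # Download the CRL, then import it with certutil into the "CA" store,
    # which is the Intermediate Certification Authorities store that the
    # Certificates snap-in wizard in the workaround writes to.
    Invoke-WebRequest -Uri $CrlUrl -OutFile $LocalPath
    certutil -addstore CA $LocalPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to import $LocalPath" }
    # A CRL is valid only until its NextUpdate time (see the Note under
    # "Workaround"); show the validity window so the refresh can be
    # scheduled before it expires.
    certutil -dump $LocalPath | Select-String 'ThisUpdate|NextUpdate'
}

# Usage: first audit the root store, then import the CRL for the affected chain.
Get-RootCertWithoutCdp | Format-Table -AutoSize
# Install-CrlToIntermediateStore -CrlUrl 'http://<your-ca-host>/<your-ca>.crl'
```

Because the imported CRL expires, schedule the import function to run again before the NextUpdate time that certutil reports.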

How to configure CRL checks in ISA Server 2004

  1. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand your ISA Server, expand Configuration, and then click General.
  3. In the middle pane, click Specify Certificate Revocation.
  4. Click to select the Verify that incoming client certificates are not revoked check box, and then click OK.

How to enable Client Certificate authentication on ISA Server 2004

  1. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand your ISA Server, and then click Firewall Policy.
  3. In the middle pane, right-click the rule that you want to configure, and then click Properties.
  4. In the Listener tab, click Properties.
  5. On the Preferences tab, click to select the Enable SSL check box.
  6. Click OK two times.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 891510 - Last Review: March 2, 2005 - Revision: 2.2
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
Keywords: kbfix kbbug KB891510
