RDP connection to domain server from non-domain client prompts "A revocation check could not be performed"

I've got about 30 Windows 2008 R2 servers as members of a domain, and am attempting to configure the certificates part correctly for remote desktop access to those servers.

The catch is that the clients that need to connect to these servers are not on the domain. The clients are on the same internal network as all the domain computers.

So far, I have done the following:

  1. Created the CA
  2. Configured a certificate template for Remote Desktop Authentication
  3. Configured the Default GPO to enable auto-enrollment and to get the remote desktop servers to enroll a certificate from the RDP cert template
  4. Installed the CA root cert into my local computer trusted cert store on the non-domain client

This seems to work, in that each server has gone through the auto-enrollment process.

The problem is that when I connect with an RDP client, I receive a certificate warning stating:

A revocation check could not be performed for the certificate

Looking at the certificate details, I can see it's the correct certificate for the machine, and it has been signed by the CA root, which I have installed and trusted. The CRL Distribution Points entry on the certificate states:

URL=ldap:///CN=domain-ad-CA,CN=host,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

The root CA cert has no CRL location listed.

At a guess, the client is attempting to contact the LDAP URL and failing, but it's not clear why this should be. How do I get the client to perform revocation checks?


Solution 1:

Oh, I know why. This happened to us too, for non-domain joined computers (which would be why I removed the RDP certs).

If an anonymous user can't query your LDAP, or doesn't have permissions to view that particular location, then a non-domain-joined computer won't be able to reach that location to get the CRL and hence will not be able to perform the revocation check. (Assuming, of course, that the location isn't unreachable for another reason, such as not existing.)
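To confirm that this is what is happening, you can reproduce the RDP client's revocation check on the non-domain machine and see which CRL Distribution Point it tries and why it fails. The script below is an added example and is not from the question or the answer above. It assumes the server's RDP certificate has been exported (without the private key) to C:\temp\rdp-server.cer on the workgroup client; the path and the `CertPath` parameter name are assumptions. It reads the CDP extension, classifies each URL (an ldap:/// CDP needs an authenticated bind to the domain, which a workgroup client cannot do; an http:// CDP is fetched anonymously), builds the chain with online revocation checking the way .NET and Windows do, and finally runs `certutil -urlfetch -verify` for the full per-URL log.

```powershell
# Added example, not code from the original post. Run on the NON-domain-joined client.
param(
    # Assumption: the server's RDP certificate exported as DER/Base64 .cer to this path.
    [string]$CertPath = 'C:\temp\rdp-server.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# 1. Extract the CRL Distribution Points (OID 2.5.29.31) exactly as the client sees them.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate has no CRL Distribution Points extension; nothing to fetch.'
    return
}
$urls = [regex]::Matches($cdp.Format($true), '(ldap|http|https)://\S+') | ForEach-Object { $_.Value }

# 2. Classify each URL. This is the core of the answer above: an ldap:/// CDP is only
#    reachable by a client that can bind to the domain, so a workgroup machine fails there.
foreach ($u in $urls) {
    Write-Host "CDP: $u"
    if ($u -like 'ldap:*') {
        Write-Host '  -> LDAP CDP: requires a domain bind; a non-domain client cannot retrieve this CRL.' -ForegroundColor Yellow
    }
    elseif ($u -like 'http*') {
        try {
            # WebClient rather than Invoke-WebRequest so this also works on PowerShell 2.0 clients.
            $bytes = (New-Object System.Net.WebClient).DownloadData($u)
            Write-Host "  -> HTTP CDP reachable anonymously ($($bytes.Length) bytes)." -ForegroundColor Green
        }
        catch {
            Write-Host "  -> HTTP CDP unreachable: $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

# 3. Build the chain with online revocation checking, which is what the RDP client does.
#    RevocationStatusUnknown / OfflineRevocation here corresponds to the RDP warning.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 15)
$built = $chain.Build($cert)
Write-Host "Chain.Build() returned $built"
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 4. Windows' own view, one line per CDP URL attempted. Look for 'Failed "CDP"' entries
#    against the ldap:/// URL to confirm the diagnosis.
certutil.exe -urlfetch -verify $CertPath
```

A practical caveat when fixing this: the CDP list is baked into each issued certificate. If you later add an HTTP CDP to the CA (and publish the CRL there), the RDP certificates the servers already auto-enrolled still carry only the ldap:/// URL and will keep producing the warning until they are re-enrolled.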