KedarTamboli-6326 asked KedarTamboli-6326 commented

CRL Check Issue for IBCM Client Systems

Hello All,

We have observed that systems which try to connect to the IBCM MECM server over the Internet are not able to connect and are throwing the below error in the MECM client log ccmmessaging.log:

ERROR_WINHTTP_SECURE_FAILURE

While troubleshooting the error code ERROR_WINHTTP_SECURE_FAILURE, we found that this typically occurs when the MECM client's IBCM certificate fails to reach the CDP for CRL checks. In our environment we have only LDAP as the CDP; an HTTP URL based CDP is absent.

We need more information on:

  1. How do we manage / allow CRL checks for Internet clients (which are not connected to the corporate network by LAN / WiFi / VPN etc., but are connecting from the Internet)? Is publishing an HTTP URL based CDP the only option available, and is it secure? Can we have both LDAP and HTTP URL CDPs for the CRL check? (My security team is afraid of allowing HTTP traffic from the public network.)

  2. I understood that we can disable the CRL check in the SCCM site system properties and install the SCCM client with the /NoCRLCheck property. However, we are using the Client Push Installation method to install the MECM client. How can we provide the /NoCRLCheck switch using Client Push Installation, or does the client install automatically with CRL check bypass when this option is unchecked? We also need to understand whether this CRL check bypass stays intact when the MECM client is upgraded as part of a MECM site upgrade.

I have referred to the blogs below so far:

https://social.technet.microsoft.com/Forums/en-US/0f7828e1-f888-4565-b302-300cb9988841/client-unable-to-communicate-with-mp-server-winhttpcallbackstatusflagcertrevfailed-is-set

https://social.technet.microsoft.com/wiki/contents/articles/485.how-to-publish-the-crl-on-a-separate-web-server.aspx

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates#pki-certificate-revocation

Please help.

Thanks and regards,
Kedar

mem-cm-general


HanyunZhu-MSFT answered KedarTamboli-6326 commented

@KedarTamboli-6326

Thanks for posting in Microsoft Q&A forum.

  1. Yes, it is the only option to use CDP as far as I know.
    The second article is a good reference for solving the problem: it configures a separate web server in the DMZ and makes it a new CDP, then builds a one-way trust between the CDP and the CA server in the intranet and uses SMB traffic for the connection.

  2. If you uncheck the option "Clients check the certificate revocation list (CRL) for site systems", the clients will install automatically with CRL check bypass.
    And the same is true for client upgrades.

Hope the information above can help you.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thanks HanyunZhu-MSFT for the clarification!

One follow-up question to each one:

  1. If we increase the CRL validity period to 30 days from the default one, will it help IBCM systems stay Active in the console, assuming the system connects to VPN at least once a month in the Work From Home scenario?

  2. How can we confirm from the client side that the CRL check is bypassed on the MECM client? Is there any registry or log entry with which we can confirm it?

Thanks and regards,
Kedar

Jason-MSFT answered KedarTamboli-6326 commented

Keep in mind that adding a CDP in and of itself has no impact as the CRLs are hard coded in the certs so you'd have to also reissue all of your certs.

Yes, increasing the CRL validity period could help but that weakens the security posture of the PKI and relying on a VPN defeats the purpose of using IBCM.

Given the PKI was configured only using an LDAP CDP, I would question the overall stability and configuration of the PKI and would not personally recommend using it.

As for client-side configuration, this is stored in WMI and can be viewed using PolicySpy.

Is there a reason you don't implement a CMG and use ConfigMgr issued tokens instead?

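To make the point above concrete (the CDP URLs live inside each certificate, so an LDAP-only CDP is unreachable for an Internet-only client), here is an added PowerShell example that is not from this thread or from Microsoft. It reads the CRL Distribution Points extension of certificates in an assumed store path and reports which ones carry an HTTP URL; it does not fetch any CRL, and the text parsing relies on the Windows rendering of the extension.

```powershell
# Added example (not from the thread): list the CRL Distribution Points baked
# into a certificate and flag certs whose CDP is LDAP-only, which an
# Internet-only IBCM client can never reach. Nothing is fetched from the network.
function Get-CdpUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OID 2.5.29.31 = id-ce-cRLDistributionPoints. .NET has no typed class for it,
    # so the extension is rendered as text (Windows CryptFormatObject output,
    # e.g. "URL=http://crl.contoso.example/pki/root.crl") and the URLs picked out.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    [regex]::Matches($text, '(?i)\b(https?|ldap):\S+') | ForEach-Object { $_.Value }
}

function Test-InternetReachableCdp {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $urls = @(Get-CdpUrl -Certificate $Certificate)
    $http = @($urls | Where-Object { $_ -match '^https?:' })   # -match is case-insensitive
    $ldap = @($urls | Where-Object { $_ -match '^ldap:' })
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        HttpCdp        = $http
        LdapCdp        = $ldap
        # True only if at least one CDP is an HTTP URL; a cert with only LDAP
        # CDPs (or none) will fail revocation checking off the corporate network.
        InternetUsable = ($http.Count -gt 0)
    }
}

# Usage: inspect the certs with private keys in the machine store. The store
# path is an assumption; point it at the certificate the ConfigMgr client uses.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-InternetReachableCdp -Certificate $_ } |
    Format-List
```

Any certificate reported with InternetUsable = False would need to be reissued after an HTTP CDP is added to the CA, which is exactly why adding the CDP alone changes nothing for existing clients.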

Thanks Jason for your inputs.

Yes! We are also working on the CMG enablement approach.

Thanks and regards,
Kedar