Collection Rule for event with source OnlineResponderRevocationProvider and ID 16 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.OCSPEvents.RevocationProvider.16
  • Description:  The Online Responder service could not access a certificate revocation list.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Run As Profiles

  • Name:  Default

Rule Knowledgebase

Summary

The status and functioning of the Microsoft Online Responder service depend on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Causes

This rule does not contain any causes.

Resolutions

Enable access to current certificate revocation lists

To correct this problem:

  • On the certification authority (CA), check for certificate revocation list (CRL) publication errors.

  • If there was a problem with the last publication, republish the latest base and delta CRLs.

  • Confirm that the URLs configured for the revocation configuration are valid.

  • Refresh the revocation configuration information.

  • If the error persists, enable CryptoAPI 2.0 Diagnostics for more information.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Check for CRL publishing errors on the CA

To check for CRL publishing errors on the CA:

  • On the CA, click Start, point to Administrative Tools, and click Event Viewer.

  • Check for additional error messages or warnings related to CRL publishing. For more information, see http://go.microsoft.com/fwlink/?LinkId=102985.

  • Resolve any problems identified and republish both the base and delta CRLs.

Republish base and delta CRLs

To republish base and delta CRLs:

  • Open a command prompt window on the CA.

  • Type certutil -crl and press ENTER.

  • Confirm that no further error messages are logged.

Confirm that the URLs configured for base and delta CRL distribution points are valid

To confirm that the URLs configured for base and delta CRL distribution points are valid:

  • On the computer hosting the Online Responder, click Start, point to Administrative Tools, and click Online Responder.

  • Select the revocation configuration node.

  • In the details pane, right-click the revocation configuration specified in the error message description, and click Edit Properties.

  • Click the Revocation Provider tab, and then click Provider.

  • Note the URLs configured in Base CRL URLs and Delta CRL URLs.

  • Confirm that these URLs are accessible by the computer running the Online Responder and that they contain valid CRL files published by the CA.

You can also use the Certification Authority snap-in to check the URLs to which the CA will publish base and delta CRLs.

Confirm the relation of CRL distribution points to a CA

To confirm the relation of CRL distribution points to a CA:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Click the Extensions tab, and note the URLs entered for the CRL Distribution Point (CDP) extension. Note the URLs for which Publish CRLs to this location and Publish Delta CRLs to this location are selected.

  • Confirm that these are the same network locations configured as base and delta CRLs in the Online Responder snap-in.

  • On the computer to which the base CRL is published, examine the Freshest CRL extension for the base CRL. Confirm that this identifies a location where the delta CRL can be found.

  • Republish the current CRL, if necessary, by opening a command prompt window on the CA and running the following command: certutil -crl.

  • Then, confirm that the Online Responder can access the CRL. To do this, open the Online Responder snap-in, right-click Array configuration, and click Refresh Revocation Data.
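The two checks above (that the configured base and delta CRL URLs are reachable from the Online Responder and hold current CRLs, and that the base CRL carries a Freshest CRL extension pointing at the delta) can be run from PowerShell on the Online Responder. This is an added example, not part of the management pack; the two URLs are constructed placeholders to be replaced with the values shown under Base CRL URLs and Delta CRL URLs, and it relies only on Invoke-WebRequest and certutil -dump.

```powershell
# Added example: probe the revocation provider's CRL sources the way the
# procedure above does by hand. URLs are constructed placeholders.
$CrlUrls = @{
    Base  = 'http://pki.example.test/CertEnroll/ExampleCA.crl'    # placeholder
    Delta = 'http://pki.example.test/CertEnroll/ExampleCA+.crl'   # placeholder
}

function Test-CrlSource {
    param([string]$Kind, [string]$Url)
    $tmp = Join-Path $env:TEMP ("ocsp-check-{0}.crl" -f $Kind)
    $r = [ordered]@{ Kind = $Kind; Url = $Url; Reachable = $false; NextUpdate = $null
                     Current = $false; HasFreshestCrl = $false; Error = $null }
    try {
        # Same fetch the responder performs; -UseBasicParsing keeps it non-interactive.
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $r.Reachable = $true
    } catch {
        $r.Error = $_.Exception.Message
        return [pscustomobject]$r
    }
    # certutil -dump decodes the CRL; an HTML error page or a truncated file fails here,
    # which is exactly the "reachable but not a valid CRL" case the procedure warns about.
    $dump = & certutil.exe -dump $tmp 2>&1
    if ($LASTEXITCODE -ne 0) {
        $r.Error = 'Downloaded object is not a decodable CRL'
        return [pscustomobject]$r
    }
    $m = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    if ($m) {
        try {
            $r.NextUpdate = [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
            # A CRL past NextUpdate is stale; the responder will not treat it as current.
            $r.Current = $r.NextUpdate -gt (Get-Date)
        } catch { $r.Error = 'Could not parse NextUpdate' }
    }
    # Only the base CRL is expected to carry Freshest CRL (OID 2.5.29.46); it tells
    # the responder where the delta CRL lives.
    $r.HasFreshestCrl = [bool]($dump | Select-String -Pattern '2\.5\.29\.46|Freshest CRL')
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return [pscustomobject]$r
}

$report = foreach ($k in $CrlUrls.Keys) { Test-CrlSource -Kind $k -Url $CrlUrls[$k] }
$report | Format-Table Kind, Reachable, Current, NextUpdate, HasFreshestCrl, Error -AutoSize
```

Run it as the account the Online Responder service uses (or at least from the same host) so that proxy and firewall rules match what the service sees; a base row with Current false or HasFreshestCrl false points at the republish and CDP steps above.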

Refresh revocation information

You can update revocation information by retrieving an updated CRL. An updated CRL can be retrieved by:

  • Using the Services snap-in console to restart the Online Responder service.

  • Using the Online Responder snap-in to refresh revocation data and confirming that the error does not appear.

To update revocation information for an Online Responder by using the Services snap-in console:

  • On the Online Responder, click Start, point to Administrative Tools, and click Services.

  • Click Online Responder Services, and click Restart.

To update revocation information for an Online Responder by using the Online Responder snap-in:

  • On the computer hosting the Online Responder, click Start, point to Administrative Tools, and click Online Responder.

  • Right-click Array Configuration, and click Refresh Revocation Data.

  • Confirm that no additional errors are reported.

  • Click the Online Responder node, and confirm that the revocation configuration is listed as Working.

  • Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.

  • Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.

  • Confirm that no additional errors are reported.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  • On the Online Responder, click Start, point to Administrative Tools, and click Event Viewer.

  • In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.

  • Right-click Operational, and click Enable Log.

  • Click Start, point to Administrative Tools, and click Services.

  • Right-click Active Directory Certificate Services, and click Restart.

Depending on the results from the procedures above and enabling CryptoAPI 2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the Online Responder service.
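The same diagnostics can be enabled and read from an elevated PowerShell prompt instead of Event Viewer. This is an added example, not part of the management pack; it assumes the standard CAPI2 log name Microsoft-Windows-CAPI2/Operational and the Online Responder service name OCSPSvc, and the one-hour window is an assumption to adjust to when the error was logged.

```powershell
# Added example: turn on CAPI2 diagnostics and pull the error-level entries that
# mention a CRL or revocation, which is where a failed CRL retrieval surfaces once
# the responder next refreshes its revocation data.
$Log = 'Microsoft-Windows-CAPI2/Operational'

# Enable the Operational channel (equivalent to Enable Log in Event Viewer) and give it
# room so a busy responder does not wrap before the entries are read. Size in bytes.
wevtutil set-log $Log /enabled:true
wevtutil set-log $Log /maxsize:20971520

# The procedure above restarts Active Directory Certificate Services; on a host that
# runs only the Online Responder role, restart the responder service instead.
Restart-Service -Name OCSPSvc

function Get-CrlRetrievalErrors {
    param([int]$Hours = 1)   # assumption: look back one hour by default
    Get-WinEvent -FilterHashtable @{
            LogName = $Log; Level = 2; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'crl|revocation' } |
        Select-Object TimeCreated, Id, TaskDisplayName,
            @{ n = 'Detail'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

# Trigger Refresh Revocation Data in the snap-in, then look at what CAPI2 recorded.
Get-CrlRetrievalErrors -Hours 1 | Format-Table -AutoSize -Wrap
```

Disable the channel again with wevtutil set-log $Log /enabled:false once the cause is found; CAPI2 logging is verbose and not meant to stay on.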

External References
This rule does not contain any external references.
