Re: Certificate Revocation List (CRL) problem w/ Outlook XP

From: "Microsoft" <k.tolias@asyk.ase.gr>
Date: Fri, 29 Nov 2002 09:38:05 +0200

Sorry to interrupt but I believe that there is no way to check the status of
the Signing Certificate using Outlook Clients.

That's because Outlook 2000 never checks for the CRL; it just always says that
the Certificate is not Revoked. Try to Revoke your Certificate and you will
see what I mean!!!

Outlook 02 client has a different approach. When you ask for the validity of
the Signing Certificate, the system fetches the CRL files to your Local
"Temporary Internet Files". Unfortunately, even though the system has the
Certificate Revocation List, it cannot determine whether the Signing Certificate
is Revoked or not!!!

This is a bug I have reported to Microsoft since 1st of October.

According to Microsoft there is a Restriction in the Certificate Checking
Procedure.

If a Certificate found in the Certification Path has no CDP (Certificate
Revocation List Distribution Point) then Outlook 02 replies with the warning
that you mentioned.

So once again Microsoft ignores RFCs. That's not a new one!!! The answer
that they gave me after two months is that they will try to fix the problem,
or... not (Ahhh)

Now you might understand why you keep getting this message. Thawte Root
Certificate has no CDP, as it is supposed to be for everyone else except
Microsoft : )

You can try 2 workarounds.

1. Install Windows XP. The above-described procedure is totally changed, so
it works fine.

2. Find the CRL file in your Local "Temporary Internet Files" and install it
manually. It worked for me. If you can't find it, download it from the CDP.

Keep in touch. This is a very serious issue, so any feedback is appreciated!

Thanks,

 Kyriakos Tolias

"Jerry Benton" <jcbenton@atsugi.navy.mil> wrote in message
news:189f201c295a0$d79caaf0$8af82ecf@TK2MSFTNGXA03...

> David hit it right on the head...
>
> Outlook 2002 attempts to bounce the certificate off a CRL
> and Outlook 2000 does not. (Unless you turn it on.) You
> can turn it off via a registry hack if you like. I know
> Outlook 02 will hang until it times out, which is a real
> pain waiting for around 2 minutes to view a signed email.
> You can check and see what it's doing by running "netstat"
> in a CMD prompt. Also, instead of disabling it, you can
> reduce the time out to just a few seconds. (I think :) )
>
> Also.... Outlook is making a call through a port (LDAP 389
> and LDAPS 636) and if you have that port blocked by a
> firewall... same deal.... it hangs until it times out.
>
> Email me if you want the hack to turn it off. But make
> changes to your own registry at your own risk :)
>
> Jerry
>
>
>
> >-----Original Message-----
> >I have recently obtained a Thawte Personal Freemail
> >certificate, which I have successfully imported into
> >Internet Explorer 6SP1/Outlook 2002SP2. I have signed
> >messages and sent them. The problem I have encountered (in
> >testing) is that Outlook 2002 (on the receiving end) will
> >not verify the signature because "The Certificate
> >Revocation List ... is unavailable..." The same exact
> >e-mail received in Outlook 2000 verifies the signature
> >without a problem.
> >
> >I've searched the MS knowledge base and found some
> >articles referring to a similar problem. The suggested
> >fixes have been applied w/ out fixing the problem.
> >
> >Furthermore, I have poured through the thousands of
> >messages in these newsgroups and have found nothing that
> >helps.
> >
> >Surely there is an answer! But does anyone out there know
> >what it is?
> >.
> >
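
Added example, not part of the original thread and not code from any poster or from Microsoft: a CRL check over a certification path in which the root has no CDP, the situation described in the reply above. It uses the third-party Python `cryptography` package; all function names, subject names, serial numbers and the CDP URL are constructed for illustration. It assumes the self-signed root is the trust anchor and is not itself revocation-checked, and that the CRL has already been obtained, as with a manually installed CRL file.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # constructed validity start for the sample data
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, serial, cdp_url=None):
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365)))
    if cdp_url:  # add a CRL Distribution Point only when a URL is given
        point = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([point]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cn, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for s in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build()
        b = b.add_revoked_certificate(entry)
    return b.sign(issuer_key, hashes.SHA256())

def has_cdp(cert):
    return any(isinstance(e.value, x509.CRLDistributionPoints) for e in cert.extensions)

def revocation_report(chain, crls):
    # chain: leaf first, trusted root last; crls: issuer Name -> CRL already fetched
    report = []
    for cert, issuer in zip(chain, chain[1:]):  # the root is only ever an issuer here
        crl = crls.get(cert.issuer)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            status = "unknown"  # no usable CRL: never report this as "good"
        elif crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            status = "revoked"
        else:
            status = "good"
        report.append((cert.serial_number, has_cdp(cert), status))
    return report

def sample_chain():  # constructed data: root without a CDP, leaf with a placeholder CDP URL
    rk, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    root = make_cert("Example Root", rk, "Example Root", rk, 1)
    leaf = make_cert("signer", lk, "Example Root", rk, 2, "http://crl.example.invalid/root.crl")
    return leaf, root, rk, lk
```

The report contains one entry per certificate below the root, so a root without a CDP never produces a "CRL unavailable" result, while a missing or wrongly signed CRL for the signing certificate is reported as "unknown" rather than "good".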


