Re: failing to retrieve CRL from certificate server using new LDAP

Hello S.Pidgorny

Once again thank you for your suggestion to my question.

We have 4 DCs:
2 running Windows 2003
2 running Windows 2000
Paul is the Forest Root DC.

Our CRL expires today. I tested again by specifying the IP address of "windows 2003 FSMO" and "windows 2003 replicate DC"
under our netscreen VPN server > certificate > LDAP server setting. It
fails to retrieve a new CRL from the certificate server using both 2003 LDAP

We have another Windows 2000 replicate DC server; it is called "Spoon". The IP
address of Spoon is, I specify the IP address of on
the certificate setting > LDAP on our netscreen VPN/Firewall. The automatic
CRL retrieve works.

After this test I suspect there may be some default security setting that
disallows Netscreen from communicating with our Windows 2003. Do you know, or
is there any setting I need to be aware of?

Thank you


"S. Pidgorny <MVP>" wrote:

I'm not familiar with Netscreen gear and the LDAP client of that, but here's what
I'd do:

1. Make CA publish new CRL into AD. If it's offline, bring it online and do
2. Using any LDAP client, check if CRL is in place on both new and old
3. Capture traffic between Netscreen and LDAP servers to see the requests
and responses. Make sure you disable LDAP encryption.

That will allow you to pinpoint the issue.

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
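Steps 2 and 3 above can be done from an admin workstation with one script. The following is an added example, not code from the thread or from Netscreen or Microsoft: it reads the CRL object for the CA from each domain controller over plain LDAP (so a capture on the wire shows the request and response) and prints size, hash and validity dates so the two copies can be compared. The DC names "paul" and "spoon", the CA name "Mugen", its host name "mugen" and the forest DN "DC=example,DC=local" are assumptions taken from the thread or placeholders; substitute your own. It relies on `certutil -dump` to decode the CRL and on `Get-FileHash` (PowerShell 4 or later).

```powershell
# Added example (not from the thread): compare the CRL that each DC serves via LDAP.
# Assumed names: DCs "paul" and "spoon", CA "Mugen" on host "mugen",
# forest DN "DC=example,DC=local" (placeholder, replace with your own).
param(
    [string[]]$DomainControllers = @('paul', 'spoon'),
    [string]$CaName   = 'Mugen',
    [string]$CaHost   = 'mugen',
    [string]$ForestDn = 'DC=example,DC=local'
)

# A CRL published into AD lives in the CDP container of the Configuration partition,
# in the single-valued binary attribute certificateRevocationList.
$crlDn = "CN=$CaName,CN=$CaHost,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$ForestDn"

foreach ($dc in $DomainControllers) {
    try {
        # Plain LDAP://, not LDAPS, so a packet capture between client and DC is readable.
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$crlDn")
        $entry.RefreshCache(@('certificateRevocationList'))
        $bytes = $entry.Properties['certificateRevocationList'].Value

        if (-not $bytes) {
            Write-Warning "$dc : object exists but certificateRevocationList is empty"
            continue
        }

        # Write the DER blob to a temp file so certutil can decode it.
        $tmp = [System.IO.Path]::GetTempFileName()
        [System.IO.File]::WriteAllBytes($tmp, [byte[]]$bytes)

        # certutil -dump prints "ThisUpdate:" / "NextUpdate:" lines for a CRL.
        $dump = certutil -dump $tmp 2>&1
        $thisUpdate = ($dump | Select-String 'ThisUpdate').Line.Trim()
        $nextUpdate = ($dump | Select-String 'NextUpdate').Line.Trim()
        $hash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        Remove-Item $tmp -ErrorAction SilentlyContinue

        # Identical hashes on every DC mean replication is fine and the fault is on the client side.
        "$dc : $($bytes.Length) bytes, SHA256 $hash"
        "    $thisUpdate"
        "    $nextUpdate"
    }
    catch {
        # An LDAP error here (bind refused, no such object) is itself the finding.
        Write-Warning "$dc : LDAP read failed - $($_.Exception.Message)"
    }
}
```

If the object is missing or stale on the new DC, step 1 is the fix: on the CA, `certutil -dspublish -f <file.crl>` writes the current CRL into the CDP container, after which AD replication carries it to every DC. If both DCs return the same fresh CRL, the difference is in how the VPN appliance binds or queries, which is what the packet capture in step 3 will show.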

"Mr555" <Mr555@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hello S. Pidgorny

I agree with your comment; I thought I could specify any DC.

I have tried your suggestions previously; it won't work. The CRL will
automatically update only if I put under LDAP Server: settings

So you don't think there are any settings that may bind to our old DC
server? I need to specify on our new 2003 DC

This is how I specify on our VPN netscreen 50 under certificate options >

CRL Settings

URL Address:

LDAP Server:

Refresh Frequency: Daily

"S. Pidgorny <MVP>" wrote:

You should be able to use any domain controller and point the LDAP url
accordingly, like:


Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Mr555" <Mr555@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

Thank you so much for your input to my questions. I am new to
server, thought I just enabled the certificate services will be OK. At
moment our VPN is operational. The only problem (serious problem) we
having is that it will only retrieve new CRL from the certificate
if I
specify the old LDAP server IP address which is " corp
windows 2000" we are going to demote corp server soon, I got the
some configuration has been done on corp server, possibly I have to
on Paul Server windows 2003. I am not sure what it is. So
hopefully you will be able to help me with this.
We are using netscreen 50 as our VPN server. Under certificate options
our netscreen VPN server, a place where you have to specify the URL
under the netscreen documentation it says I must copy it from the
CRL locations "
to that location, then I have specified the LDAP IP address
work around

Thank you


"S. Pidgorny <MVP>" wrote:

Which VPN server do you use and how do you configure it for CRL lookup
What CDPs are defined in the VPN client certificate properties?
Not less important - what CDPs are defined in the VPN server

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Mr555" <Mr555@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
3 months ago we migrated to Windows 2003 Server.

We have moved the entire FSMO role from our old Windows 2000 server
to our new Windows 2003 Server "Paul". Paul is now the forest root of
The IP address of Paul is

A few weeks ago our Windows 2000 certificate server "Spoon" died, we
rebuilt the certificate server to Windows 2003. The new certificate
now called "Mugen" and is configured as a stand-alone root CA member
The purpose of this certificate server is to authenticate VPN
our network and operates together with our netscreen VPN /

15 days ago, our VPN / firewall failed to retrieve CRL from
server. Therefore VPN connections stopped working.

Under extensive investigation, I have discovered we can only make
VPN/firewall to automatically obtain CRL from the certificate server
"Mugen",
if we specify the old LDAP server IP address " corp." which is,

If I enter the IP address of Paul to the VPN/ firewall
certificate settings, the automatic CRL retrieve will fail.

I have checked with the firewall support team. They said netscreen
supports Windows 2003 Server. They suspect I have not configured our
certificate server correctly to work under "Paul" LDAP Server.


Are there any configuration or security policy I need to configure
communication between LDAP "Paul" server and certificate server "

I need to specify "Paul" as the LDAP server on the VPN setup
Server, please help

Thank you


