Interesting stuff, I'm assuming you've read pages like this -> Certificate Autoenrollment in Windows Server 2003



I'm *guessing* (no experience) the CAs need to be online and contactable for things like CRL (Cert Revocation List) checking and simply updating your installed certs? Try disabling Certificate Revocation List (CRL) checking and see if that stops it...Turn CRL checking on or off

^ i m reading the above stuff ... meanwhile can u tell me what were those WPAD emtries in trace ... are those the Auto config proxy settings that the IE client is trying to fetch ... >

Looked at the capture/trace file and searched the Net, yes those WPAD must be auto proxy discovery requests to your saggu.com domain... maybe you should either disable that option in your VMware Windows installation or configure DHCP so the VM can access your DHCP server or create a proxy DNS entry wpad.saggu.com like some of the search results seem to indicate:



Thomas Shinder Blog Blog Archive WPAD Autodiscovery and Qualifiying Unqualfied Names



We know IE! : WPAD detection in Internet Explorer

Originally Posted by vishalrao

Interesting stuff, I'm assuming you've read pages like this -> Certificate Autoenrollment in Windows Server 2003



I'm *guessing* (no experience) the CAs need to be online and contactable for things like CRL (Cert Revocation List) checking and simply updating your installed certs? Try disabling Certificate Revocation List (CRL) checking and see if that stops it...Turn CRL checking on or off

Shukria for the URL,s provided .... herez the fetched info







Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.



Now how to do the above marked in Bold chars ...





Following process helped to identify the kaput ...



Autoenrollment Failures



Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template.



To enable the warning feature for an autoenrollment failure



1. Open the specified template in the Certificate Templates MMC snap-in.

2. Click the Request Handling tab.

3. Click Prompt the user during enrollment on the Request Handling tab of the certificate template properties.



here is error screenshot ...







Now this means that the Certificate that interCA enrolled to issuingCA had CRL defined on it ... with the time when to check for an updation of the CRL ... new clients who try to autoenroll check CRL list of entire tree ... is this same appliciable for DeltaCRL ... now how to get the clients not to check CRL CDP ... via GPO,s ... ?

Yes Delta CRL should be affected/fixed the same way. Hmmm, not sure here, especially about GPO settings, I just googled and got these links:



Certificate Revocation and Status Checking

Troubleshooting Certificate Status and Revocation

Turn CRL checking on or off



See section D of first link... also did the "Turning CRL on or off" link also posted earlier not help?



In IE advanced settings tab there is an option to turn off CRL checking not sure if it works only for IE or for the entire OS...



edit: worst case you can generate new certs with the CDP removed

Originally Posted by vishalrao

Yes Delta CRL should be affected/fixed the same way. Hmmm, not sure here, especially about GPO settings, I just googled and got these links:

edit: worst case you can generate new certs with the CDP removed

Well removing CDP won't do any good as some certs purposes won't work, what proper configuration required is highlighted here

A Microsoft PKI Quick Guide – Part 3: Installation

[Off topic]

Interesting to see this thread. Dunno how i missed this when it started last year. As Vishalsir would know I am also getting my feet wet in identity mgmt, and federation in particular. Never had a chance to work with Certserver 2K3 but have been using Cert Server Role in Win2K8.

[/Off topic]