Symptoms
Single sign-on authentication issues.
Cause
If a Microsoft Windows Domain Controller cannot reach the Certificate Revocation List (CRL) of the Awingu appliance, single sign-on authentication will fail.
Resolution
On each of the Microsoft Windows servers taking care of Kerberos authentication (for instance on the domain controllers):
- Open a Windows PowerShell console.
- Execute this command:
certutil -URL "http://<awingu_internal_ip>/crl/<AWINGUDOMAINNAME>.crl"
"http": leave this, the CRL is indeed fetched through HTTP (HTTPS not required).
<awingu_internal_ip> : replace this with the IP of the Awingu appliance.
<AWINGUDOMAINNAME> : should match the Awingu domain name - always in capitals (visible under System Settings > Global > Domains).
- In the window that appears, click [Retrieve].
If there is a problem obtaining the CRL, the reason can be found in the Windows Event Viewer under Custom > Administrative Events.
Microsoft Windows Servers should be able to access port 80 on the Awingu appliance. In customer cases, often a firewall is blocking this access.
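The same check can be scripted so it can be repeated on every domain controller and so a blocked port is told apart from a wrong CRL URL. This is an added example, not part of the original article or of Awingu's tooling; the function name Test-AwinguCrl and the temporary file name are hypothetical, and the placeholders are the same ones used in the command above.

```powershell
# Added example: checks from this server whether the Awingu CRL is reachable.
function Test-AwinguCrl {
    param(
        [Parameter(Mandatory)] [string] $ApplianceIp,  # IP of the Awingu appliance
        [Parameter(Mandatory)] [string] $DomainName    # Awingu domain name
    )
    # The CRL file name uses the domain name in capitals; it is fetched over plain HTTP.
    $crlUrl  = "http://$ApplianceIp/crl/$($DomainName.ToUpperInvariant()).crl"
    $crlFile = Join-Path $env:TEMP 'awingu-crl-check.crl'   # hypothetical scratch file

    # Step 1: is TCP port 80 on the appliance reachable from this server?
    $tcp = Test-NetConnection -ComputerName $ApplianceIp -Port 80 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "TCP 80 to $ApplianceIp is not reachable from $env:COMPUTERNAME. Check firewall rules."
        return $false
    }

    # Step 2: does the appliance serve a file at the expected CRL URL?
    try {
        Invoke-WebRequest -Uri $crlUrl -OutFile $crlFile -UseBasicParsing -ErrorAction Stop
    }
    catch {
        Write-Warning "Port 80 is open, but fetching $crlUrl failed: $($_.Exception.Message)"
        Write-Warning "Check the domain name in the URL against System Settings > Global > Domains."
        return $false
    }

    # Step 3: does the downloaded file decode as a CRL?
    $dump = certutil -dump $crlFile
    $ok = ($LASTEXITCODE -eq 0)
    if ($ok) {
        # Assumption: English certutil output, which labels the validity fields
        # ThisUpdate and NextUpdate. A NextUpdate in the past means a stale CRL.
        $dump | Select-String -Pattern 'ThisUpdate|NextUpdate' | ForEach-Object { Write-Host $_.Line.Trim() }
    }
    else {
        Write-Warning "The file served at $crlUrl could not be decoded as a CRL."
    }
    Remove-Item -Path $crlFile -ErrorAction SilentlyContinue
    return $ok
}

# Replace both placeholders before running.
Test-AwinguCrl -ApplianceIp '<awingu_internal_ip>' -DomainName '<AWINGUDOMAINNAME>'
```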
It's worth noting that Microsoft Windows Server caches CRLs. To clear this cache:
Execute these commands on the Kerberos Domain Controllers:
certutil -urlcache * delete
certutil -setreg chain\ChainCacheResyncFiletime @now
net stop certsvc
net start certsvc