Configure Strong Certificate Revocation Checking for IPsec Authentication

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

By default, the DirectAccess server uses weak certificate revocation list (CRL) checking when performing certificate-based Internet Protocol security (IPsec) peer authentication with DirectAccess clients. For weak CRL checking, certificate revocation checking fails only if the validating computer confirms that the certificate has been revoked in the CRL.

This procedure describes how to enable strong CRL checking, in which certificate revocation checking fails if the validating computer confirms that the certificate has been revoked or for any error encountered during certificate revocation checking, including the inability to access the CRL distribution point.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure strong certificate revocation checking for IPsec authentication

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the following commands:

    set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"

    set global ipsec strongcrlcheck 2

    exit

  4. To update the DirectAccess server with this Group Policy change immediately, type the gpupdate /target:computer command.
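As an added example (not part of this topic), the following PowerShell script wraps steps 1 through 4: it first checks that the CRL distribution point (CDP) is reachable, since an unreachable CDP with strong checking enabled fails all IPsec peer authentication, then applies the setting to the DirectAccess Policy GPO store in a single netsh session and reads StrongCRLCheck back from show global. The GPO name keeps the DomainName placeholder from the procedure, and $CdpUrl is a placeholder you must replace with the CDP URL from your computer certificates; run the reachability check on the DirectAccess server itself, because that host's view of the CDP is the one that matters.

```powershell
# Added example; not Microsoft's code. Placeholders: DomainName in the GPO name
# and the CDP URL, which must be replaced with the values from your environment.
param(
    [string]$GpoStore = 'DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}',
    [string]$CdpUrl   = 'http://crl.example.com/placeholder.crl'   # placeholder CDP URL
)

# Returns $true if the CRL can be fetched over HTTP. Uses .NET WebRequest so it
# also runs under the PowerShell 2.0 that ships with Windows Server 2008 R2.
function Test-CdpReachable([string]$Url, [int]$TimeoutMs = 5000) {
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'GET'
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse()
        $ok = ($resp.StatusCode -eq 'OK')
        $resp.Close()
        return $ok
    } catch {
        Write-Warning "CDP $Url not reachable: $($_.Exception.Message)"
        return $false
    }
}

# Runs the netsh commands from one script file (netsh -f) so that the
# 'set store' selection stays in effect for the commands that follow it.
# Returns the StrongCRLCheck value parsed from 'show global', or -1 if absent.
function Set-StrongCrlCheck([string]$Store, [int]$Level = 2) {
    $script = [System.IO.Path]::GetTempFileName()
    @(
        'advfirewall',
        "set store gpo=`"$Store`"",
        "set global ipsec strongcrlcheck $Level",
        'show global'
    ) | Set-Content -Path $script -Encoding ASCII
    $output = & netsh -f $script
    Remove-Item $script
    foreach ($line in $output) {
        # 'show global' prints the value as "StrongCRLCheck   <n>:<description>"
        if ($line -match '^\s*StrongCRLCheck\s+(\d)') { return [int]$matches[1] }
    }
    return -1
}

if (-not (Test-CdpReachable $CdpUrl)) {
    throw 'CDP unreachable; enabling strong CRL checking now would break IPsec authentication.'
}
$applied = Set-StrongCrlCheck -Store $GpoStore -Level 2
if ($applied -ne 2) { throw "StrongCRLCheck is $applied in the GPO store, expected 2" }
Write-Host "StrongCRLCheck=2 written to '$GpoStore'; run gpupdate /target:computer on the DirectAccess server."
```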

Note

If you enable strong CRL checking and the DirectAccess server cannot reach the CRL distribution point, certificate-based IPsec authentication for all DirectAccess connections will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable strong CRL checking, certificate-based IPsec authentication for all DirectAccess connections will fail. Health certificates do not contain CRL distribution points because their lifetime is on the order of hours, instead of years for computer certificates.
