AD CS: Web server should allow URI containing the "+" character to enable publishing of delta CRLs

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

The certificate revocation list (CRL) distribution point extension on this certification authority (CA) includes a URI for a remote Web server. If the Web server is running IIS 7.0 with the default configuration, then delta CRL URIs that contain the plus sign (+) will be blocked.

Request filtering in Internet Information Services (IIS) scans the content of incoming requests and blocks or allows them according to the requirements of an organization's security policy. In IIS 7.0, the default request filtering configuration blocks requests whose URI contains a plus sign (+). The plus sign (+) is part of every delta CRL URI, so the Web server must be configured to allow it.

Impact

Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail.

Certificate validation is critical to a correctly functioning public key infrastructure (PKI). Many applications require revocation status checking during certificate validation. If the URI included in the CRL distribution point extension is blocked by the Web server, then clients may not be able to retrieve the delta CRL and certificate validation may fail.

Resolution

If the Web server that hosts the delta CRL is running IIS 7.0, then ensure that the request filtering setting allowDoubleEscaping is set to true (allowDoubleEscaping="true" on the requestFiltering section) in the applicationHost.config file. The IIS 7.0 default is false, which is what causes the plus sign (+) to be rejected.

Follow these steps to verify or change the request filtering configuration by using Server Manager.

To configure request filtering

  1. On the Web server, open Server Manager.

  2. Double-click Roles, double-click Web Server (IIS), and then click IIS Manager.

  3. In the console tree, click the virtual directory that hosts the CRL.

  4. In the features view, double-click Request Filtering.

  5. In the actions view, click Edit Feature Settings.

  6. Select the Allow Double Escaping check box.

To use Appcmd.exe or to edit the applicationHost.config file directly, follow the steps described in the support article titled Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED".
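The same check and change can be scripted with the IIS WebAdministration module. The following is an added example, not part of this topic or of Microsoft's tooling; it assumes a site named "Default Web Site" with a "CertEnroll" virtual directory hosting the CRLs, a constructed delta CRL URI (http://pki.contoso.com/CertEnroll/Contoso-CA+.crl), and PowerShell 3.0 or later for the Invoke-WebRequest verification step.

```powershell
# Added example (not from the original topic). Scopes allowDoubleEscaping to the
# CRL virtual directory only, then verifies the delta CRL can actually be fetched.
Import-Module WebAdministration

$vdirPath    = 'IIS:\Sites\Default Web Site\CertEnroll'            # assumption: CRL virtual directory
$filter      = 'system.webServer/security/requestFiltering'
$deltaCrlUrl = 'http://pki.contoso.com/CertEnroll/Contoso-CA+.crl'  # constructed delta CRL URI (note the "+")

# 1. Report the current value; $false is the IIS 7.0 default that blocks "+" in the URI.
$current = Get-WebConfigurationProperty -PSPath $vdirPath -Filter $filter -Name 'allowDoubleEscaping'
Write-Host ("allowDoubleEscaping on {0}: {1}" -f $vdirPath, $current.Value)

# 2. Enable it for the CRL directory only, so the relaxation does not apply server-wide.
if (-not $current.Value) {
    Set-WebConfigurationProperty -PSPath $vdirPath -Filter $filter -Name 'allowDoubleEscaping' -Value $true
    Write-Host "Enabled allowDoubleEscaping for $vdirPath"
}

# Equivalent Appcmd.exe command for the same scope, if you prefer the approach in the linked support article:
#   %windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/CertEnroll" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:True

# 3. Verify the way a relying party would: request the delta CRL and confirm IIS no longer
#    answers with HTTP 404.11 (URL_DOUBLE_ESCAPED). A successful fetch returns the DER-encoded CRL bytes.
try {
    $resp = Invoke-WebRequest -Uri $deltaCrlUrl -UseBasicParsing
    Write-Host ("Delta CRL retrieved: HTTP {0}, {1} bytes" -f $resp.StatusCode, $resp.RawContentLength)
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    Write-Warning "Delta CRL request failed with HTTP $status; a 404 with substatus 11 means the '+' is still being filtered."
}
```

Run the script on the Web server after the CA has published a delta CRL, and repeat the verification from a client network segment if a proxy or load balancer sits in front of IIS, since those can reject the "+" independently of request filtering.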

Additional references