Share via


Configure Strong Certificate Revocation Checking for IPsec Authentication

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

By default, the DirectAccess server uses weak certificate revocation list (CRL) checking when performing certificate-based Internet Protocol security (IPsec) peer authentication with DirectAccess clients. For weak CRL checking, certificate revocation checking fails only if the validating computer confirms that the certificate has been revoked in the CRL.

This procedure describes how to enable strong CRL checking, in which certificate revocation checking fails if the validating computer confirms that the certificate has been revoked or for any error encountered during certificate revocation checking, including the inability to access the CRL distribution point.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure strong certificate revocation checking for IPsec authentication

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh –c advfirewall command.

  3. From the netsh advfirewall prompt, run the following commands:

    set store gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}”

    set global ipsec strongcrlcheck 2

    exit

  4. To update the DirectAccess server with this Group Policy change immediately, type the gpupdate /target:computer command.

Note

If you enable strong CRL checking and the DirectAccess server cannot reach the CRL distribution point, certificate-based IPsec authentication for all DirectAccess connections will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable strong CRL checking, certificate-based IPsec authentication for all DirectAccess connections will fail. Health certificates do not contain CRL distribution points because their lifetime is on the order of hours, instead of years for computer certificates.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.