An unknown error occurred while processing the certificate

This post will discuss an issue that has cropped up a few times when clients try and access an SSL application on a backend server published through Forefront UAG.

The issue:

A client that is trying to access an SSL application on a backend server (e.g. Exchange) that is published through the Forefront UAG portal gets an error, specifically:

“An unknown error occurred while processing the certificate. Contact the site administrator”.

The cause:

This has nothing to do with the UAG certificates themselves but is most likely caused by an invalid certificate on the backend server. By default, Forefront UAG validates both the certificate and the revocation list of each SSL backend server during the TLS handshake procedure. In the event where the certificate or the CRL are not valid, users are denied access to that given backend server. This is also the case if the CRL distribution point is unavailable for any reason.

An easy way to identify if this is indeed the case is to open Internet Explorer on the Forefront UAG computer, and then try to access the backend server directly. If you get a certificate error at this stage, you have identified the problem as a certificate issue on the backend server.

The solution:

The best practice is to fix the certificate on the backend server, making sure to use a valid certificate. If you cannot (or don’t want to) fix the certificate for some reason, another option is available: Disable the registry key(s) controlling the validation and/or the CRL checks that Forefront UAG performs.

Note that disabling the validation and/or the CRL check is not recommended (the validation check that Forefront UAG performs is there for a reason after all), but is offered as an alternative workaround to be used at your own discretion.

So, to disable the(se) checks in the Registry Editor:

  1. On the UAG Server, open the Registry Editor (Start –> Run –> Type “regedit” and click OK).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL.
  3. To cancel the validation check, right-click ValidateRwsCert, select Modify, and change the Value data to 0.
  4. To cancel the CRL check, right-click ValidateRwsCertCRL, select Modify, and change the Value data to 0.
  5. Close the Registry Editor
  6. Activate the UAG configuration to make the change permanent (otherwise, a reboot will revert it)
  7. If this is applied to a UAG array, the registry needs to be edited only on the array manager. The activation will push it to the other server/s
  8. Restart the IIS service on the Forefront UAG server. If this is an array, this needs to be done on all members.

Meir Feinberg, Technical Writer, Forefront Edge
David Bahat, SDET, Forefront Edge
Revised on 1 Nob 2011 by Ben Ari, UAG Support

Comments (5)

  1. Anonymous says:

    This was a work around and not an identification of root cause.

    We found a duplicate certificate in the mmc/certificate component that was removed quite some time ago.

    Once we removed the certificate and set the registry keys back, all worked.

  2. Dennis says:

    Nice article but I know my SSl certificate is valid + I performed your recommended registry changes and still have the same error.

  3. naztee says:

    Same here, I've disabled the certificates through registry, but I still get the error. When trying from UAG machine with IE, no certificate error (I've entered the IP with corresponding hostname from certificate to hosts file).

  4. Anonymous says:

    Document Version 1.2 – 11/9/2011 Executive Summary