To CRL or not to CRL. That is the question.

I recently got a call from a customer having problems opening content from the internet using the Passport Trust option of RMS. Looking at the DebugView logs, RMS was returning an error code of 8004CF3B. So I looked up the error in my handy-dandy TechNet:

https://msdn.microsoft.com/en-us/library/bb204613(VS.85).aspx

E_DRM_NO_CONNECT. Hmmmm...

So I had him try to access the licensing pipeline URL from the machine, and...it connects no problem. <<There's something on the wing....SOME...THING!!!>>

Certificate looks good, but it is an... internal CA cert.... Hmmmm...

Let's disable CRL checking in IE's settings (Tools > Internet Options > Advanced > Security | Uncheck both certificate revocation validation options).

Voilà... it works. So, moral of the story: Vista doesn't like it when you use an internal CA certificate, externally, when you have these options checked, and you are trying to use RMS. Use a Verisign or GoDaddy cert instead. XP doesn't seem to be bothered.

Whodathunkit?

-Jason

UPDATE: A buddy of mine, Barclay, pointed out that the other option is to expose your CRL Distribution point externally. Duh!!
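
The check behind both fixes above, as an added example that is not part of the original post: it pulls the server's certificate, lists its CRL distribution points, and tests whether each is reachable from the client machine. `rms.example.com` is a placeholder host, and the `URL=` parsing assumes the Windows rendering of the extension.

```powershell
# Added example: list the CRL distribution points (CDP) in a server's TLS
# certificate and test whether each one is reachable from this machine.
# 'rms.example.com' is a placeholder host, not a value from the post.
param(
    [string]$ServerName = 'rms.example.com',
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$Name, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Assumption: on Windows, Format() renders each location as "URL=<uri>".
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

$cert = Get-ServerCertificate -Name $ServerName -Port $Port
$urls = @(Get-CdpUrl -Cert $cert)
if ($urls.Count -eq 0) { Write-Output "No CDP extension in $($cert.Subject)" }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:// and file:// CDPs generally resolve only inside the issuing domain.
        Write-Output "SKIPPED      $url (non-HTTP, check from inside the network)"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Output "REACHABLE    $url (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    } catch {
        Write-Output "UNREACHABLE  $url ($($_.Exception.Message))"
    }
}
```

Run it from a machine outside the corporate network: any `UNREACHABLE` or `SKIPPED` entry is a distribution point that an external client with revocation checking enabled cannot fetch.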