SSTP Windows VPN Client Error: The revocation function was unable to check revocation

If you are deploying SSTP VPN for Windows clients and get the error: “The revocation function was unable to check revocation because the revocation server was offline.”, you are most likely using your own internal PKI and the certificate used for SSTP does not have a Certificate Revocation List (CRL) accessible from the outside, so the client machine is failing checking whether or not the certificate has been revoked from the CA. If you simply want to bypass this, you can edit the registry on the client:

Disable CRL Checking on VPN Client

  1. Start Registry Editor (Regedit.exe)
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Sstpsvc > Parameters
  3. On the Edit menu > New > DWORD (32-bit) Value > and then add the following registry value:
    Value Name: NoCertRevocationCheck
    Value Data: 1

In the following video I setup SSTP VPN almost from scratch in about 10 minutes. I did run into a snag while Windows complained about a CN (common name) mismatch while it was actually a Subject Alternative Name DNS mismatch, not CN. I inadvertently proved that SSTP relies on the SAN name in the certificate. After 41 years of being in business they still don’t get their error messages right.

If you’re wondering why I’m specifying port 444 instead of leaving the port blank or entering 443, I’m performing port translation (PAT) on the firewall since I’m already using https for something else.

sysadminshowto.com for the NoCertRevocationCheck reg string

Disqus Comments Loading...
All Rights ReservedRegular Version