Zachary Loeber


OCS 2007 R2: CRL Issue Causing Address Book Download Error

I ran into this issue recently. End users experienced a red splat in Communicator indicating that there was an issue syncing the corporate address book. I found this excellent article explaining how an invalid Certificate Revocation List error may be causing this issue. My issue was similar in nature but with some caveats.

First, I had no trouble reaching the published CRL. You can find the CRL distribution points (CDP) for the OCS pool's certificate by browsing to https://yourpool.contoso.internal/Abs/Ext/Files/Invalid_AD_Phone_Numbers.txt in IE, clicking the security lock next to the URL in the browser, and selecting “View certificate”. On the Details tab select “CRL Distribution Points” and copy the field's contents into Notepad for later use.

In my case I had two URLs:

URL=ldap:///CN=Contoso%20US%20Issuing%20CA%201,CN=CONTOSOCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://internal.contoso.com/pki/Contoso%20US%20Issuing%20CA%201+.crl

If I went directly to the HTTP URL I was able to download the CRL without issues. I was not certain how to test the LDAP URL, but a quick search gave me what I needed:

certutil -URL ldap:///CN=Contoso%20US%20Issuing%20CA%201,CN=CONTOSOCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint

When the interface comes up, click the Retrieve button to fetch the CRLs from the CDP. You should get a list showing the base CRL and any delta CRLs. In my case, though, the HTTP URL showed as “Failed”. Since I knew the URL worked from a manual check, I was a bit perplexed as to why it showed as failed.
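The same diagnosis can be scripted so it does not depend on the certificate dialog or the certutil -URL GUI. The following is an added example, not code from the original post: it pulls the CRL Distribution Points extension from the pool's web certificate, downloads each HTTP CDP and confirms the result parses as a CRL, then runs certutil -verify -urlfetch so the LDAP CDPs are exercised as well. It assumes Windows PowerShell 5.1 on a domain-joined client and the hypothetical pool URL used in the post.

```powershell
# Added example (not from the original post): enumerate and test the CDPs of
# the OCS pool certificate without the GUI. The pool URL is the hypothetical
# one from the post; replace it with your own pool.
param(
    [string]$PoolUrl = 'https://yourpool.contoso.internal/Abs/Ext/Files/Invalid_AD_Phone_Numbers.txt'
)

# Capture the server certificate from the TLS handshake. A 401/403/404 on the
# request itself is fine; ServicePoint.Certificate is populated regardless.
$req = [System.Net.HttpWebRequest]::Create($PoolUrl)
$req.Method = 'HEAD'
try { $req.GetResponse().Close() } catch { }
$raw = $req.ServicePoint.Certificate
if (-not $raw) { throw "No certificate retrieved from $PoolUrl" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders
# it exactly as the certificate dialog's Details tab does ("URL=..." lines).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw 'Certificate has no CRL Distribution Points extension' }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$urls | ForEach-Object { Write-Host "CDP: $_" }

# Check each HTTP CDP directly. An HTTP error here is what the "Failed" entry
# in certutil -URL means; certutil -dump catches a 200 that is not a real CRL.
foreach ($u in $urls | Where-Object { $_ -like 'http*' }) {
    $out = Join-Path $env:TEMP ([IO.Path]::GetFileName([uri]::UnescapeDataString($u)))
    try {
        Invoke-WebRequest -Uri $u -OutFile $out -UseBasicParsing
        & certutil.exe -dump $out | Select-String 'This Update|Next Update' |
            ForEach-Object { Write-Host "  $($_.Line.Trim())" }
        Write-Host "OK: $u"
    } catch {
        Write-Warning "FAILED: $u ($($_.Exception.Message))"
    }
}

# Full chain and revocation check across every CDP, LDAP included, no GUI.
# Look for "Failed" or "Error retrieving URL" lines in the output.
$cerPath = Join-Path $env:TEMP 'pool.cer'
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
& certutil.exe -verify -urlfetch $cerPath | Select-String 'Verified|Failed|Error retrieving'
```

Run it from a workstation that exhibits the red splat, since that is the network position whose CRL fetches matter; certutil -verify -urlfetch reports each CDP and AIA URL it tried, so a delta CRL that the web server refuses shows up as a Failed line even when the base CRL downloads cleanly.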

What it ended up being was that the site hosting the CRL HTTP URL had been migrated from an older IIS 5 server to IIS 7.5, and IIS 7.5 rejects a “+” character in the URL path by default: its request filtering treats it as a possible double-escaping attempt and returns 404 (substatus 404.11) instead of serving the file, and delta CRL file names carry a “+” suffix. The resolution was to convince IIS 7.5 to accept the plus character, which is the requestFiltering allowDoubleEscaping setting; scope it to the PKI directory rather than the whole server, since it relaxes a request-filtering check for every application it covers (alternatively, don't use the + character in your published CRL URL or file names).
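Here is the IIS side of that fix as an added example, not the post's own procedure: it reads the current allowDoubleEscaping value for the PKI virtual directory, probes the delta CRL URL, enables double escaping for that directory only, and probes again. It assumes the WebAdministration module on IIS 7.5 (Windows Server 2008 R2), a site named Default Web Site with a pki virtual directory, and the hypothetical delta CRL URL from the post.

```powershell
# Added example (not from the original post): allow the "+" in delta CRL names
# on IIS 7.5 by enabling double escaping for the /pki directory only, then
# re-test. Site, directory and URL below are assumptions matching the post.
Import-Module WebAdministration

$site     = 'Default Web Site'
$vdir     = 'pki'
$filter   = 'system.webServer/security/requestFiltering'
$deltaCrl = 'http://internal.contoso.com/pki/Contoso%20US%20Issuing%20CA%201+.crl'

function Get-AllowDoubleEscaping {
    # Reads the effective value at the /pki location (inherits from the site
    # or server level unless overridden there).
    (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" -Filter $filter).allowDoubleEscaping
}

function Test-CrlUrl([string]$Url) {
    # Returns the HTTP status code. Request filtering answers 404 (substatus
    # 404.11, "double escape sequence") for a "+" while double escaping is off.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Before: the IIS 7.x default (false) is what blocks the delta CRL.
Write-Host ("allowDoubleEscaping on /{0} before: {1}   HTTP {2}" -f $vdir, (Get-AllowDoubleEscaping), (Test-CrlUrl $deltaCrl))

# Fix, scoped to the CRL directory. Setting it at the server or site level
# would switch off this request-filtering check for every application.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" `
    -Filter $filter -Name allowDoubleEscaping -Value $true

Write-Host ("allowDoubleEscaping on /{0} after:  {1}   HTTP {2}" -f $vdir, (Get-AllowDoubleEscaping), (Test-CrlUrl $deltaCrl))

# Equivalent web.config fragment that ends up under the /pki location:
# <system.webServer><security><requestFiltering allowDoubleEscaping="true" /></security></system.webServer>
```

The same change from a command prompt is appcmd set config "Default Web Site/pki" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true. After the change, re-run the CDP check from the client side; a delta CRL that now returns 200 but does not pass certutil -dump points at a different problem (a stale or mis-published file) rather than at request filtering.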

After this was resolved I tested Communicator after setting the GAL download initial delay to zero with a registry change.

For 32 bit OSes:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator]
"GalDownloadInitialDelay"=dword:00000000

For 64 bit OSes:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Wow6432Node\Policies\Microsoft\Communicator]
"GalDownloadInitialDelay"=dword:00000000

When I restarted Communicator the red splat went away for a few hours but eventually came back. After restarting the front-end OCS servers it went away permanently.
