返回
-
标题
Error connecting with certificate user via Powershell 'connect-safeguard': "400; Bad Request -- 0: Access denied" -
说明
In this example a certificate has been issued with a CRL Distribution Point (CDP) extension pointing to an LDAP end point.Using the built-in certificate provider of Safeguard, Safeguard has no way to connect to this LDAP end point, as it does not allow anonymous connections.
-
原因
This error typically indicates that Safeguard cannot reach the revocation points (CRL & OSCP) set on the certificates. -
解决办法
In this example a certificate has been issued with a CRL Distribution Point (CDP) extension pointing to an LDAP end point.Using the built-in certificate provider of Safeguard, Safeguard has no way to connect to this LDAP end point, as it does not allow anonymous connections.
Review using one of the below options as a solution:
- Modify the Certificate Services server so as to not include any CDP extension.
- Configure OCSP and only include a CDP to the HTTP location.
- Instead of using the built-in certificate provider of Safeguard, configure an Active Directory Identity and Authentication Provider and add users from Active Directory and require them to authenticate with a certificate. When using the Active Directory provider and requiring certificate authentication, the CDP can point to either an LDAP end point or HTTP OCSP end point. Safeguard has special code to handle this scenario and because the Active Directory Identity and Authentication Provider has service account credentials, Safeguard can use those to access the LDAP end point, if necessary
- Modify the Certificate Services server so as to not include any CDP extension.
-
附件
