A user receives the message “the certificate revocation list server could not be reached” when they click the reset password link at the logon screen, but not when they browse to the reset page after logging in.
At the logon screen the computer has no access to the internet, so it cannot download the certificate revocation list (CRL) that the certificate check requires.
You can use one of the following three options to solve this issue:
- Add a new rule to your proxy that allows “Domain Computers” to reach the CRL servers on the internet. No user is logged on when the reset link is clicked, so the CRL download runs in the computer's security context; that is why the rule is scoped to the computer accounts rather than to users. The rule will look similar to the example below:
    Source: internal network
    Destination: IP address of the CRL server
    Access Group: “Domain Computers”
- Disable the CRL check on the client.
Note: This disables revocation checking for all certificates on that client, not only for the reset page. If you visit a site whose certificate has been revoked, the client will still establish a connection it reports as secure; only an expired certificate would still be rejected.
- If you have an internal Certificate Authority, issue the reset page's certificate from it instead of using a public certificate. This works because the CRL distribution point of an internally issued certificate is normally reachable on the internal network, so the client can download the CRL from the logon screen.
Note: A public certificate remains the better choice if you plan to allow users to reset their passwords from outside the network.
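To confirm which CRL servers the client must reach, and whether the proxy rule from the first option actually lets it reach them, the following PowerShell diagnostic was added here as an example; it is not part of the original article or of any product. It connects to the reset page, reads the CRL Distribution Point URLs from the server certificate and tries to download each one. Run it under the SYSTEM account (for example with PsExec -s) to reproduce the logon-screen context; the hostname in $ResetHost is a placeholder.

```powershell
# Added diagnostic, not from the original article.
# Reads the CRL Distribution Point URLs from the reset page's TLS certificate
# and checks whether each can be downloaded from this machine.
param(
    [string]$ResetHost = 'reset.example.internal',   # placeholder hostname, replace it
    [int]$Port = 443
)

# Fetch the server certificate. Chain validation is skipped on purpose here
# because we only want to read the certificate's extensions, not trust it.
$tcp = New-Object System.Net.Sockets.TcpClient($ResetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($ResetHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# The CRL Distribution Points extension has OID 2.5.29.31; pull the URLs out of its formatted text.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Output "Certificate for $ResetHost has no CRL Distribution Point extension"
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s\)]+') | ForEach-Object { $_.Value }

# Try to download every CRL. The request uses the default proxy settings of the
# account running the script, which is what the logon-screen check also relies on.
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        Write-Output ("{0}: reachable ({1} bytes)" -f $url, $resp.RawContentLength)
    }
    catch {
        Write-Output ("{0}: NOT reachable - {1}" -f $url, $_.Exception.Message)
    }
}
```

A URL reported as not reachable when run as SYSTEM but reachable as a logged-in user points at the proxy rule (or its access group) rather than at the certificate itself; for a certificate saved to a file, certutil -urlfetch -verify <file> reports the same CRL reachability.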