I want to share with you my personal experience in troubleshooting an interesting problem where Exchange 2013 management interface shows the status of a certificate that I had imported as (Revocation Status Failed).
So why this is happening? When Exchange 2013 tries to enumerate certificates on the computer store for you in the Exchange Admin Center, it will try to check the revocation status for each certificate to make sure the certificate is Valid. To do that, it will try to download the CRL (Certificate Revocation List) file from the internet by looking at the certificate (CRL Distribution Points) attribute of that certificate.
This CRL file download is happening in the background when the server is restarted and using the SYSTEM account. So the SYSTEM account is trying to download something from the internet in the background, and for sure it will use the proxy settings in the IE that is configured for SYSTEM account, which is auto detect proxy settings.
Since the server is not configured to use DHCP, then the auto discover process will go to DNS and search for WPAD.dnssuffex.com , for example (wpad.contoso.com), and since I have such record in my DNS pointing to my proxy, then the SYSTEM account is trying to connect to my proxy, perhaps authenticate and then tries to download the CRL file.
This means also that each time the SYSTEM account in the Exchange 2013 needs to connect to internet, it will do that via my proxy which is something I do not like. I would rather like to have a direct connection from Exchange 2013 to the internet, especially if we are talking about hybrid configuration and Office 365.
How to solve this issue?
I started to think, if i could log on to the computer using SYSTEM account, open the IE and remove the Auto-detect proxy setting, then the problem would be solved and i will have a direct internet connectivity that will eliminate any complexity or authentication requirements on my proxy.
So i went to one of my favorite sites [Windows SysInternals] , and i have downloaded the PsExec tool, and copied it to the C:\ drive of my Exchange server. This tool has the option to initiate an executable remotely or locally using local system account.
The idea is that I want to run CMD using SYSTEM account interactively and then open IE from there. Once IE is opened in front of me using SYSTEM account, i can then remove the proxy auto-detect chec kbox from there. To do that, I logged on as a local administrator to one of my Exchange 2013 where i have PsExec copied on the C drive, and then I run:
psexec -i -d -s cmd
This will open a new CMD window for me. From that window, I can type WhoAmI and I can see that the CMD window is running under the SYSTEM account.
Now, I will open IE using SYSTEM context.
and from there I will remove the auto-detect proxy settings, so that SYSTEM will not use proxy when connecting to the internet to fetch the CRL of my certificate.