If you like to muck around with Azure & Entra Certificate Based Authentication (CBA), you'll be familiar with the importance of a Certificate Revocation List (CRL).

One day, while trying to log in to admin.microsoft.com with a certificate, I ran into this AADSTS220501 error, so I started troubleshooting it.

What's interesting is that the CRL was online, accessible & downloadable - in other words, the CRL specified within Entra was seemingly operating normally (both on web and internally).

After a few hours of troubleshooting (I started from the very bottom - IP Addresses, DNS, firewalls, NAT, etc.), I ultimately figured my issue was due to an expired CRL (!).

• In case you didn't know, CRLs themselves do expire.

Expired CRL Example.

• Check your CRL's "Next Update" date.
• If <today's date> is later than your "Next Update" date -> Your CRL is past due!
• Authenticating to admin.microsoft.com with your Certificate ain't gonna happen.

FINDING THE ROOT CAUSE.

When searching for the root cause of an issue, you'll inevitably look at "what's changed".

My IIS Web Server (the member server hosting the CRL) recently got an in-place upgrade from Windows Server 2012 R2 to Windows Server 2022.

• All went well except for one detail - under 2012 R2, my CRL was served from its own dedicated (custom) website on IIS.

Example of dedicated CRL website.

However, during the in-place upgrade (from 2012 R2 to 2022), the AD CS Web Enrollment role got reconfigured with the Microsoft defaults.

SO:
• A new CRL ended-up getting created under the "Default Web Site" (on IIS).

Example of Default Web Site CRL.

• In summary, you end up with two (different) "CertEnroll" folder locations:
  1. The Microsoft default folder location - Path: C:\Windows\System32\certsrv\CertEnroll
  2. The custom dedicated CRL website folder location - say (Path): C:\www\crl

As a result:
• Your CA keeps publishing its CRL to its usual location - say C:\www\crl
• Your IIS Web Server instead serves the Microsoft default CRL (from C:\Windows\System32\certsrv\CertEnroll).

Since your CRL is usually served over http -> the website seemingly kept working as usual (the IIS web server was reachable anyway, via the "Default Web Site").

• Problem is, the CRL the website actually serves is no longer the copy your CA updates.

So it's just a matter of time before your CRL expires!
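To catch both conditions above (IIS serving a copy from a different folder than the one the CA publishes to, and a CRL past its "Next Update" date), here is an added PowerShell check; it is example code written for this post, not a Microsoft tool. The CDP URL and the publication path are placeholders you replace with your own values, and it assumes certutil -dump prints a "NextUpdate:" line in the current locale's date format.

```powershell
# Added example (not from the original post): compare the CRL that IIS actually serves
# with the CRL file the CA publishes on disk, then report the served CRL's "Next Update".
# Placeholders: replace $CdpUrl and $PublishedCrl with your own CDP URL and CA publication path.
$CdpUrl       = 'http://crl.example.com/crl/MyCA.crl'   # placeholder: the CDP URL configured in Entra
$PublishedCrl = 'C:\www\crl\MyCA.crl'                   # placeholder: the custom folder the CA publishes to
$ServedCrl    = Join-Path $env:TEMP 'served.crl'

# 1. Fetch the CRL the same way Entra does: a plain HTTP GET of the CDP URL.
Invoke-WebRequest -Uri $CdpUrl -OutFile $ServedCrl -UseBasicParsing

# 2. Same bytes? If IIS serves from another folder (e.g. the Default Web Site's CertEnroll),
#    the hashes differ, which is exactly the "stale copy" situation described above.
$servedHash    = (Get-FileHash -Algorithm SHA256 -Path $ServedCrl).Hash
$publishedHash = (Get-FileHash -Algorithm SHA256 -Path $PublishedCrl).Hash
if ($servedHash -ne $publishedHash) {
    Write-Warning "IIS is NOT serving the CRL the CA publishes to $PublishedCrl (hash mismatch)."
} else {
    Write-Host "Served CRL matches the published file."
}

# 3. Read the served CRL's NextUpdate via certutil.
#    Assumption: certutil -dump prints a line " NextUpdate: <date> <time>" in the current locale.
$dump = certutil -dump $ServedCrl
$line = $dump | Where-Object { $_ -match '^\s*NextUpdate:\s*(.+)$' } | Select-Object -First 1
if (-not $line) { throw "No NextUpdate line in certutil output; is $ServedCrl really a CRL?" }
$nextUpdate = [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', ''))

if ((Get-Date) -gt $nextUpdate) {
    Write-Warning "Served CRL expired on $nextUpdate - CBA will fail with AADSTS220501 until it is refreshed."
} else {
    Write-Host "Served CRL is valid until $nextUpdate."
}

# 4. On the IIS box: list every site and its virtual directories with their physical paths,
#    so a second, default-configured CertEnroll location is easy to spot.
Import-Module WebAdministration
Get-Website | Select-Object Name, State, PhysicalPath
Get-Website | ForEach-Object {
    Get-WebVirtualDirectory -Site $_.Name | Select-Object @{n='Site';e={$_.ItemXPath -replace ".*@name='([^']+)'.*", '$1'}}, Path, PhysicalPath
}
```

Run step 4 on the IIS server and, on the CA itself, `certutil -getreg CA\CRLPublicationURLs` to see where the CA writes its CRL; the folder IIS serves for the CDP path and the folder the CA publishes to must be the same one, otherwise the hash mismatch in step 2 will reappear at the next CRL publication.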

In other words, whenever you try to log in via CBA to admin.microsoft.com -> Azure fetches your CRL from the web service -> Azure checks the CRL's Next Update date -> if that date has passed -> CBA fails with error AADSTS220501. One way to fix it is as described above.

Further reading.

Microsoft Entra authentication & authorization error codes | Microsoft Learn
