ADFS behind Websense or Bluecoat causes CRL check to fail

Scenario: You configure a relying party trust in ADFS for SSO. ADFS event logs show this error: “The encryption certificate of the relying part trust … is not valid. It might indicate that the certificate has been revoked, expired, or that the certificate chain is not trusted.”


After verifying that the certificate chain is valid the next thing to check is whether the ADFS server can make an outbound port 80 call to the HTTP path defined in the relying part trust’s SSL certificate for the Certificate Revocation List (CRL).

The easiest thing to do is browse to the internet from the ADFS server to make sure outbound port 80 is open.

But if the ADFS server sits behind a proxy server, then the winhttp service will not automatically inherit the proxy server settings from Internet Explorer.

You can configure the winhttp service to use the proxy server. Run this on the ADFS server in an elevated CMD session:

netsh winhttp import proxy source=ie

The above article also says you can disable ADFS from performing a CRL check, but this should only be used for troubleshooting, because CRL checking is a good idea for security (what if the certificate was compromised?).
Set-AdfsClaimsProviderTrust -TargetName “<IDP name>” -SigningCertificateRevocationCheck None