Event ID - 18

Event Id18
SourceMicrosoft-Windows-OnlineResponderRevocationProvider
DescriptionFor configuration %1, the Online Responder revocation provider found a delta CRL that refers to a newer base CRL.
Event InformationAccording to Microsoft :

Cause :

This event is logged when the Online Responder revocation provider found a delta CRL that refers to a newer base CRL.

Resolution :

Ensure that the delta CRL version matches the base CRL version
A delta certificate revocation list (CRL) can only be used with a corresponding base CRL. To ensure that the delta CRL version matches the base CRL vesion:
Check for CRL publishing errors on the certification authority (CA).
Republish base and delta CRLs.
Check and update local CRLs on the Online Responder computer.
Refresh and update revocation information on the Online Responder.
Confirm that the configured CRL distribution points on the CA and Online Responder use the same location.
Update revocation information.
If the problem persists, use CryptoAPI 2.0 Diagnostics to obtain additional information about the problem
To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.
Check for CRL publishing errors on the CA
To check for CRL publishing errors on the CA:
1.On the CA, click Start, point to Administrative Tools, and click Event Viewer.
2.Check for additional errors or warnings related to CRL publishing.
3.Resolve any problems identified, and republish both the base and delta CRLs.
Republish base and delta CRLsTo republish base and delta CRLs:
1.Open a command prompt window on the CA.
2.Type certutil -crl and press ENTER.
3.Confirm that no further errors or events are logged.
Check and update local CRLs on the Online Responder computer
To ensure that current base and delta CRLs are available on the Online Responder:
1.On the computer hosting the Online Responder, click Startmmc, and then press ENTER.
2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3.On the File menu, click Add/Remove Snap-inCertificates, and then click Add.
4.Click Service account, and click Next.
5.In Select Service, click Online Responder Service, click Finish, and then click OK.
6.Select the Certificate Revocation List folder for either the Intermediate Certification Authorities or Trusted Root Certification Authorities containers, depending on the type of CA that supports the Online Responder service.
7.Check the BaseCRLNumber specified in the delta CRL indicator extension of the delta CRL. This number should reference the version number of a published base CRL.
8.If this number does not match the version number of a published base CRL, republish both the base and delta CRLs by opening a command prompt window on the CA and running the following command: certutil -crl.
9.Retrieve updated CRL data on the Online Responder. To do this, restart the Online Responder service on each Array member or right-click Array configuration in the Online Responder snap-in, and click Refresh Revocation Data.Then confirm that the base and delta CRL version numbers match.
Confirm that the configured CRL distribution points on the CA and Online Responder use the same location
To confirm that the configured CRL distribution points on the CA and Online Responder use the same location:
1.On the Online Responder, click Start, point to Administrative Tools, and click Online Responder.
2.In the console tree, select the revocation configuration node.
3.In the details pane, right-click the revocation configuration specified in the event description, and click Edit Properties.
4.Click the Revocation Provider tab, and click ProviderBase CRLs and Delta CRLs.
5.Confirm that the Online Responder computer can access these locations.
6.Open the Certification Authority snap-in, right-click the name of the CA, and click Properties.
7.On the ExtensionsCRL Distribution Point extension, note the URLs that are listed, and confirm that the URLs on the two computers use the same location.
Update revocation information
You can update revocation information by retrieving an updated CRL. An updated CRL can be retrieved by:
Using the Services snap-in console to restart the Online Responder service
Using the Online Responder snap-in to refresh revocation data and confirming that the error does not appear
To update revocation information for an Online Responder by using the Services snap-in console:
1.On the Online Responder, click Start, point to Administrative Tools, and click Services.
2.Click Online Responder Services, and click Restart.
To update revocation information for an Online Responder by using the Online Responder snap-in:
1.On the computer hosting the Online Responder, click Start, point to Administrative Tools, and click Online Responder.
2.Right-click Array Configuration, and click Refresh Revocation Data.
3.Confirm that no additional errors are reported.
4.Click the Online Responder node, and confirm that the revocation configuration is listed as Working.
5.Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.
6.Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.
7.Confirm that no additional errors are reported
Enable CryptoAPI 2.0 Diagnostics
To enable CryptoAPI 2.0 Diagnostics:
1.On the Online Responder, click Start, point to Administrative Tools, and click Event Viewer.
2.In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
3.Right-click Operational, and click Enable Log.
4.Click Start, point to Administrative Tools, and click Services.
5.Right-click Active Directory Certificate Services, and click Restart.
Depending on the results from the procedures above and enabling CryptoAPI 2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the Online Responder service.
Reference LinksEvent ID 18 from Source Microsoft-Windows-OnlineResponderRevocationProvider

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.