The client is unable to get configuration even though he can connect through the browser to the ICT webservice.

There are no certificate errors or any other HTTP error, but the RightsWATCH logs have an HTTP error 0 there.

The configuration can be retrieved if you use fiddler to decrypt the https traffic in order to understand what is happening.

This will happen, most of the times, with users running the ICT client in a PC not Domain joined or to users working outside the corporate network - CRL not accessible (e.g.: firewall) or wrongly published. 

This will only happen if the ICT SSL certificate is being generated by the Internal CA and should only happen if you do not have access to your company's internal Certifications Revocation List (Command where certificate_name is the certificate issued for the machine and associated with the IIS bindings: certutil -f -urlfetch -verify certificate_name.cer):