PASW Smoke Test Errand will time out and fail when attempting to run `cf login`


Article ID: 297570


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:

Login is known to fail when both of the following conditions are true:

  • The Cloud Foundry environment does not have internet access.
  • The load balancer certificates have been configured to validate over the internet.

In an environment without an internet connection, the PASW Smoke Test Errand fails at login while waiting for certificate validation over the internet.

Environment


Cause

Online Certificate Status Protocol (OCSP) is a protocol for verifying the validity of an x509 certificate.

On Windows, OCSP validates an x509 certificate by contacting one of two validation authorities:

  • The certificate's designated OCSP "responder".
  • A Microsoft certificate validation server. If a certificate lacks a designated OCSP responder, Windows verifies the certificate by contacting a Microsoft server over the public internet.  

If certificate validation requires the public internet and the internet is not available, login will time out.

Resolution

To work around this, the x509 certificate must be re-configured to validate against the reachable local network.

There are two valid certificate configurations for Windows environments without an internet connection:

  • Configure the certificate to use an OCSP responder that is reachable from the local network.
  • Configure the certificate to use a Certificate Revocation List (CRL) that is reachable from the local network.
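
To confirm which case applies before reissuing a certificate, the following PowerShell script lists the OCSP and CRL URLs embedded in a certificate and tests whether each host answers from the Windows machine. It is an added example, not part of the original article or of any VMware tooling; the certificate file path and timeout are assumptions supplied by the operator, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original article). Save as a .ps1 and run on the Windows cell.
param(
    [Parameter(Mandatory)] [string] $CertPath,  # placeholder: exported load balancer certificate file
    [int] $TimeoutMs = 3000                     # assumed per-host connect timeout
)
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access: OCSP responder / CA issuer URLs
$cdpOid = '2.5.29.31'          # CRL Distribution Points

function Get-RevocationUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -notin $aiaOid, $cdpOid) { continue }
        $kind = if ($ext.Oid.Value -eq $aiaOid) { 'AIA' } else { 'CRL' }
        # Format($true) renders the extension as text, one "URL=..." entry per line.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
}

function Test-UrlHost {
    param([string] $Url, [int] $TimeoutMs)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $uri = [uri] $Url
        # TCP connect only: shows the host is reachable, not that it serves a valid response.
        return $client.ConnectAsync($uri.Host, $uri.Port).Wait($TimeoutMs)
    } catch {
        return $false   # refused, unresolvable, or a URL without a host
    } finally {
        $client.Close()
    }
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
$urls = @(Get-RevocationUrl -Cert $cert)
if (-not $urls) {
    Write-Warning 'Certificate names no OCSP responder or CRL URL.'
}
foreach ($u in $urls) {
    [pscustomobject]@{ Kind = $u.Kind; Url = $u.Url; Reachable = (Test-UrlHost $u.Url $TimeoutMs) }
}

# Windows' own chain and revocation check, which retrieves every URL in the certificate.
certutil -verify -urlfetch $CertPath
```

Any URL reported with `Reachable = False` from an isolated environment points to a validation endpoint that must be replaced with one on the local network.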