Re: CRL caching and smart card logon

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 11/29/05


Date: Tue, 29 Nov 2005 20:23:51 +1100

The DC won't accept outdated CRL and logon will fail by default. The
behaviour can be changed though:

http://support.microsoft.com/?id=887578

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Uljas Käki" <someone@microsoft.com> wrote in message 
news:dmfppc$dj$1@phys-news4.kolumbus.fi...
> Hi,
>
> thanks for a quick response. By CRL lifetime, do you mean CRL's property 
> "Next update", when (at latest) the new CRL should be received? In theory, 
> if CRL point is down when this specific time arrives, would this cause 
> trouble? Or do DCs check the CRL also before that specific time? In case 
> it would have been updated before the deadline...
>
> BR, Uljas
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message 
> news:ue6s5jF9FHA.3804@TK2MSFTNGP14.phx.gbl...
>> Hi,
>>
>> Smartcard logon, when performed offline, does not perform a revocation 
>> check with a CRL.  It uses the cached credential verifier and it will 
>> work indefinitely, unless the enterprise has a policy to delete or expire 
>> the cached logons.
>>
>> Other than this, CRL has its "lifetime" which is configured on CA server 
>> (e.g. one week). After this date is reached and if you can't access new 
>> CRL -- you can expect to run into problems.
>>
>> -- 
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Uljas Käki" <someone@microsoft.com> wrote in message 
>> news:dmfo4t$nae$1@phys-news4.kolumbus.fi...
>>> We are implementing smart card logon with third-party certificates. We 
>>> have Windows 2003 servers, Windows XP workstations and Windows 2003 CA 
>>> (for domain controller certificates).
>>>
>>> As far as I have found out, when you log on with third-party 
>>> certificates, domain controllers check the published CRL, which is 
>>> published on the internet. How about situation, when CRL is not available? 
>>> For example, the CRL server or WAN link is down for some reason, or the 
>>> computer where the user is logging on, does not have network connection 
>>> (the user must have logged on to that computer earlier successfully, of 
>>> course).
>>>
>>> I know that in this kind of situation things work ok, for a while at 
>>> least. But if CRL server is down, or no domain controller is available 
>>> (cached credentials) for longer time, when can I start expecting 
>>> trouble? Theoretically, this situation could be that a person is on a 
>>> vacation or on a long business trip with his/her laptop, and has no 
>>> connection to DC or CRL point for, say, two months. Would there be some 
>>> kind of trouble?
>>>
>>> Are there some settings which would affect any of these?
>>>
>>> Thanks, Uljas
>>>
>>
>>
>
> 
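The two points made above (Mike's "lifetime" of a CRL, i.e. its thisUpdate/nextUpdate window, and the default rule that a DC will not accept a CRL that is past nextUpdate) as an added example that is not code from any poster or from Microsoft: a Python script that reads both dates straight out of a DER-encoded CRL and applies the default freshness rule. The fixture CRL and the accept_stale flag are constructed assumptions for the demonstration; the flag only models the relaxed behaviour the thread says is configurable, not the actual setting in KB 887578.

```python
from datetime import datetime, timezone

def tlv(data, pos):
    """Read one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def enc(tag, payload):
    """Encode one short-form DER TLV (payload < 128 bytes); used only to build the fixture."""
    return bytes([tag, len(payload)]) + payload

def der_time(tag, val):
    """Decode UTCTime (0x17, two-digit year rule of RFC 5280) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der_bytes):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate is None when absent."""
    _, cert_list, _ = tlv(der_bytes, 0)                # CertificateList
    _, tbs, _ = tlv(cert_list, 0)                      # tbsCertList
    tag, _, after = tlv(tbs, 0)
    pos = after if tag == 0x02 else 0                  # skip the optional version INTEGER
    _, _, pos = tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)                          # issuer Name
    tag, val, pos = tlv(tbs, pos)                      # thisUpdate
    this_update, next_update = der_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = tlv(tbs, pos)
        if tag in (0x17, 0x18):                        # nextUpdate is OPTIONAL
            next_update = der_time(tag, val)
    return this_update, next_update

def crl_usable(der_bytes, now, accept_stale=False):
    """Default DC rule: a CRL past nextUpdate is rejected; accept_stale models the relaxed setting."""
    this_update, next_update = crl_validity(der_bytes)
    if now < this_update:
        return False                                   # CRL not yet valid
    return accept_stale if next_update and now > next_update else True

def fixture_crl(this_update=b"051122000000Z", next_update=b"051129000000Z"):
    """Constructed one-week v1 CRL with a dummy signature, not the output of any real CA."""
    sha1_rsa = enc(0x30, enc(0x06, bytes.fromhex("2A864886F70D010105")) + enc(0x05, b""))
    cn = enc(0x30, enc(0x06, bytes.fromhex("550403")) + enc(0x13, b"Test CA"))
    tbs = enc(0x30, sha1_rsa + enc(0x30, enc(0x31, cn)) + enc(0x17, this_update) + enc(0x17, next_update))
    return enc(0x30, tbs + sha1_rsa + enc(0x03, b"\x00" * 17))
```

Against a real CRL file (`open("ca.crl", "rb").read()`) the parser reports the same two dates that certutil shows as "This Update" and "Next Update"; a CRL with extensions or a version field is handled, one with an unusual signature algorithm is not special-cased.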

