Re: Problem with smart card login

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 04/19/05


Date: Mon, 18 Apr 2005 23:47:50 -0500

In article <OI1JEBFRFHA.1236@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-comcast.net says...
> Depending on your security policy, a user may be able to logon with username
> and password if the smart card logon is not available. Can he logon if both
> the certificate and the private key have been deleted from the smart card??
> If you do not want a user to logon with a particular certificate, revoke the
> certificate and consider disabling the user account. For Windows 2000 it may
> take a computer up to a week to update its CRL with the current one as the
> computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
> default publishes the changes to the current CRL daily. Windows will cache
> some certificate information such as that for EFS until the computer is
> rebooted. You might also try rebooting the computer to see if there is a
> change in behavior. --- Steve
>
<snip>
Just one clarification...
Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
the system. Windows 2000 with MS04-11 uses the same certificate
validation process as Windows XP and Windows Server 2003.

If you are using Windows 2000, the deletion of a certificate will
require a reboot to clear the certificate, as mentioned by Steve.

Brian
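The thread's point, that a revocation only reaches a client once its cached CRL expires, and that a delta CRL shortens the wait from the base CRL's weekly schedule to the delta's daily one, is easy to see in a small simulation. The following is an added example written for this archive, not code from either poster or from Windows: it is a toy model in which a CA publishes a base CRL every seven days and a delta CRL every day (the defaults the thread mentions), and a client caches each CRL until its NextUpdate passes. The publication schedule, the certificate serial number and the revocation time are constructed values; the `account_enabled` flag stands in for the domain controller's own account check, which does not depend on any CRL cache.

```python
"""Toy model of how CRL caching delays the effect of a certificate revocation
on a smart-card logon client. Constructed example; not Windows code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers listed in this CRL


class CA:
    """Publishes a base CRL weekly and a delta CRL daily (thread defaults)."""

    def __init__(self, start, base_period=timedelta(days=7),
                 delta_period=timedelta(days=1)):
        self.start = start
        self.base_period = base_period
        self.delta_period = delta_period
        self.revocations = {}  # serial -> time the CA revoked it

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def _issue_time(self, now, period):
        # Most recent scheduled publication at or before `now`.
        return self.start + (now - self.start) // period * period

    def current_base(self, now):
        issued = self._issue_time(now, self.base_period)
        listed = frozenset(s for s, t in self.revocations.items() if t <= issued)
        return Crl(issued, issued + self.base_period, listed)

    def current_delta(self, now):
        issued = self._issue_time(now, self.delta_period)
        base_issued = self._issue_time(issued, self.base_period)
        # A delta CRL lists only revocations made since the base CRL it extends.
        listed = frozenset(s for s, t in self.revocations.items()
                           if base_issued < t <= issued)
        return Crl(issued, issued + self.delta_period, listed)


class Client:
    """A domain member that keeps each CRL in its cache until NextUpdate."""

    def __init__(self, ca, supports_delta):
        self.ca = ca
        self.supports_delta = supports_delta  # False: Windows 2000 without MS04-11
        self.base: Optional[Crl] = None
        self.delta: Optional[Crl] = None

    def _refresh(self, now):
        # Only re-fetch a CRL once the cached copy has expired.
        if self.base is None or now >= self.base.next_update:
            self.base = self.ca.current_base(now)
        if self.supports_delta and (self.delta is None or now >= self.delta.next_update):
            self.delta = self.ca.current_delta(now)

    def is_revoked(self, serial, now):
        self._refresh(now)
        listed = set(self.base.revoked)
        if self.supports_delta:
            listed |= self.delta.revoked  # merge delta entries into the base CRL
        return serial in listed


def logon_allowed(client, serial, now, account_enabled=True):
    """A disabled account is rejected immediately, regardless of the CRL cache."""
    if not account_enabled:
        return False
    return not client.is_revoked(serial, now)


def hours_until_rejected(supports_delta):
    """Hours between the CA revoking the cert and the client first rejecting it."""
    start = datetime(2005, 4, 11)  # constructed timeline: base CRL published each Monday
    ca = CA(start)
    client = Client(ca, supports_delta)
    serial = 0x1234  # constructed serial of the user's smart-card certificate
    logon_allowed(client, serial, start + timedelta(hours=1))  # populates the cache
    revoked_at = start + timedelta(days=2, hours=12)
    ca.revoke(serial, revoked_at)
    now = revoked_at
    while logon_allowed(client, serial, now):
        now += timedelta(hours=1)
    return (now - revoked_at) // timedelta(hours=1)


if __name__ == "__main__":
    for label, delta in (("base CRL only (Windows 2000 without MS04-11)", False),
                         ("base + delta CRL (XP, 2003, 2000 with MS04-11)", True)):
        print(f"{label}: revoked certificate still accepted for "
              f"{hours_until_rejected(delta)} h")
```

With the weekly base CRL alone the revoked certificate keeps working until the next base publication, four and a half days later in this timeline; with daily delta CRLs the window shrinks to the hours left before the next delta. Disabling the account closes the window at once, which is why the thread recommends doing both.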


