Re: CRL caching and smart card logon

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 11/28/05

  • Next message: Uljas Käki: "Re: CRL caching and smart card logon"
    Date: Mon, 28 Nov 2005 21:19:00 +0100
    
    

    Hi,

    Smartcard logon, when performed offline, does not perform a revocation check
    with a CRL. It uses the cached credential verifier and it will work
    indefinitely, unless the enterprise has a policy to delete or expire the
    cached logons.

    Other than this, a CRL has its "lifetime", which is configured on the CA server
    (e.g. one week). After this date is reached, if you can't access a new
    CRL you can expect to run into problems.

    -- 
    Mike
    Microsoft MVP - Windows Security
    "Uljas Käki" <someone@microsoft.com> wrote in message 
    news:dmfo4t$nae$1@phys-news4.kolumbus.fi...
    > We are implementing smart card logon with third-party certificates. We 
    > have Windows 2003 servers, Windows XP workstations and Windows 2003 CA 
    > (for domain controller certificates).
    >
    > As far as I have found out, when you log on with third-party certificates, 
    > domain controllers check the published CRL, which is published on the 
    > internet. How about the situation when the CRL is not available? For example, the 
    > CRL server or WAN link is down for some reason, or the computer where the 
    > user is logging on does not have a network connection (the user must have 
    > logged on to that computer earlier successfully, of course).
    >
    > I know that in this kind of situation things work OK, for a while at 
    > least. But if the CRL server is down, or no domain controller is available 
    > (cached credentials) for a longer time, when can I start expecting trouble? 
    > Theoretically, this situation could be that a person is on vacation or 
    > on a long business trip with his/her laptop, and has no connection to a DC 
    > or CRL point for, say, two months. Would there be some kind of trouble?
    >
    > Are there some settings which would affect any of these?
    >
    > Thanks, Uljas
    > 
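
The "lifetime" Mike refers to is the window between a CRL's thisUpdate and nextUpdate fields (RFC 5280). The following is an added example, not code from the thread or from Microsoft: it builds a constructed, unsigned v2 CRL skeleton in DER with the Python standard library, parses the two timestamps back out, and reports whether a cached copy is still fresh at a given moment, for instance after the two-month trip Uljas describes. The issuer name, the publication date and the one-week lifetime are constructed values; the signature is a placeholder, so the CRL can be parsed but never verified.

```python
"""Evaluate the validity window (thisUpdate / nextUpdate) of an X.509 CRL.

Stdlib only. The sample CRL is constructed here with a placeholder
signature, so it can be parsed but not verified. It illustrates the
"lifetime" a CA configures for its CRL (nextUpdate - thisUpdate).
"""
from datetime import datetime, timedelta, timezone

# ---- tiny DER encoder: only what a CertificateList skeleton needs ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def _utctime(dt: datetime) -> bytes:              # UTCTime, tag 0x17 (years < 2050)
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def _alg_sha256_rsa() -> bytes:                   # sha256WithRSAEncryption + NULL params
    return _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))

def _name_cn(cn: str) -> bytes:                   # Name = SEQ { SET { SEQ { id-at-commonName, UTF8String } } }
    return _seq(_tlv(0x31, _seq(_tlv(0x06, bytes.fromhex("550403")),
                                 _tlv(0x0C, cn.encode("utf-8")))))

def build_sample_crl(this_update: datetime, lifetime: timedelta) -> bytes:
    """Constructed v2 CRL with no revoked entries and a dummy signature."""
    tbs = _seq(_tlv(0x02, b"\x01"),               # version: v2
               _alg_sha256_rsa(),                 # signature algorithm
               _name_cn("Example Issuing CA"),    # constructed issuer name
               _utctime(this_update),             # thisUpdate
               _utctime(this_update + lifetime))  # nextUpdate = end of the CRL "lifetime"
    dummy_sig = _tlv(0x03, b"\x00" + b"\x00" * 32)  # BIT STRING placeholder, not a real signature
    return _seq(tbs, _alg_sha256_rsa(), dummy_sig)

# ---- tiny DER reader and the validity-window check ----
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag: int, body: bytes) -> datetime:
    # strptime's %y pivots at 69 rather than RFC 5280's 50; fine for 2000-2049 dates.
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("expected UTCTime or GeneralizedTime, got tag 0x%02x" % tag)
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity_window(der: bytes):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    _, cert_list, _ = _read_tlv(der, 0)           # CertificateList
    _, tbs, _ = _read_tlv(cert_list, 0)           # TBSCertList
    tag, _, pos = _read_tlv(tbs, 0)               # optional version, else signature alg
    if tag == 0x02:                               # version present: skip signature alg too
        _, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)               # issuer Name
    tag, body, pos = _read_tlv(tbs, pos)          # thisUpdate
    this_update = _parse_time(tag, body)
    next_update = None
    if pos < len(tbs):                            # nextUpdate is OPTIONAL but expected
        tag, body, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, body)
    return this_update, next_update

def crl_status(der: bytes, now: datetime) -> str:
    """'fresh' inside [thisUpdate, nextUpdate]; 'stale' past nextUpdate."""
    this_update, next_update = crl_validity_window(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is not None and now > next_update:
        return "stale"
    return "fresh"

# Constructed scenario: CRL published 2005-11-28 with a one-week lifetime.
PUBLISHED = datetime(2005, 11, 28, 12, 0, 0, tzinfo=timezone.utc)
LIFETIME = timedelta(days=7)
SAMPLE_CRL = build_sample_crl(PUBLISHED, LIFETIME)

def status_after_offline_days(days: int) -> str:
    """Status of the cached sample CRL after `days` without fetching a new one."""
    return crl_status(SAMPLE_CRL, PUBLISHED + timedelta(days=days))

if __name__ == "__main__":
    for d in (3, 7, 8, 60):
        print("offline %2d days -> %s" % (d, status_after_offline_days(d)))
```

A relying party that enforces revocation will refuse the cached CRL once it reports "stale", which is the point at which Mike expects trouble; the two-month trip in the question lands well past a one-week nextUpdate.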
    
