Re: CRL caching and smart card logon
From: Uljas Käki (someone_at_microsoft.com)
Date: 11/28/05
- Previous message: Miha Pihler [MVP]: "Re: CRL caching and smart card logon"
- In reply to: Miha Pihler [MVP]: "Re: CRL caching and smart card logon"
- Next in thread: S. Pidgorny: "Re: CRL caching and smart card logon"
- Reply: S. Pidgorny: "Re: CRL caching and smart card logon"
Date: Mon, 28 Nov 2005 22:36:51 +0200
Hi,
thanks for the quick response. By CRL lifetime, do you mean the CRL's property
"Next update", i.e. when (at the latest) the new CRL should be received? In theory,
if the CRL point is down when this specific time arrives, would this cause
trouble? Or do DCs also check the CRL before that specific time, in case it
has been updated before the deadline?
BR, Uljas
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:ue6s5jF9FHA.3804@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Smartcard logon, when performed offline, does not perform a revocation
> check with a CRL. It uses the cached credential verifier and it will work
> indefinitely, unless the enterprise has a policy to delete or expire the
> cached logons.
>
> Other than this, the CRL has its "lifetime", which is configured on the CA server
> (e.g. one week). After this date is reached, if you can't access the new
> CRL you can expect to run into problems.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Uljas Käki" <someone@microsoft.com> wrote in message
> news:dmfo4t$nae$1@phys-news4.kolumbus.fi...
>> We are implementing smart card logon with third-party certificates. We
>> have Windows 2003 servers, Windows XP workstations and Windows 2003 CA
>> (for domain controller certificates).
>>
>> As far as I have found out, when you log on with third-party
>> certificates, domain controllers check the published CRL, which is
>> published on the internet. How about the situation when the CRL is not available?
>> For example, the CRL server or WAN link is down for some reason, or the
>> computer where the user is logging on does not have a network connection
>> (the user must have logged on to that computer earlier successfully, of
>> course).
>>
>> I know that in this kind of situation things work OK, for a while at
>> least. But if the CRL server is down, or no domain controller is available
>> (cached credentials) for a longer time, when can I start expecting trouble?
>> Theoretically, this situation could be that a person is on vacation or
>> on a long business trip with his/her laptop, and has no connection to a DC
>> or CRL point for, say, two months. Would there be some kind of trouble?
>>
>> Are there some settings which would affect any of these?
>>
>> Thanks, Uljas
>>
>
>
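The "Next update" property the question turns on is the nextUpdate field of the CRL's tbsCertList (RFC 5280, section 5.1), and the "lifetime" in the reply is the interval between thisUpdate and nextUpdate. The following Python is an added example, not code from this thread, from Windows or from any CA product: with a small DER encoder it builds a constructed sample CRL (fictitious issuer "Constructed Test CA", a placeholder signature, a one-week lifetime matching the "e.g. one week" in the reply, one revoked serial), parses thisUpdate, nextUpdate and the revoked serials back out with a minimal DER reader, and classifies a cached copy as valid or expired at a given point in time. It shows the date check a relying party applies to a cached CRL; it does not model the Windows cached-credential behaviour the reply describes, and it does not verify the CRL signature.

```python
"""Minimal DER parser for X.509 CRLs (RFC 5280, section 5): reads
thisUpdate / nextUpdate and the revoked serials, then reports whether a
cached copy is still inside its validity window. Signature NOT verified."""
from datetime import datetime, timedelta, timezone


# ---- tiny DER encoder, used only to construct the sample CRL ---------------
def der(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with DER definite-length encoding."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def integer(i: int) -> bytes:
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def utctime(dt: datetime) -> bytes:
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

# Constructed sample (not a real CA): issued 2005-11-28, one-week lifetime.
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("0603550403")                 # OID 2.5.4.3 commonName
ALG_ID = seq(SHA256_RSA, der(0x05, b""))             # AlgorithmIdentifier + NULL
ISSUER = seq(der(0x31, seq(OID_CN, der(0x13, b"Constructed Test CA"))))
THIS_UPDATE = datetime(2005, 11, 28, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(days=7)
REVOKED_SERIAL = 0x1001

def build_sample_crl() -> bytes:
    """Syntactically valid CertificateList with a placeholder signature."""
    tbs = seq(
        integer(1),                                   # version v2
        ALG_ID, ISSUER,
        utctime(THIS_UPDATE), utctime(NEXT_UPDATE),
        seq(seq(integer(REVOKED_SERIAL),              # revokedCertificates
                utctime(THIS_UPDATE - timedelta(days=1)))),
    )
    return seq(tbs, ALG_ID, der(0x03, b"\x00" + b"\xaa" * 16))  # fake BIT STRING


# ---- parser ----------------------------------------------------------------
def read_tlv(buf: bytes, off: int):
    """Return (tag, value, offset_after) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nb], "big"), 2 + nb
    start = off + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length

def children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        yield tag, val

def parse_time(tag: int, val: bytes) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), Zulu with seconds."""
    text = val.decode("ascii")
    if tag == 0x17:                       # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:                     # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError(f"unexpected time tag {tag:#x}")
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("CRL times must be Zulu with seconds")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)

def parse_crl(der_bytes: bytes) -> dict:
    """CertificateList -> dict(version, this_update, next_update, revoked)."""
    tag, cert_list, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("CRL must be a SEQUENCE")
    items = list(children(next(children(cert_list))[1]))   # tbsCertList
    i, version = 0, 1
    if items[0][0] == 0x02:                                 # optional version
        version, i = int.from_bytes(items[0][1], "big") + 1, 1
    i += 2                                                  # skip sig alg, issuer
    this_update = parse_time(*items[i]); i += 1
    next_update = None
    if i < len(items) and items[i][0] in (0x17, 0x18):      # nextUpdate OPTIONAL
        next_update = parse_time(*items[i]); i += 1
    revoked = []
    if i < len(items) and items[i][0] == 0x30:              # revokedCertificates
        for _, entry in children(items[i][1]):
            serial, when = list(children(entry))[:2]
            revoked.append((int.from_bytes(serial[1], "big"), parse_time(*when)))
    return {"version": version, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}


# ---- the date check a relying party applies to a cached CRL ---------------
def crl_status(crl: dict, now: datetime) -> str:
    if now < crl["this_update"]:
        return "not-yet-valid"
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "expired"               # stale cache: a fresh CRL must be fetched
    return "valid"

def status_after_days(crl: dict, days: int) -> str:
    """Status of the cached CRL `days` after it was issued (thisUpdate)."""
    return crl_status(crl, crl["this_update"] + timedelta(days=days))

def is_revoked(crl: dict, serial: int) -> bool:
    return any(s == serial for s, _ in crl["revoked"])

if __name__ == "__main__":
    crl = parse_crl(build_sample_crl())
    print("nextUpdate:", crl["next_update"].isoformat())
    for days in (3, 7, 8, 60):              # the "two months offline" scenario
        print(f"day {days:>2}: {status_after_days(crl, days)}")
```

With the one-week lifetime the cached copy is reported as valid through day 7 and expired from day 8 on, so in the two-month scenario any logon path that actually performs a CRL check would fail well before the laptop reconnects unless it can fetch a fresh CRL. On Windows, `certutil -dump <file.crl>` prints the same ThisUpdate and NextUpdate fields for a real CRL, which is the quickest way to read the lifetime a CA has configured.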