Re: Offline Smart Card Logon
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 10/21/04
- Next message: MC: "Re: Offline Smart Card Logon"
- Previous message: Glenn L: "Re: connect to the Certificate Server and get the Certificates information !"
- In reply to: MC: "Re: Offline Smart Card Logon"
- Next in thread: MC: "Re: Offline Smart Card Logon"
- Reply: MC: "Re: Offline Smart Card Logon"
- Reply: Miha Pihler: "Re: Offline Smart Card Logon"
- Reply: PK: "Re: Offline Smart Card Logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 21 Oct 2004 05:21:29 -0700
Sorry Miha, but this time I have to correct you :-)
Smart card logon, when performed offline, DOES NOT perform a revocation check
with a CRL. It uses the cached credential verifier and it will work
indefinitely, unless the enterprise has a policy to delete or expire the
cached logons.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"MC" <seaedsit@hotmail.com> wrote in message news:efuqh40tEHA.3932@TK2MSFTNGP10.phx.gbl...
> Mike,
>
> So it seems that there's a problem using smart card logon for mobile users
> who often work offline for a longer time.
> Of course I can set an externally accessible URL in the CDP. My problem is
> that those mobile clients are NOT connected to any network.
>
> So smart card logon would only work as long as the notebooks have a valid,
> not expired CRL in their cache. If the CRL has expired, smart card logon
> would fail, right?
>
> Another problem is that I can define the CRL expiration overlap time to
> only 12 hours. So the mobile clients MUST go online BEFORE the CRL is
> going to expire and AFTER a new CRL has been published by the CA.
> Since I can only define a 12 hour window, the clients have only 12 hours
> to log on and download a valid "new" CRL. Is that true?
>
> Thanks
> MC
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:ecoNSRvtEHA.3628@tk2msftngp13.phx.gbl...
>> Hi,
>>
>> For successful smart card logon, a valid CRL (certificate revocation list)
>> must be available. You can add (you should add) a CDP (CRL Distribution
>> Point) that is publicly available for the clients that travel for longer
>> periods of time (also your business partners (or their e-mail client) might
>> want to check the validity of an issued certificate if you exchange signed
>> e-mails). You can have your CDP at e.g. http://cdp.domain.com/ where
>> domain.com is your domain name and cdp.domain.com is an address accessible
>> from the internet. Once your CA issues a new CRL (it depends on your
>> configuration) or a CRL is issued manually, you can copy (or automate the
>> transfer of) the files to the URL that you defined as the CDP.
>>
>> You can't add or edit the CDP list on certificates that are already issued
>> (if you do, the certificate signature becomes invalid). You have to add your
>> additional CDP on your CA first. Once you have made these changes on the CA,
>> you have to issue new certificates to users and these new certificates will
>> include the new CDP.
>>
>> Clients do cache the CRL and will use it as long as the CRL is valid.
>>
>> Troubleshooting Certificate Status and Revocation
>> http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
>>
>> Mike
>>
>> "MC" <seaedsit@hotmail.com> wrote in message
>> news:OQ1sd8utEHA.2116@TK2MSFTNGP14.phx.gbl...
>> > Hi,
>> >
>> > It's possible to log on to Windows XP via smart cards even when there's
>> > no network connection (offline due to cached credentials).
>> >
>> > How does Windows check if the smart card user certificate is valid when
>> > it's not possible to access a valid CRL?
>> >
>> > Does a Windows XP client cache the last known valid CRL?
>> >
>> > Is it still possible to log on offline via smart cards when the CRL has
>> > expired?
>> >
>> > Is there any procedure for dealing with notebook users who often work
>> > offline for a long time (maybe several weeks)?
>> >
>> > Thanks
>> > MC
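The 12 hour window MC asks about, worked through as an added example (my code, not code from the thread or from Microsoft). It assumes a hypothetical CA that publishes a CRL every 7 days with nextUpdate = thisUpdate + period + a 12 hour overlap, computes when a client holding the previous CRL can still refresh it, and tests whether a cached CRL is within its validity period at a given logon time; as David notes above, a genuinely offline logon uses the cached credential verifier instead, so this models the online revocation path.

```python
from datetime import datetime, timedelta

# Hypothetical CA settings modelled on the thread (constructed, not taken
# from any real CA): a weekly CRL with the 12 hour overlap the poster mentions.
CRL_PERIOD = timedelta(days=7)
CRL_OVERLAP = timedelta(hours=12)


def crl_schedule(first_publish, count):
    """Return (thisUpdate, nextUpdate) for `count` consecutive CRLs.

    Assumption: a CRL is published every CRL_PERIOD and its nextUpdate is
    thisUpdate + CRL_PERIOD + CRL_OVERLAP, so neighbours overlap by CRL_OVERLAP."""
    schedule = []
    for i in range(count):
        this_update = first_publish + i * CRL_PERIOD
        schedule.append((this_update, this_update + CRL_PERIOD + CRL_OVERLAP))
    return schedule


def refresh_window(schedule, i):
    """Window in which a client holding CRL i can download CRL i+1 while CRL i
    is still valid: opens when CRL i+1 is published, closes at CRL i's nextUpdate."""
    opens = schedule[i + 1][0]
    closes = schedule[i][1]
    return opens, closes


def cached_crl_at(schedule, fetched_at):
    """The CRL a client obtains when it goes online at `fetched_at`: the most
    recently published one, or None if nothing has been published yet."""
    published = [crl for crl in schedule if crl[0] <= fetched_at]
    return published[-1] if published else None


def cached_crl_valid(schedule, fetched_at, logon_at):
    """True if the CRL fetched at `fetched_at` is still inside its validity
    period at `logon_at`, i.e. a revocation check could pass from the cache alone."""
    crl = cached_crl_at(schedule, fetched_at)
    if crl is None:
        return False
    this_update, next_update = crl
    return this_update <= logon_at < next_update


if __name__ == "__main__":
    sched = crl_schedule(datetime(2004, 10, 21), 3)
    opens, closes = refresh_window(sched, 0)
    print("refresh window:", opens, "->", closes, "=", closes - opens)
    print(cached_crl_valid(sched, datetime(2004, 10, 22, 9), datetime(2004, 10, 28, 6)))
```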