Re: Offline Smart Card Logon
From: MC (seaedsit_at_hotmail.com)
Date: 10/21/04
- Next message: Miha Pihler: "Re: multiple certificates on a smartcard?"
- Previous message: PK: "Re: Certificate Renewal / Smart Cards"
- In reply to: PK: "Re: Offline Smart Card Logon"
- Next in thread: PK: "Re: Offline Smart Card Logon"
- Reply: PK: "Re: Offline Smart Card Logon"
Date: Thu, 21 Oct 2004 23:18:00 +0200
Did you boot your XP workstation offline, or did you disconnect it from the
network after logon?
If the XP workstation is running for a longer time with a logged-on user, the
Kerberos ticket is going to expire after 10 hours by default, I think. After
that time period the Kerberos ticket must be renewed. To perform the
Kerberos ticket renewal, the private key on the smart card is needed, so
user input would be required.
If the workstation is booted offline, the user gets no "new" Kerberos
ticket, so there should be no need to contact a DC, because cached
credentials are used.
MC
"PK" <pk@no.spam> wrote in message
news:OQMyBv6tEHA.3788@TK2MSFTNGP09.phx.gbl...
> My testing also confirms what David says.
>
> However, I noticed the other day that if you configure smartcard removal
> behaviour to lock the screen, then the client machine (xp) seems to need to
> contact the domain controller. A gotcha, for me at least...
> Or could xp offline be configured to even recover from smartcard removal and
> re-insert?
>
> PK
>
> "David Cross [MS]" <dcross@online.microsoft.com> skrev i meddelandet
> news:eHQu1h2tEHA.3200@TK2MSFTNGP09.phx.gbl...
> > Sorry Miha, but this time I have to correct you :-)
> >
> > smartcard logon, when performed offline, DOES NOT perform a revocation check
> > with a CRL. It uses the cached credential verifier and it will work
> > indefinitely, unless the enterprise has a policy to delete or expire the
> > cached logons.
> >
> > --
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "MC" <seaedsit@hotmail.com> wrote in message
> > news:efuqh40tEHA.3932@TK2MSFTNGP10.phx.gbl...
> > > Mike,
> > >
> > > So it seems that there's a problem using smart card logon by mobile users
> > > who often work offline for a longer time.
> > > Of course I can set an externally accessible URL in the CDP. My problem is
> > > that those mobile clients are NOT connected to any network.
> > >
> > > So smart card logon would only work as long as the notebooks have a valid,
> > > not expired CRL in their cache. If the CRL has expired, smart card logon
> > > would fail, right?
> > >
> > > Another problem is that I can define the CRL expiration overlap time to
> > > only 12 hours. So, the mobile clients MUST go online BEFORE the CRL is
> > > going to expire and AFTER a new CRL has been published by the CA.
> > > Since I can only define a 12 hour window, the clients have only 12 hours
> > > to log on and download a valid "new" CRL. Is that true?
> > >
> > > Thanks
> > > MC
> > >
> > > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> > > news:ecoNSRvtEHA.3628@tk2msftngp13.phx.gbl...
> > >> Hi,
> > >>
> > >> For successful smart card logon, a valid CRL (certificate revocation list)
> > >> must be available. You can add (you should add) a CDP (CRL Distribution
> > >> Point) that is publicly available for the clients that travel for longer
> > >> periods of time (also your business partners (or their e-mail client) might
> > >> want to check the validity of an issued certificate if you exchange signed
> > >> e-mails). You can have your CDP at e.g. http://cdp.domain.com/ where
> > >> domain.com is your domain name and cdp.domain.com is an address accessible
> > >> from the internet. Once your CA issues a new CRL (it depends on your
> > >> configuration) or a CRL is issued manually, you can copy (or automate the
> > >> transfer of) the files to the URL that you defined as CDP.
> > >>
> > >> You can't add or edit the CDP list on certificates that are already issued
> > >> (if you do, the certificate signature becomes invalid). You have to add your
> > >> additional CDP on your CA first. Once you have made these changes on the CA,
> > >> you have to issue new certificates to users and these new certificates will
> > >> include the new CDP.
> > >>
> > >> Clients do cache the CRL and will use it as long as the CRL is valid.
> > >>
> > >> Troubleshooting Certificate Status and Revocation
> > >> http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
> > >>
> > >> Mike
> > >>
> > >> "MC" <seaedsit@hotmail.com> wrote in message
> > >> news:OQ1sd8utEHA.2116@TK2MSFTNGP14.phx.gbl...
> > >> > Hi,
> > >> >
> > >> > It's possible to log on to Windows XP via smart cards even when there's no
> > >> > network connection (offline due to cached credentials).
> > >> >
> > >> > How does Windows check if the smart card user certificate is valid when
> > >> > it's not possible to access a valid CRL?
> > >> >
> > >> > Does a Windows XP client cache the last known valid CRL?
> > >> >
> > >> > Is it still possible to log on offline via smart cards when the CRL has
> > >> > expired?
> > >> >
> > >> > Is there any procedure for how to deal with notebook users who often work
> > >> > offline for a long time (maybe several weeks)?
> > >> >
> > >> > Thanks
> > >> > MC
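The 12-hour window MC asks about can be made concrete. The following Python is an added example, not code from the thread or from Microsoft; it assumes a CA schedule in which each CRL is valid for the publication period plus the overlap and the successor CRL is published when the period ends (an assumption about the model, stated in the code), and it uses constructed dates.

```python
from datetime import datetime, timedelta

# Assumed model of the CA schedule under discussion (an assumption, not
# something the thread states in these terms): a CRL issued at thisUpdate is
# valid until thisUpdate + publication period + overlap, and the successor CRL
# is published when the publication period ends. A client keeps using its
# cached CRL until nextUpdate, so it only picks up a newer one inside the overlap.

# Constructed sample values: weekly CRL, 12-hour overlap, issued 1 Oct 2004.
PERIOD = timedelta(days=7)
OVERLAP = timedelta(hours=12)
ISSUED = datetime(2004, 10, 1, 0, 0)


def crl_validity(issued_at, period, overlap):
    """(thisUpdate, nextUpdate) of the CRL issued at `issued_at`."""
    return issued_at, issued_at + period + overlap


def refresh_window(issued_at, period, overlap):
    """Interval in which the successor CRL exists while the cached one is still valid."""
    successor_published = issued_at + period
    _, next_update = crl_validity(issued_at, period, overlap)
    return successor_published, next_update


def cached_crl_state(issued_at, period, overlap, now):
    """Classify a client's cached CRL (issued at `issued_at`) at time `now`."""
    start, end = refresh_window(issued_at, period, overlap)
    if now < start:
        return "valid, no newer CRL published yet"
    if now <= end:
        return "valid, newer CRL available: refresh before nextUpdate"
    return "expired"


def remaining_offline_time(issued_at, period, overlap, fetched_at):
    """How long a client that fetched this CRL at `fetched_at` can stay offline
    before the cached copy expires. Worst case (fetched just before the
    successor appears) is the overlap itself, i.e. the 12-hour window."""
    _, next_update = crl_validity(issued_at, period, overlap)
    if not issued_at <= fetched_at <= next_update:
        raise ValueError("fetched_at must lie within the CRL's validity")
    return next_update - fetched_at


if __name__ == "__main__":
    start, end = refresh_window(ISSUED, PERIOD, OVERLAP)
    print("refresh window:", start, "->", end, "length", end - start)
    print(cached_crl_state(ISSUED, PERIOD, OVERLAP, datetime(2004, 10, 8, 6)))
    print("offline budget if fetched 7 Oct 23:00:",
          remaining_offline_time(ISSUED, PERIOD, OVERLAP, datetime(2004, 10, 7, 23)))
```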