Re: Offline Smart Card Logon
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 10/22/04
- Previous message: David Cross [MS]: "Re: connect to the Certificate Server and get the Certificates information !"
- In reply to: MC: "Re: Offline Smart Card Logon"
- Next in thread: Miha Pihler: "Re: Offline Smart Card Logon"
Date: Fri, 22 Oct 2004 05:23:17 -0700
It may not be documented, but I do know this information authoritatively.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"MC" <seaedsit@hotmail.com> wrote in message news:eW4wZJ3tEHA.3680@TK2MSFTNGP10.phx.gbl...
> David,
> thanks for that important information.
>
> I couldn't find a statement that there's no revocation checking procedure
> when working offline in any MS document...
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:eHQu1h2tEHA.3200@TK2MSFTNGP09.phx.gbl...
>> Sorry Miha, but this time I have to correct you :-)
>>
>> Smart card logon, when performed offline, DOES NOT perform a revocation check
>> with a CRL. It uses the cached credential verifier and it will work
>> indefinitely, unless the enterprise has a policy to delete or expire the
>> cached logons.
>>
>> --
>> David B. Cross [MS]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> http://support.microsoft.com
>>
>> "MC" <seaedsit@hotmail.com> wrote in message
>> news:efuqh40tEHA.3932@TK2MSFTNGP10.phx.gbl...
>> > Mike,
>> >
>> > So it seems that there's a problem using smart card logon by mobile users
>> > who often work offline for a longer time.
>> > Of course I can set an externally accessible URL in the CDP. My problem is
>> > that those mobile clients are NOT connected to any network.
>> >
>> > So smart card logon would only work as long as the notebooks have a valid,
>> > not expired CRL in their cache. If the CRL has expired, smart card logon
>> > would fail, right?
>> >
>> > Another problem is that I can define the CRL expiration overlap time to
>> > only 12 hours. So, the mobile clients MUST go online BEFORE the CRL is
>> > going to expire and AFTER a new CRL has been published by the CA.
>> > Since I can only define a 12 hour window, the clients have only 12 hours
>> > to logon and download a valid "new" CRL. Is that true?
>> >
>> > Thanks
>> > MC
>> >
>> > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
>> > news:ecoNSRvtEHA.3628@tk2msftngp13.phx.gbl...
>> >> Hi,
>> >>
>> >> For successful smart card logon, a valid CRL (certificate revocation list)
>> >> must be available. You can add (you should add) a CDP (CRL Distribution
>> >> Point) that is publicly available for the clients that travel for longer
>> >> periods of time (also your business partners (or their e-mail client) might
>> >> want to check the validity of issued certificates if you exchange signed
>> >> e-mails). You can have your CDP at e.g. http://cdp.domain.com/ where
>> >> domain.com is your domain name and cdp.domain.com is an address accessible
>> >> from the internet. Once your CA issues a new CRL (it depends on your
>> >> configuration) or a CRL is issued manually, you can copy (or automate the
>> >> transfer of) the files to the URL that you defined as CDP.
>> >>
>> >> You can't add or edit the CDP list on certificates that are already issued
>> >> (if you do, the certificate signature becomes invalid). You have to add your
>> >> additional CDP on your CA first. Once you have made these changes on the CA,
>> >> you have to issue new certificates to users and these new certificates will
>> >> include the new CDP.
>> >>
>> >> Clients do cache the CRL and will use it as long as the CRL is valid.
>> >>
>> >> Troubleshooting Certificate Status and Revocation
>> >> http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
>> >>
>> >> Mike
>> >>
>> >> "MC" <seaedsit@hotmail.com> wrote in message
>> >> news:OQ1sd8utEHA.2116@TK2MSFTNGP14.phx.gbl...
>> >> > Hi,
>> >> >
>> >> > It's possible to logon to Windows XP via smart cards even when there's no
>> >> > network connection (offline due to cached credentials).
>> >> >
>> >> > How does Windows check if the smart card user certificate is valid when
>> >> > it's not possible to access a valid CRL?
>> >> >
>> >> > Does a Windows XP client cache the last known valid CRL?
>> >> >
>> >> > Is it still possible to logon offline via smart cards when the CRL has
>> >> > expired?
>> >> >
>> >> > Is there any procedure for dealing with notebook users, who often work
>> >> > offline for a long time (maybe several weeks)?
>> >> >
>> >> > Thanks
>> >> > MC
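The timing argument in this thread (CRL publish interval plus overlap gives the window in which a roaming client must reach the CDP, while an offline logon against the cached credential verifier never consults the CRL at all) is easy to get wrong when planning CRL lifetimes. The following model is an added example, not code from the thread or from Microsoft; it encodes only the behaviour the posters describe, with the CA period, overlap and the "cached logon present" policy switch as constructed inputs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CachedCrl:
    this_update: datetime
    next_update: datetime   # the cached CRL is usable until this instant


@dataclass(frozen=True)
class CaCrlPolicy:
    publish_interval: timedelta   # how often the CA publishes a new base CRL
    overlap: timedelta            # extra validity granted beyond the next publish time

    def issue(self, this_update: datetime) -> CachedCrl:
        return CachedCrl(this_update, this_update + self.publish_interval + self.overlap)

    def refresh_window(self, cached: CachedCrl):
        """Interval in which a client must reach the CDP to replace `cached`
        before it expires: the successor CRL appears at this_update + publish_interval
        and the old one stays valid for `overlap` beyond that (the 12 hours in the thread)."""
        return cached.this_update + self.publish_interval, cached.next_update


def smart_card_logon(cached: CachedCrl, now: datetime, online: bool,
                     cdp_reachable: bool, cached_logon_present: bool) -> str:
    """Classify the logon outcome exactly as the thread describes it (assumed model):
    online logon needs a valid CRL (cached or freshly fetched); offline logon uses the
    cached credential verifier and performs no revocation check at all."""
    crl_valid = cached.this_update <= now < cached.next_update
    if online:
        if crl_valid:
            return "online logon: revocation checked against cached CRL"
        if cdp_reachable:
            return "online logon: cached CRL expired, fresh CRL fetched from CDP"
        return "online logon fails: no valid CRL available"
    if cached_logon_present:
        return "offline logon: cached credential verifier, no revocation check"
    return "offline logon fails: no cached logon for this user"


if __name__ == "__main__":
    policy = CaCrlPolicy(publish_interval=timedelta(days=7), overlap=timedelta(hours=12))
    crl = policy.issue(datetime(2004, 10, 22, 5, 0))       # constructed timestamps
    print("refresh window:", policy.refresh_window(crl))
    for weeks_away in (0, 3):
        t = crl.this_update + timedelta(weeks=weeks_away)
        print(weeks_away, "weeks:", smart_card_logon(crl, t, online=False,
                                                    cdp_reachable=False, cached_logon_present=True))
```

The refresh window is the overlap period only, which is why a client that stays offline past it can still log on with cached credentials but cannot pass an online revocation check until it reaches the CDP.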