CRL caching and smart card logon


Uljas Käki

We are implementing smart card logon with third-party certificates. We have
Windows 2003 servers, Windows XP workstations and Windows 2003 CA (for
domain controller certificates).

As far as I have found out, when you log on with third-party certificates,
domain controllers check the published CRL, which is published on the Internet.
What about the situation when the CRL is not available? For example, the CRL server
or WAN link is down for some reason, or the computer where the user is
logging on does not have a network connection (the user must have logged on
to that computer earlier successfully, of course).

I know that in these kinds of situations things work OK, for a while at least.
But if the CRL server is down, or no domain controller is available (cached
credentials) for a longer time, when can I start expecting trouble?
Theoretically, this situation could be that a person is on vacation or on
a long business trip with his/her laptop, and has no connection to a DC or CRL
point for, say, two months. Would there be some kind of trouble?

Are there some settings which would affect any of these?

Thanks, Uljas
 

Miha Pihler [MVP]

Hi,

Smartcard logon, when performed offline, does not perform a revocation check
with a CRL. It uses the cached credential verifier and it will work
indefinitely, unless the enterprise has a policy to delete or expire the
cached logons.

Other than this, the CRL has its "lifetime" which is configured on the CA server
(e.g. one week). After this date is reached, if you can't access a new
CRL, you can expect to run into problems.
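The two things the reply above points at (how long cached logons are kept, and when the published CRL expires) can both be checked from a Windows machine. The script below is an added example written for this thread, not code from either poster or from Microsoft; it assumes certutil.exe is on the PATH, that the CRL URL is a placeholder you replace with the CDP from your own certificates, and it reads the registry values Winlogon actually uses (CachedLogonsCount, default 10, 0 disables offline logon). The NextUpdate parsing assumes certutil prints dates in the machine's current locale, which [datetime]::Parse also uses.

```powershell
# Added example for this thread (not the posters' code). Run from an elevated
# PowerShell prompt on a domain member or DC. Replace $CrlUrl with the CDP URL
# taken from one of your smart card certificates (certutil -dump cert.cer).
$CrlUrl = 'http://crl.example.com/issuing.crl'   # placeholder, assumption

# --- 1. Cached logon limit ------------------------------------------------
# Winlogon keeps a cached credential verifier for this many distinct users.
# Offline smart card logon keeps working as long as the user's verifier is
# still present; 0 turns cached logon off, so a laptop with no DC cannot log on.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
              -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }    # value absent => Windows default of 10
Write-Host "CachedLogonsCount = $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'Cached logons are disabled: no DC reachable means no logon.'
}

# --- 2. CRL validity window ---------------------------------------------
# Download the published CRL the way the DC's revocation check would, then read
# ThisUpdate / NextUpdate from certutil's dump. NextUpdate is the date after
# which a cached copy is no longer acceptable; if the CDP is unreachable past
# that point, online smart card logon starts failing revocation checks.
$crlFile = Join-Path $env:TEMP 'crl-check.crl'
try {
    (New-Object System.Net.WebClient).DownloadFile($CrlUrl, $crlFile)
} catch {
    Write-Warning "CDP $CrlUrl not reachable: $($_.Exception.Message)"
    return
}

$dump = (& certutil.exe -dump $crlFile) -join "`n"
$thisUpdate = $null; $nextUpdate = $null
if ($dump -match 'ThisUpdate:\s*([^\n]+)') { $thisUpdate = [datetime]::Parse($Matches[1].Trim()) }
if ($dump -match 'NextUpdate:\s*([^\n]+)') { $nextUpdate = [datetime]::Parse($Matches[1].Trim()) }

if ($null -eq $nextUpdate) {
    Write-Warning 'Could not find NextUpdate in certutil output; is the file really a CRL?'
    return
}

$now       = Get-Date
$remaining = $nextUpdate - $now
Write-Host ("CRL ThisUpdate : {0}" -f $thisUpdate)
Write-Host ("CRL NextUpdate : {0}" -f $nextUpdate)
Write-Host ("Time remaining : {0:d\.hh\:mm}" -f $remaining)

if ($remaining.TotalSeconds -le 0) {
    Write-Warning 'The published CRL is already past NextUpdate; revocation checks will fail.'
} elseif ($remaining.TotalDays -lt 1) {
    Write-Warning 'Less than one day until NextUpdate; a new CRL must be published soon.'
}

# --- 3. What the DC currently has cached --------------------------------
# Lists the CRL URLs already in this machine's CryptoAPI URL cache, which is
# what a DC falls back to when the CDP is unreachable before NextUpdate.
& certutil.exe -urlcache crl
```

The script answers the follow-up question in the thread as well: between ThisUpdate and NextUpdate the DC can serve revocation checks from its cached copy, so a CDP outage only becomes a logon problem once NextUpdate passes without a fresh CRL having been fetched. Offline logons on the laptop never reach this code path at all; they depend only on the cached verifier count from step 1.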
 

Uljas Käki

Hi,

thanks for the quick response. By CRL lifetime, do you mean the CRL's property
"Next update", when (at the latest) the new CRL should be received? In theory,
if the CRL point is down when this specific time arrives, would this cause
trouble? Or do DCs check the CRL also before that specific time, in case it
would have been updated before the deadline?

BR, Uljas
 
