User can logon after certificate is revoked

Discussion in 'Microsoft Windows 2000 Security' started by E.M.George, Oct 22, 2003.

  1. E.M.George

    E.M.George Guest

    The problem I am running into is this:

    We have set the user to require a smart card for logon. We
    issue a smart card, and later we revoke the certificate.
    The user can still log on with the revoked certificate on
    the smart card.


    Development Environment:
    Windows 2000 Domain, latest service packs and updates
    2 x DC's
    1 Enterprise CA
    1 Enterprise Sub-CA
    5 workstations XP\2000Pro

    CRL publishing is set for 1 hour.

    What happens is that the user, even after the new CRL is
    published, can still log on using the smart card with a
    revoked certificate.

    We have even downloaded and manually installed the CRL on
    each server\workstation.

    Any help is greatly appreciated.
     
    E.M.George, Oct 22, 2003
    #1

  2. How long is the CRL valid for?
    If the DC's have the old CRL cached, they will use that until the old CRL
    expires.

    Thanks,
    Vishal[MSFT]

    --
    This posting is provided "AS IS" with no warranties, and confers no rights
    "E.M.George" <> wrote in message
    news:37a201c398d7$a52dd220$...
    > The problem I am running into is this:
    >
    > We have set the user to require a smart card for logon. We
    > issue a smart card, and later we revoke the certificate.
    > The user can still log on with the revoked certificate on
    > the smart card.
    >
    >
    > Development Environment:
    > Windows 2000 Domain, latest service packs and updates
    > 2 x DC's
    > 1 Enterprise CA
    > 1 Enterprise Sub-CA
    > 5 workstations XP\2000Pro
    >
    > CRL publishing is set for 1 hour.
    >
    > What happens is that the user, even after the new CRL is
    > published, can still log on using the smart card with a
    > revoked certificate.
    >
    > We have even downloaded and manually installed the CRL on
    > each server\workstation.
    >
    > Any help is greatly appreciated.
     
    Vishal Agarwal[MSFT], Oct 23, 2003
    #2
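
The caching behaviour described in the reply above, as an added example that is not part of the original thread: a simplified model of a relying party (such as a DC) that reuses a cached CRL until its nextUpdate time. The class and function names, the timestamps, the serial number and the one-week validity used for comparison are constructed assumptions; the thread states only the 1-hour publishing interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime   # the cached copy is trusted until this moment
    revoked: frozenset

class CrlCache:
    """Hypothetical relying party that keeps a CRL until nextUpdate passes."""
    def __init__(self, fetch):
        self._fetch = fetch   # callable(now) -> CRL currently published at the CDP
        self._cached = None

    def is_revoked(self, serial, now):
        # The CDP is contacted only when nothing is cached or the copy expired.
        if self._cached is None or now >= self._cached.next_update:
            self._cached = self._fetch(now)
        return serial in self._cached.revoked

    def flush(self):
        self._cached = None

T0 = datetime(2003, 10, 22, 8, 0)        # constructed start time
REVOKED_AT = T0 + timedelta(minutes=30)  # constructed revocation time
SERIAL = 0x1A2B                          # constructed certificate serial

def make_fetch(validity, publish_every=timedelta(hours=1)):
    """Model a CA that publishes a fresh CRL every publish_every."""
    def fetch(now):
        n = (now - T0) // publish_every          # index of the latest CRL
        this_update = T0 + n * publish_every
        revoked = frozenset({SERIAL}) if this_update >= REVOKED_AT else frozenset()
        return Crl(this_update, this_update + validity, revoked)
    return fetch

def exposure_window(validity):
    """How long the revoked certificate is still accepted after revocation."""
    cache = CrlCache(make_fetch(validity))
    cache.is_revoked(SERIAL, T0)   # a logon before revocation primes the cache
    now = REVOKED_AT
    while not cache.is_revoked(SERIAL, now):
        now += timedelta(minutes=5)
    return now - REVOKED_AT

if __name__ == "__main__":
    print("validity 1 hour :", exposure_window(timedelta(hours=1)))
    print("validity 7 days :", exposure_window(timedelta(days=7)))
```

The exposure is bounded by the validity period of the CRL that was cached before the revocation, not by how often the CA publishes.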

  3. E.M.George

    scott_thomas007

    Revocation Verification during SC logon

    Bonjour All,

    We have set up a 3rd party CA at our end and successfully performed the Smart card logon from hierarchical/sub CA. But when I revoke a certificate and publish the CRL, the client can still do SC logon. I tried to check the status of my certificate via 2 commands:

    1) certutil -urlfetch -verify certificate_name.cer

    This command shows that certificate is revoked.

    2) certutil -url certificate_name.cer

    From CDP verification I get "Verified"

    But from AIA verification I get "Revoked"

    I have tried the command on both Windows Server 2003 & 2008

    Kindly help, where is the issue?

    Best Regards

    Scott Thomas
     
    scott_thomas007, Jan 4, 2011
    #3