Smart Card Logon + CRL refresh period

Guest

Hello

We have set up a smart card logon using an external CA. It works fine.
When we revoke a certificate through the external CA, the CRL is published immediately in the Active Directory. The user can still log on for about 15 minutes or so. After that he gets a "cannot authenticate" error. If the revoked certificate (actually it was put on hold) is reinstated, then it takes another 15 minutes or so for the user to be able to log in again.
How can we force the domain controller to refresh the CRL in memory?
Or how can we delete the CRL from the cache so a fresh CRL will be fetched?
Is there a place where we can set the time that the CRL is checked during the smart card logon?

Thanks in advance

Nikolas Mihalopoulos

Paul Adare

In the microsoft.public.win2000.security news group, Nikolas wrote:
We have setup a smart card logon using an external CA. It works fine.
When we revoke a certificate through the external CA, the CRL is published immediately in the Active Directory. The user can still log on for about 15 minutes or so. After that he gets a "cannot authenticate" error. If the revoked certificate (actually it was put on hold) is reinstated, then it takes another 15 minutes or so for the user to be able to log in again.
How can we force the Domain controller to refresh the CRL in memory?
Or how can we delete the CRL from the cache so a fresh CRL will be fetched?
Is there a place where we can set the time that the CRL is checked during the smart card logon?

The short answer is no. The longer answer can be found here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp

or

http://tinyurl.com/vtgx

David Cross [MS]

Correct, the CRL will be cached until it expires. To shorten the cache
time, you need to shorten the CRL validity period, which will have the
sometimes negative side effect of more network traffic as every client downloads the
CRL, etc.

David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Paul Adare said:
In the microsoft.public.win2000.security news group, Nikolas wrote:
published immediately in the Active Directory. The user can still log on for
about 15 minutes or so. After that he gets a "cannot authenticate" error.
If the revoked certificate (actually it was put on hold) is reinstated, then
it takes another 15 minutes or so for the user to be able to log in again.
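The delay in both directions comes from the CRL's own validity window: a domain controller keeps the CRL it fetched until its nextUpdate, so neither the revocation nor the reinstatement is seen before then. As an added example (not from this thread, and not Microsoft's code), the stdlib-only Python below reads thisUpdate, nextUpdate and the revoked serials out of a DER-encoded CRL and reports what a DC holding that CRL believes, and for how long; the DER builder, the empty issuer, the unsigned 15-minute sample CRL and serial 0x1234 are all constructed here for the demonstration.

```python
import datetime as dt
def der(tag, body):                  # one DER TLV; long-form length when body >= 128 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(v):                      # INTEGER; an extra leading 0x00 keeps the value positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_utc(t):                      # UTCTime as YYMMDDhhmmssZ
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
def utc(value):                      # inverse of der_utc, applied to the raw value bytes
    return dt.datetime.strptime(value.decode(), "%y%m%d%H%M%SZ")

def tlvs(buf):                       # yield the (tag, value) pairs packed in buf
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + ln]
        i += ln

def parse_crl(crl):                  # -> (thisUpdate, nextUpdate, {serial: revocationDate})
    tbs = next(tlvs(next(tlvs(crl))[1]))[1]   # CertificateList -> its first field, TBSCertList
    fields = list(tlvs(tbs))
    if fields[0][0] == 0x02:                  # optional version INTEGER
        fields = fields[1:]
    # remaining order: signature AlgId, issuer Name, thisUpdate, nextUpdate, revokedCertificates
    this_upd, next_upd, revoked = utc(fields[2][1]), utc(fields[3][1]), {}
    if len(fields) > 4 and fields[4][0] == 0x30:
        for _, entry in tlvs(fields[4][1]):
            serial, date = list(tlvs(entry))[:2]
            revoked[int.from_bytes(serial[1], "big")] = utc(date[1])
    return this_upd, next_upd, revoked

def build_crl(this_upd, next_upd, serials):   # constructed sample: unsigned, empty issuer
    entries = b"".join(der(0x30, der_int(s) + der_utc(this_upd)) for s in serials)
    tbs = der(0x30, der(0x30, b"") + der(0x30, b"") + der_utc(this_upd) + der_utc(next_upd)
              + (der(0x30, entries) if serials else b""))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # + sigAlg + BIT STRING

def cached_view(crl, serial):        # what a DC holding this CRL believes, and for how long
    this_upd, next_upd, revoked = parse_crl(crl)
    return {"revoked": serial in revoked, "cached_until": next_upd,
            "worst_case_lag_min": int((next_upd - this_upd).total_seconds() // 60)}
PUBLISHED = dt.datetime(2003, 5, 1, 12, 0, 0)                     # constructed timestamps
SAMPLE_CRL = build_crl(PUBLISHED, PUBLISHED + dt.timedelta(minutes=15), [0x1234])
```

Feeding a real CRL exported from the CA into `parse_crl` shows the same two timestamps that bound the 15-minute lag seen in the thread; `worst_case_lag_min` is the figure that shrinks when the CRL validity period is shortened, at the cost of the extra downloads the reply mentions.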