huali
I am almost at my wit's end...

I set up a VPN server which allows only smart card users to be authenticated (using EAP-TLS). I have the VPN server, an enterprise CA (together with a backup Domain Controller) and a PDC installed on different computers. The VPN server has joined the domain.

I can use a smart card to connect to the VPN server successfully, but my problem is: when I revoke the certificate previously issued to the smart card on the CA side and publish the CRL right after, how can I see the effect immediately, i.e. the smart card user being refused to connect due to failed revocation checking?

I have tried all means, and searched all materials I can get, with no luck.

1. I understand that there is a CRL cache on the VPN server, and I deleted all the files in the Internet temporary file folder and the history file. I can guarantee that the VPN server can access all the CDPs (which contain the updated information) listed in the user certificate's CDP field. But the user can still be authenticated.

2. I set up a registry key:
   HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
   Value: StrongCRLCheck
   DataType: REG_DWORD
   and set the value to 1 or 2, but still no luck.

3. I changed the system time of the VPN server to 8 days later, which is past the effective period of the CRL. An error other than "The certificate is revoked" is presented: "0x8009030c The logon attempt failed", and when I resync the time, the user can be authenticated successfully again.

To be simple: how can I get a "The certificate is revoked" message right after the certificate is revoked, and avoid the effect of the CRL cache?

Any help will be greatly appreciated!
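An added check that is not part of the original post: run on the VPN server, it drops the CryptoAPI CRL cache, marks any in-memory CRL as stale, and re-verifies the exported smart card certificate with a forced fetch from its CDP URLs, so the verdict reflects the freshly published CRL rather than the cached copy. It assumes the user certificate was exported in DER form to C:\temp\user.cer (a hypothetical path) and that this Windows version's certutil supports the -urlcache, -setreg and -urlfetch switches.

```powershell
# Added example, not from the original post. Assumes the smart card
# certificate under test was exported as DER to $CertPath (hypothetical path).
$CertPath = 'C:\temp\user.cer'

# 1. Remove cached CRLs from the per-user URL cache and set
#    ChainCacheResyncFiletime to now, so the chain engine treats every
#    CRL it already holds in memory as stale on the next chain build.
certutil -urlcache CRL delete | Out-Null
certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null

# 2. Re-verify the certificate. -urlfetch forces retrieval from each CDP
#    URL in the certificate instead of using the cached CRL.
$report = certutil -urlfetch -verify $CertPath 2>&1

# 3. Report the revocation verdict. If nothing says "revoked", show the CRL
#    details so the NextUpdate window can be compared with the publish time.
$revokedLines = $report | Select-String -Pattern 'revoked'
if ($revokedLines) {
    Write-Output 'Certificate reported as REVOKED:'
    $revokedLines | ForEach-Object { Write-Output ('  ' + $_.Line.Trim()) }
} else {
    Write-Output 'No revocation reported. CRL details from the verification:'
    $report | Select-String -Pattern 'CRL|NextUpdate|Revocation' |
        ForEach-Object { Write-Output ('  ' + $_.Line.Trim()) }
}
```

If the forced fetch reports the certificate as revoked while the VPN logon still succeeds, the authenticating service is validating against its own earlier chain result rather than the cache this script cleared.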