Revocation error when logging onto a Win2k domain with a smartcard

Thread starter: Dave Heckford

Dave Heckford

Hi,

I'm having quite a few problems with Smartcard logon. Each time I try
to logon to certain Win2k Professional workstations I get the following
message:
"The revocation function was unable to check revocation
because the revocation server was offline"

To eliminate sites I have moved a workstation that has this problem from
one site to another but the problem persists. I have removed the
workstation from the domain and re-added it back in. No difference. So
far all I know is if you use ctrl+alt+del everything is OK but as soon
as you use a smartcard I keep getting the error message.

As far as I'm aware the CRLs are replicating around the domain
controllers fine and are updating without user intervention. If anyone
can help or suggest any ideas that I can try I'd be very grateful.

Thanks,

Dave
 
Hi Dave-

From the machine where you see this error can you reach the specified CRL?
CRLs are commonly HTTP URLs, possibly LDAP ones. If you don't recall the
specific URLs you should be able to find them by opening the Certificates
snap-in for the user or machine and opening the specific certificate.

If the certificate is one on the smartcard you may need to use software from
the manufacturer to look at the certificate fields.

The essential idea is to make sure that you can get to the CRL from that
client. Please repost and let us know if this helps.
 
In microsoft.public.win2000.security, Dave Heckford wrote:
> As far as I'm aware the CRLs are replicating around the domain
> controllers fine and are updating without user intervention. If anyone
> can help or suggest any ideas that I can try I'd be very grateful.

You'll need to describe your PKI in more detail for us here. There are a
number of requirements regarding CRLs and smart cards, and without
details of your PKI, it is going to be tough to help you out here.

In the interim, this may help somewhat:

http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

or

http://tinyurl.com/4kbmn

Also check out
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245

Although this is for 3rd party CAs, the requirements are the same for
Windows Server CAs; it is just that most of the requirements will be
taken care of for you.
 
Hi Tim,

I've tried connecting to the CRL location via Internet Explorer and
get prompted to download a file, I'm presuming this file is the CRL.
When I click save it asks for a location to save to so I tell it to go
in the Temporary Internet Files within Documents and Settings as I
believe that is the correct location for it. I'm assuming with this
action the client machine can see the CDP correctly to find the CRL.

Thanks,

Dave
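The reachability test Tim describes in the first reply (can this client fetch the CRL named in the certificate's CDP extension?) and the manual Internet Explorer download Dave tries above can be done from the affected client in one go. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the CRL Distribution Points extension out of each certificate in a store, fetches every HTTP CDP, dumps the fetched CRL's validity window with certutil (a CRL whose Next Update has passed is treated as unavailable, which produces the same "revocation server was offline" error as an unreachable one), and finally runs `certutil -verify -urlfetch`, which exercises LDAP CDPs and AIA retrieval the same way CryptoAPI does at logon. The store path `Cert:\CurrentUser\My` and the `$env:TEMP\crlcheck` output directory are assumptions; for a smartcard certificate the card has to be inserted so that the certificate is propagated into the user's store.

```powershell
# Added example (not from the thread): check CRL reachability and validity for
# the logon certificate(s) from the client that shows the revocation error.
# Assumes Windows PowerShell 5.1 or later and certutil.exe (ships with Windows).
# StorePath and OutDir are assumed defaults; override them as needed.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My',
    [string]$OutDir    = (Join-Path $env:TEMP 'crlcheck')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pull the CRL Distribution Points extension (OID 2.5.29.31) out of a cert.
# Format($true) renders it as multi-line text containing "URL=..." entries.
function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($cert in Get-ChildItem $StorePath) {
    Write-Host "== $($cert.Subject) (expires $($cert.NotAfter))"
    $urls = @(Get-CdpUrls -Cert $cert)
    if ($urls.Count -eq 0) { Write-Host '   no CDP extension'; continue }

    foreach ($url in $urls) {
        # Only HTTP(S) CDPs are fetched here; LDAP CDPs are exercised by the
        # certutil -verify -urlfetch call further down.
        if ($url -notmatch '^https?://') { Write-Host "   skipping $url (handled by certutil)"; continue }
        $file = Join-Path $OutDir (($url -split '/')[-1])
        try {
            Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -TimeoutSec 15
            # certutil -dump prints the CRL's ThisUpdate / NextUpdate timestamps;
            # if NextUpdate is in the past, CryptoAPI rejects the CRL as stale.
            $dump = certutil -dump $file | Select-String 'this ?update|next ?update'
            Write-Host "   OK   $url"
            $dump | ForEach-Object { Write-Host "        $($_.Line.Trim())" }
        } catch {
            Write-Host "   FAIL $url : $($_.Exception.Message)"
        }
    }

    # Full chain build with revocation checking the way CryptoAPI does it at
    # logon (HTTP and LDAP CDPs, AIA retrieval). Look for the "Revocation check"
    # lines; the offline-server message from the original post shows up here.
    $cerFile = Join-Path $OutDir "$($cert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($cerFile, $cert.RawData)
    certutil -verify -urlfetch $cerFile | Select-String 'Revocation|Error|Failed'
}
```

Run it as the logging-on user on the workstation that fails, not on a domain controller: the point of the check is whether this client, from its site, can retrieve a current CRL for the smartcard certificate and every CA in its chain. A download that succeeds in Internet Explorer but a `-urlfetch` that still reports the revocation server offline usually points at an LDAP-only CDP the client cannot reach, or at a CRL that was fetched but is past its Next Update.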
 