Smart Card Logon + CRL refresh period

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello

We have setup a smart card logon using an external CA. It works fine
When we revoke a certificate through the external CA the CRL is published immediately in the Active Directory. The user can still logon for about 15 minutes or so. After that he gets a "can not authenticate error". If the revoke certificate (actually it was put on hold) is reinstated then it takes another 15 minutes or so for the user to be able to login again
How can we force the Domain controller to refresh the CRL in memory?
Or how can we delete the CRL from the cache so a fresh CRL will be fetched
Is there a place where we can set the time that the CRL is checked during the smart card logon

Thanks in advance

Nikolas Mihalopoulos
 
microsoft.public.win2000.security news group, =?Utf-8?B?Tmlrb2xhcw==?=
We have setup a smart card logon using an external CA. It works fine.
When we revoke a certificate through the external CA the CRL is published immediately in the Active Directory. The user can still logon for about 15 minutes or so. After that he gets a "can not authenticate error". If the revoke certificate (actually it was put on hold) is reinstated then it takes another 15 minutes or so for the user to be able to login again.
How can we force the Domain controller to refresh the CRL in memory?
Or how can we delete the CRL from the cache so a fresh CRL will be fetched?
Is there a place where we can set the time that the CRL is checked during the smart card logon?
Click to expand...

The short answer is no. The longer answer can be found here:

http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp

or

http://tinyurl.com/vtgx
 
correct, the CRL will be cached until it expires. to shortne the cache
time, you need to shorten the CRL validity period which will have the
sometimes negative side effect of more network as every client downloads the
CRL, etc.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Paul Adare said:
microsoft.public.win2000.security news group, =?Utf-8?B?Tmlrb2xhcw==?=
Click to expand...
published immediately in the Active Directory. The user can still logon for
about 15 minutes or so. After that he gets a "can not authenticate error".
If the revoke certificate (actually it was put on hold) is reinstated then
it takes another 15 minutes or so for the user to be able to login again.
 
Back
Top