AD PKI question

 
 
Frédéric ESNOUF (ISA MVP)

 
02-19-2006, 03:25 PM
Hi guys,

I have a scenario where a user authenticates to AD with a certificate. This
certificate was issued by Microsoft Certificate server (integrated with AD)
and so this certificate is on the smartcard and in the user object.

This works great, except when the admin wants to revoke the
certificate.

After the revocation, the admin forces the revocation list, and this list
contains the user certificate.

If the user attempts to authenticate it works fine. If we wait 24 hours,
then the user cannot authenticate.

So I assume that the DCs will not download the new CRL file more than once
per day.

Do you know where I can ask my DCs to do it more frequently?

Thanks for your help.

Regards

--

Frédéric ESNOUF (MCSE - ISA MVP)
Email : (E-Mail Removed)
Visit ISAServerFR.org
You plan to implement Quarantine on ISA 2004 ?
Check this : http://www.esnouf.net/qss_main.htm
Download QSS, learn with videos and screenshots...
Buy my book online : www.esnouf.net, and click the Amazon link.


 
Ace Fekay [MVP]

 
02-20-2006, 01:00 AM
In news:(E-Mail Removed),
Frédéric ESNOUF (ISA MVP) <(E-Mail Removed)> stated, which I commented on
below:
> Hi guys,
>
> I have a scenario where a user authenticates to AD with a
> certificate. This certificate was issued by Microsoft Certificate
> server (integrated with AD) and so, this certificate is on the
> smartcard and in the user object.
> This works great, except when the admin wants to revoke the
> certificate.
>
> After the revocation, the admin forces the revocation list, and this
> list contains the user certificate.
>
> If the user attempts to authenticate it works fine. If we wait 24
> hours, then the user cannot authenticate.
>
> So I assume that the DCs will not download the new CRL file more than
> once per day.
>
> Do you know where I can ask my DCs to do it more frequently?
>
> Thanks for your help.
>
> Regards


You can go into the CA's properties and change the CRL update frequency.

Did you know there's a specific group for PKI? It's a great group with
specific expert help. Any future questions, I would suggest to try there.

microsoft.public.security.crypto

:-)

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.
===========================


 
 
Frédéric ESNOUF (ISA MVP)

 
02-21-2006, 06:55 AM
Hi Ace,

I will post my question to this group.

For your info, my problem is not to generate the new CRL... but the fact
that the DCs don't check this CRL at each authentication. It seems that they
download it every X hours (around 24) and "cache" it, so they don't see that a
certificate is revoked between 2 downloads.

Thanks again.

Regards

--

Frédéric ESNOUF (MCSE - ISA MVP)
Email : (E-Mail Removed)
Visit ISAServerFR.org
You plan to implement Quarantine on ISA 2004 ?
Check this : http://www.esnouf.net/qss_main.htm
Download QSS, learn with videos and screenshots...
Buy my book online : www.esnouf.net, and click the Amazon link.
"Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com>
wrote in message news:(E-Mail Removed)...
> In news:(E-Mail Removed),
> Frédéric ESNOUF (ISA MVP) <(E-Mail Removed)> stated, which I commented
> on below:
>> Hi guys,
>>
>> I have a scenario where a user authenticates to AD with a
>> certificate. This certificate was issued by Microsoft Certificate
>> server (integrated with AD) and so, this certificate is on the
>> smartcard and in the user object.
>> This works great, except when the admin wants to revoke the
>> certificate.
>>
>> After the revocation, the admin forces the revocation list, and this
>> list contains the user certificate.
>>
>> If the user attempts to authenticate it works fine. If we wait 24
>> hours, then the user cannot authenticate.
>>
>> So I assume that the DCs will not download the new CRL file more than
>> once per day.
>>
>> Do you know where I can ask my DCs to do it more frequently?
>>
>> Thanks for your help.
>>
>> Regards

>
> You can go into the CA's properties and change the CRL update frequency.
>
> Did you know there's a specific group for PKI? It's a great group with
> specific expert help. Any future questions, I would suggest to try there.
>
> microsoft.public.security.crypto
>
> :-)
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Having difficulty reading or finding responses to your post?
> Instead of the website you're using, I suggest to use OEx (Outlook Express
> or any other newsreader), and configure a news account, pointing to
> news.microsoft.com. This is a direct link to the Microsoft Public
> Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows
> you to easily find, track threads, cross-post, sort by date, poster's
> name, watched threads or subject.
>
> Not sure how? It's easy:
> How to Configure OEx for Internet News
> http://support.microsoft.com/?id=171164
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Windows Server Directory Services
> Microsoft Certified Trainer
> Assimilation Imminent. Resistance is Futile.
> Infinite Diversities in Infinite Combinations.
>
> The only thing in life is change. Anything more is a blackhole consuming
> unnecessary energy.
> ===========================
>



 
 
Ace Fekay [MVP]

 
02-21-2006, 11:45 AM
In news:(E-Mail Removed),
Frédéric ESNOUF (ISA MVP) <(E-Mail Removed)> stated, which I commented on
below:
> Hi Ace,
>
> I will post my question to this group.
>
> For your info, my problem is not to generate the new CRL... but the
> fact that the DCs don't check this CRL at each authentication. It
> seems that they download it every X hours (around 24) and "cache" it,
> so they don't see that a certificate is revoked between 2 downloads.
>
> Thanks again.
>
> Regards


As far as I know, if it was just revoked, the DCs won't see it until the
next publication period which by default, if I remember correctly, is 24
hours.

Check with that group and see if it helps.

Ace
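One way to apply Ace's advice from the CA side and to see the caching window Frédéric describes, as an added example that is not from this thread: steps 1 to 3 run on the CA as a CA administrator, step 4 on a DC; `<CAName>` and the CRL file path are placeholders.

```powershell
# Added example, not from the thread. <CAName> and the CRL path are placeholders.

# 1. Current base CRL publication interval. CryptoAPI on the DC keeps a
#    downloaded CRL in its cache until that CRL's NextUpdate, so a revocation
#    published between two fetches is not seen until the cached copy expires.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 2. Shorten the interval (same setting as CA properties > Revoked
#    Certificates > CRL Publishing Parameters). Takes effect after the
#    Certificate Services service restarts.
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Hours"
Restart-Service certsvc

# 3. Publish a new base CRL now and read back its validity window: the
#    NextUpdate shown is the latest moment a DC keeps using its old copy.
certutil -CRL
certutil -dump "C:\Windows\System32\CertSrv\CertEnroll\<CAName>.crl" |
    Select-String -Pattern 'ThisUpdate', 'NextUpdate'

# 4. On the DC: list the cached CRLs, then flush them so the next smart card
#    logon fetches the freshly published CRL instead of waiting for expiry.
certutil -urlcache crl
certutil -urlcache crl delete
```

The DC fetches the CRL from the CDP locations configured on the CA (for an AD-integrated CA normally the LDAP location), not from the local file shown in step 3, so confirm the new CRL has reached those locations before flushing the cache.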


 