Re: forced CRL refresh/update with EAP-TLS


anonymous_at_discussions.microsoft.com
Date: 02/20/04


Date: Thu, 19 Feb 2004 17:34:06 -0800

My understanding of CRL processing is that any application
calls CryptoAPI for CRL processing, and that the CA
software makes CRL information available for CRL
processing as applications so request.

The URL from the MSFT site I posted previously included
the words "it is also possible to store a local copy of the
CRL on the IAS server" - which would not seem consistent
with your comment of IAS not storing anything.

It does not make sense to me that IAS would store anything
either. It does however make sense that the CryptoAPI
processing that IAS does call could in fact store or cache
the CRL - much in the same way that IIS does. (see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;289749
for a discussion about CRL caching and IIS).

How can I force a flush or ensure that the CRL DP in the
cert. is "freshly" retrieved - as opposed to a potentially
stale one inside CryptoAPI - so that IAS will block
someone?

Thanks....

I suggest that IAS needs to make the correct sort of
CryptoAPI calls.
>-----Original Message-----
>The storage of the local CRL has nothing to do with IAS.
>IAS does NOT store anything, the PKI infrastructure does that, IAS is just a
>consumer of that
>
>
>--
>===========================================================
>This posting is provided "AS IS" with no warranties and confers no rights
>===========================================================
>
>
>"Paul" <anonymous@discussions.microsoft.com> wrote in message
>news:d91c01c3f038$25d58190$a101280a@phx.gbl...
>> I am familiar with CRL DP...but many products have a way
>> to have some "control" on caching this so that CRL
>> retrieval does not become an authentication throttle due to
>> CRL retrieval - especially if the CRL DP has not changed.
>>
>> The information at URL
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/deploy/ed80211.asp
>> would imply that IAS does indeed store a CRL (see the following).
>>
>> "By default the IAS server uses the CRL distribution
>> points in the certificates. However, it is also possible
>> to store a local copy of the CRL on the IAS server. In
>> this case, the local CRL is used during certificate
>> revocation checking. If a new CRL is manually published to
>> the Active Directory, the local CRL on the IAS server is
>> not updated. The local CRL is updated when it expires.
>> This can create a situation wherein a certificate is
>> revoked, the CRL is manually published, but the IAS server
>> still allows the connection because the local CRL has not
>> yet been updated."
>>
>> Which seems to imply both are possible.
>> >-----Original Message-----
>> >IAS does not store CRL. Each client certificate has a CRL
>> >distribution point, which is a URL link that publishes the CRL for
>> >that cert. IAS goes to that site to check the client cert's revocation.
>> >
>> >--
>> >=========================================================
>> >This post is provided AS IS with no warranties, and confers no rights
>> >=========================================================
>> >
>> >
>> >"Paul" <anonymous@discussions.microsoft.com> wrote in message
>> >news:e1fa01c3f027$e8199f90$a401280a@phx.gbl...
>> >> Short of waiting until W2K or W2K3 IAS has detected that
>> >> the CRL has expired - and therefore retrieved a new one,
>> >> how can the CRL stored by IAS be updated (or deleted to
>> >> force a read/refresh)?
>> >
>> >
>
>
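The check an operator would run on the IAS server to answer the question above, added here as an example and not part of the original thread: it lists the CRLs CryptoAPI holds in its local URL cache, optionally clears them, and then re-validates a client certificate with a forced fetch so the verdict reflects the CRL currently published at the CDP, not a cached copy. The certificate path, the Flush switch and the output patterns matched in step 5 are assumptions; the certutil switches themselves (-urlcache, -verify -urlfetch) are standard.

```powershell
# Added example: inspect and flush the CryptoAPI CRL cache on the machine that
# performs the EAP-TLS revocation check (the IAS server), then verify a client
# certificate with a forced, fresh retrieval from its CRL distribution point.
#
# Caveat: the URL cache is kept per security context. IAS runs as a service, so
# run this in that service's context (for example as SYSTEM) rather than as the
# logged-on administrator, or you will inspect and clear the wrong cache.

param(
    [Parameter(Mandatory = $true)]
    [string]$ClientCertPath,   # assumed: .cer exported from the client being tested
    [switch]$Flush             # assumed: clear every cached CRL before verifying
)

# 1. Show what CryptoAPI currently has cached for CRLs (URL and retrieval time).
Write-Host "== Cached CRL entries before =="
certutil -urlcache crl

# 2. Optionally drop the cached CRLs so the next chain build must go back to
#    the CDP instead of reusing a copy that may predate the revocation.
if ($Flush) {
    certutil -urlcache crl delete | Out-Null
    Write-Host "== CRL cache cleared =="
}

# 3. Build and validate the chain with -urlfetch, which makes CryptoAPI
#    retrieve the AIA/CDP objects rather than rely on cached copies.
$output = certutil -verify -urlfetch $ClientCertPath 2>&1 | Out-String

# 4. Show the cache again: a fresh timestamp confirms the CRL was re-fetched.
Write-Host "== Cached CRL entries after =="
certutil -urlcache crl

# 5. Reduce the verbose output to the decision an operator cares about.
#    Assumed patterns: certutil reports a revoked leaf with "REVOKED" and a
#    clean check with "revocation check passed" (-match is case-insensitive).
$revoked = $output -match 'REVOKED'
$crlOk   = $output -match 'revocation check passed'
$status  = 'inconclusive'
if ($revoked)    { $status = 'revoked' }
elseif ($crlOk)  { $status = 'passed' }

[pscustomobject]@{
    Certificate     = $ClientCertPath
    Revoked         = [bool]$revoked
    RevocationCheck = $status
}
```

If the verdict is still "passed" for a certificate you know is revoked, compare the CRL number or ThisUpdate of the copy at the CDP with the cached entry: a CRL that was republished before its NextUpdate will not replace the cached one until the cache expires or is cleared.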


