RE: RADIUS IAS CRL CHECK


"powersnakop@xxxxxxxxx" wrote:

We revoked a computer certification, and published a new crl with this
cert. in the revocation list.
However, when the workstation is turned on, it can establish a
connection to the network.
It seems that the IAS ignores the CRL (or doesn't check CRL at all).

We know that the IAS will ignore a new CRL until the old one has
expired, so we waited until the old CRL expired, and then ran the
check.

Moreover, we added to the registry the dword "IgnoreNoRevocationCheck"
and set its value to 0. It still doesn't help.

If we put the workstation's certification in the 'Untrusted
certificates' in the DC, we do get an error of "The certificate is
revoked", yet it was only a test and definitely not a solution.
My question is, how should we tell the IAS to check the new CRL, and
verify the workstations' certificates?
We have the IAS installed on two Domain controllers.


Hello, I think your problem is that you are not being patient; the same
thing happened to me. Let me explain: the publication period of a CRL is set
by the administrator of the certification authority. However, the validity
period of the CRL is extended beyond the publication period to allow for
Active Directory replication. By default, Certificate Services extends the
publication period by 10% (up to a maximum of 12 hours) to establish the
validity period. So, for example, if a certification authority publishes a
CRL every 24 hours, the validity period is set to 26.4 hours.
In addition, there is a clock skew of 10 more minutes that is added to the
validity period at either end of the publication period, so a CRL will be
valid 10 minutes before the start of its publication period to allow for any
variation in the computer's clock settings.

I hope this helps.
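An added example, not part of the original thread: the validity window described in the reply, and the latest moment a server that keeps its cached CRL until expiry would start rejecting a revoked certificate. The function names, the sample dates, and the choice to add the 10-minute skew on top of the 10% extension are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Defaults as described in the reply above.
MAX_OVERLAP = timedelta(hours=12)    # cap on the 10% extension
CLOCK_SKEW = timedelta(minutes=10)   # added at each end of the window


def crl_window(published, period):
    """Return (this_update, next_update, overlap) for a CRL published at `published`."""
    overlap = min(period / 10, MAX_OVERLAP)
    this_update = published - CLOCK_SKEW
    # Assumption: the skew is added on top of period + overlap.
    next_update = published + period + overlap + CLOCK_SKEW
    return this_update, next_update, overlap


def worst_case_enforcement(revoked_at, first_publish, period):
    """Expiry time of the last CRL published before the revocation.

    Assumption (taken from the question in this thread): the server keeps
    using its cached CRL until that CRL expires, even when a newer CRL
    listing the certificate has already been published.
    """
    if revoked_at < first_publish:
        raise ValueError("revocation precedes the first CRL publication")
    cycles = (revoked_at - first_publish) // period
    cached_published = first_publish + cycles * period
    _, next_update, _ = crl_window(cached_published, period)
    return next_update


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 0, 0)     # constructed sample values
    revoked = datetime(2024, 1, 1, 9, 0)
    for period in (timedelta(hours=24), timedelta(days=7)):
        this_u, next_u, overlap = crl_window(start, period)
        enforce = worst_case_enforcement(revoked, start, period)
        print(f"period={period} overlap={overlap} valid {this_u} .. {next_u}")
        print(f"  revoked {revoked}, cached CRL honoured until {enforce} "
              f"(delay {enforce - revoked})")
```

With a weekly publication period the 10% extension hits the 12-hour cap, so the cached CRL in the sample run stays usable for more than a week after the revocation.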


