Re: TLS not accepting CRL
- From: "MichaelW - Melb.Aus." <MichaelWMelbAus@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Aug 2005 16:07:03 -0700
Thanks for your prompt response - I had looked at that document (one of many).
I am a little confused however.
Isn't the whole purpose of using TLS for client authentication? (We already
have encryption with RDP/TS.) In essence, from what I read, the TS will
not check the CRL before establishing a TLS session.
In my eyes that seems to go against the whole being of a Trusted environment.
Am I reading this all wrong, or does TS truly not care about the CRL of a CA?
The way I read it:
I have a user on my network working from home - I allocate them a cert and
the msrdp52.msi and tell them to log on... fine! (That works)
However, that person leaves my company. I can't force them to delete the
file. I can force them to delete their certificate. I can't force them to
even update the CRL from the CA.... but I CAN revoke their certificate -
meaning: their certificate is no longer trusted.
I would have thought that when a client establishes a TLS session to the
Terminal Server - it would check the certificate, then check the CRL to see
if that certificate is revoked...
Apparently this is not the case....
Does anyone not find that weird?!
Maybe I am doing something wrong?! Has anyone actually got a certificate to
revoke and stop TLS sessions?
I'll keep digging - this can't be a design flaw.
Once again, Vera, despite my frustrations - I appreciate your response.
"Vera Noest [MVP]" wrote:
> I have not used TLS myself, but this article seems to describe what
> you see: it is the certificate on the server which is checked, not
> on the client.
>
> 895433 - How to configure a Windows Server 2003 terminal server to
> use TLS for server authentication
> http://support.microsoft.com/?kbid=895433
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "MichaelW - Melb.Aus." <MichaelW -
> Melb.Aus.@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 22 Aug 2005 in
> microsoft.public.windows.terminal_services:
>
> > Maybe I have all of this wrong..
> > Network:
> > Windows2003 w/ Terminal Services
> > Windows 2000 w/ Certificate Services (legacy - due to be
> > upgraded but not slated for >months)
> > XP w/ TSClient 2.5+
> >
> > I have the server and workstation communicating with each other
> > when I use TLS.
> > When I revoke the certificate (and check that the certificate is
> > revoked) - the client still connects.
> >
> > Does the TLS on the terminal server actually check the
> > revocation of the certificate? I have checked the local cert
> > profile, and find the revocation listed (with my revoked
> > certificate) - but I can still connect.
> >
> > Have I got this wrong? from what I see, the TLS is looking to
> > see if the SERVER's certificate is valid (and doesn't care less
> > if mine - the client's - is or not).
> >
> > What I am trying to design is a way that I can roll out client
> > connections to many of our users "home" machines - without
> > having to install software.
> >
> > As a side point - I see from one of the threads, that tsweb
> > doesn't seem to support tls... any idea if that will ever
> > change? Really nice way to publish a terminalserver!
> >
> > Thanks in advance.
>
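The check the poster expected the Terminal Server to perform (build the client certificate's chain, then consult the CA's CRL) can be reproduced from the command line, which is useful for confirming that the revocation is actually visible to Windows before blaming the TLS listener. The script below is an added illustration for this thread, not code from the original post or from Microsoft; it uses the .NET X509Chain class via PowerShell (which did not yet ship with Windows Server 2003), and the certificate path C:\temp\client.cer is an assumed placeholder for an exported copy of the client certificate.

```powershell
# Added example (not from the thread): build the chain for a certificate with
# revocation checking forced on, the way a server doing TLS *client*
# authentication would have to, and report whether the CRL marks it revoked.
# Assumed input path; replace with an exported copy of the client certificate.
param([string]$CertPath = 'C:\temp\client.cer')

$ns = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" $CertPath

function Test-CertRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Mode   # 'NoCheck' reproduces what the poster observed; 'Online' consults the CRL
    )
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::$Mode
    # Check every certificate in the chain, not only the leaf.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # NoFlag = fail closed: an unreachable CRL is an error, not a pass.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Without revocation checking a revoked certificate still "verifies";
# with it, Build() fails and ChainStatus contains 'Revoked'
# (or 'RevocationStatusUnknown'/'OfflineRevocation' if the CRL could not be fetched).
Test-CertRevocation -Certificate $cert -Mode NoCheck
Test-CertRevocation -Certificate $cert -Mode Online
```

Two caveats a practitioner would want: first, CryptoAPI caches CRLs until their NextUpdate time, so a certificate revoked five minutes ago can keep verifying on a machine that already holds the previous CRL; `certutil -urlcache crl delete` clears that cache for testing. Second, this script only shows whether Windows *can* see the revocation; it says nothing about whether a given TLS endpoint actually asks for a client certificate and enables revocation checking, which is exactly the question the thread is about.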
- Follow-Ups:
- Re: TLS not accepting CRL
- From: Alex Balcanquall [MSFT]
- Re: TLS not accepting CRL
- From: Vera Noest [MVP]
- Re: TLS not accepting CRL
- References:
- TLS not accepting CRL
- From: MichaelW - Melb.Aus.
- Re: TLS not accepting CRL
- From: Vera Noest [MVP]
- TLS not accepting CRL