NPS CRL Checks Server 2008 R2
-
Thursday, February 21, 2013 9:44 AM
I am using cert authentication for a wireless network.
The clients have computer certs, and NPS is set to: Microsoft: Smart Card or other certificate.
Authentication works.
My problem is with cert revocation.
I revoke a cert and publish the list, but the NPS still allows authentication.
I suspect this has to do with some registry settings I found here:
http://technet.microsoft.com/en-us/library/cc771995(v=ws.10).aspx
Of the 4 settings in the above link, I have only NoRootRevocationCheck set to 1;
the others are missing.
Is this the default, or has someone/something deleted the settings?
- Edited by YakovB Thursday, February 21, 2013 11:27 AM
All Replies
-
Thursday, February 21, 2013 12:58 PM
This is because NPS uses a cached CRL and will use it until the cached CRL expires. To disable logon for a user account, you have to disable it in Active Directory.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
- Marked As Answer by YakovB Thursday, February 21, 2013 8:27 PM
-
Thursday, February 21, 2013 1:27 PM
If I try "certutil -urlcache * delete" on the NPS,
would this not force the NPS to renew the CRL and then block the client?
-
Thursday, February 21, 2013 2:14 PM
Not always. Revocation is not an immediate measure. If you want to block a particular user from logging on to the network, you have to disable its account first.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
-
Thursday, February 21, 2013 8:29 PM
Hmmm...
We are using computer certs, so disabling a computer account just because I want to block access to the wireless network is a bit drastic.
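The two questions in this thread (which of the four revocation registry values exist on the NPS, and whether the NPS is still working from a cached CRL) can be answered from one elevated PowerShell session on the NPS server. The script below is an added example and is not code from the thread or from any of the posters. It assumes the values live under the EAP type 13 (EAP-TLS) key given in the TechNet article the question links to, that the three names besides NoRootRevocationCheck are the ones that article lists (only NoRootRevocationCheck appears in the thread itself), and that an absent value behaves as 0, i.e. the check is enforced. The CDP URL and serial number in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Audits the EAP-TLS revocation registry values NPS honours
# and checks a published CRL for a revoked serial and its NextUpdate (when a cached copy expires).
# Assumptions: values live under the EAP type 13 key below, per the TechNet article linked in the
# question; NoRootRevocationCheck is the only name the thread mentions, the other three are taken
# from that article; an absent value behaves as 0 (check enforced).
# Run elevated on the NPS server; PowerShell 2.0 (the 2008 R2 default) is enough.

$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# Name -> what setting the value to 1 does.
$RevocationValues = @(
    @{ Name = 'IgnoreNoRevocationCheck'; Effect = 'accept a client cert whose chain carries no revocation information' }
    @{ Name = 'IgnoreRevocationOffline'; Effect = 'accept a client cert when the CRL cannot be retrieved' }
    @{ Name = 'NoRevocationCheck';       Effect = 'skip revocation checking of the client cert entirely' }
    @{ Name = 'NoRootRevocationCheck';   Effect = 'skip revocation checking of the root CA cert only' }
)

function Get-EapTlsRevocationSetting {
    # One object per value: whether it exists, its data, and whether it weakens checking (non-zero).
    $key = Get-ItemProperty -Path $EapTlsKey -ErrorAction SilentlyContinue
    foreach ($v in $RevocationValues) {
        $present = ($key -ne $null) -and ($key.PSObject.Properties[$v.Name] -ne $null)
        $data = 0                                  # absent = 0 (assumption, see header comment)
        if ($present) { $data = [int]$key.($v.Name) }
        New-Object PSObject -Property @{
            Name = $v.Name; Present = $present; Value = $data; Weakened = ($data -ne 0); Effect = $v.Effect
        }
    }
}

function Test-CrlSerial {
    # Dumps a CRL with certutil and reports its NextUpdate plus whether SerialNumber is listed.
    # Passing the CDP URL fetches a fresh copy over HTTP, bypassing whatever this profile has cached.
    param(
        [Parameter(Mandatory = $true)][string]$CrlPath,       # local .crl file or http(s) CDP URL
        [Parameter(Mandatory = $true)][string]$SerialNumber   # hex, as shown in the CA console
    )
    if ($CrlPath -match '^https?://') {
        $tmp = Join-Path $env:TEMP 'published-check.crl'
        (New-Object System.Net.WebClient).DownloadFile($CrlPath, $tmp)
        $CrlPath = $tmp
    }
    $dump = & certutil.exe -dump $CrlPath
    $wanted = ($SerialNumber -replace '[^0-9a-fA-F]', '').ToLower()
    $nextUpdate = $null
    $listed = $false
    foreach ($line in $dump) {
        if ($line -match '^\s*Next\s?Update:\s*(.+?)\s*$') {
            $nextUpdate = $matches[1]
        }
        elseif ($line -match '^\s*Serial Number:\s*([0-9a-fA-F\s]+?)\s*$') {
            if ((($matches[1] -replace '\s', '').ToLower()) -eq $wanted) { $listed = $true }
        }
    }
    New-Object PSObject -Property @{ Crl = $CrlPath; NextUpdate = $nextUpdate; SerialListed = $listed }
}

# Usage (replace the URL and serial with your CA's CDP and the revoked cert's serial number):
Get-EapTlsRevocationSetting | Format-Table Name, Present, Value, Weakened, Effect -AutoSize
# Test-CrlSerial -CrlPath 'http://pki.example.com/CertEnroll/Corp-CA.crl' -SerialNumber '1a2b3c4d'
# certutil -urlcache CRL        # CRL URLs cached for the profile running this command
```

Reading the output: with only NoRootRevocationCheck present and set to 1, client certificate revocation is still checked, since that value only exempts the root CA certificate, so the missing values are consistent with the article's defaults rather than with something having been deleted. If Test-CrlSerial reports SerialListed = True for the freshly fetched CRL while NPS still admits the client, the server is working from an older cached copy, and the cached copy's NextUpdate is the point at which it will refresh on its own. To my knowledge the CryptnetUrlCache that "certutil -urlcache * delete" clears is per user profile, so running it in an administrator's session does not necessarily clear the copy the NPS service is using; verify that on your own build before relying on it.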