Thursday, February 21, 2013 9:44 AM
I am using cert authentication for a wireless network.
The clients have computer certs and NPS is set to: Microsoft: Smart Card or other certificate.
My problem is with cert revocation.
I revoke a cert and publish the list, but still NPS allows authentication.
I suspect this has to do with some registry settings I found here.
Of the 4 settings in the above link,
I have only NoRootRevocationCheck set to 1;
the others are missing.
Is this the default, or has someone/something deleted the settings?
- Edited by YakovB Thursday, February 21, 2013 11:27 AM
Thursday, February 21, 2013 12:58 PM
This is because NPS uses a cached CRL and will use it until the cached CRL expires. To disable logon for a user account you have to disable it in Active Directory.
- Marked As Answer by YakovB Thursday, February 21, 2013 8:27 PM
Thursday, February 21, 2013 1:27 PM
If I try "certutil -urlcache * delete" on the NPS,
would this not force NPS to renew the CRL and then block the client?
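For the two questions above (which of the EAP-TLS revocation values are present, and what the CRL cache currently holds), here is an added PowerShell audit script; it is not from this thread or from Microsoft. The registry key path and the four value names are taken from Microsoft's EAP-TLS documentation rather than from the thread, and the script assumes it is run in an elevated session on the NPS server.

```powershell
# Added example (not from the thread): audit the NPS EAP-TLS revocation-check
# registry values and list cached CRLs. Key path and value names come from
# Microsoft's EAP-TLS documentation (assumed correct for this NPS version).
$eapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# Effect of each DWORD when it is set to 1. When a value is absent, Windows
# behaves as if it were 0, i.e. the corresponding check is performed (default).
$revocationValues = [ordered]@{
    NoRevocationCheck       = 'client certificate revocation is not checked at all'
    NoRootRevocationCheck   = 'root CA certificate revocation is not checked'
    IgnoreNoRevocationCheck = 'client accepted even if the chain could not be revocation-checked'
    IgnoreRevocationOffline = 'client accepted even if the CRL distribution point is unreachable'
}

function Get-EapTlsRevocationConfig {
    foreach ($name in $revocationValues.Keys) {
        # -ErrorAction SilentlyContinue turns a missing value into $null
        $item  = Get-ItemProperty -Path $eapTlsKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { $item.$name }
        [pscustomobject]@{
            Setting = $name
            Value   = if ($null -eq $value) { '(absent, default 0)' } else { $value }
            Effect  = if ($value -eq 1) { $revocationValues[$name] } else { 'check performed (default)' }
        }
    }
}

# NPS keeps using a cached CRL until it expires, so show which CRLs are cached
# for the account running this script (certutil's CRL-only URL cache listing).
function Get-CachedCrlEntries {
    certutil -urlcache crl
}

Get-EapTlsRevocationConfig | Format-Table -AutoSize
Get-CachedCrlEntries
```

A setting that is absent is the default, so only values explicitly set to 1 weaken revocation checking; the cache listing shows the CRL copies NPS may still be trusting until their next-update time.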
Thursday, February 21, 2013 2:14 PM
Not always. Revocation is not an immediate measure. If you want to block a particular user from logging on to the network, you have to disable its account first.
Thursday, February 21, 2013 8:29 PM
We are using computer certs, so disabling a computer account just because I want to block access to the wireless network is a bit drastic.