MIM CM - Smart card disabled but user can still login

  • Question

  • Hello, I have a Gemalto smart card that, according to the MIM CM portal, is disabled and the certificate revoked (see screen print). However, we are still able to log on to numerous network-attached Windows 7 workstations with the card. This is obviously not the expected behavior since the card is disabled and the certificate revoked.

    Is there some type of pause between when MIM disables the card vs. when the CA (AD CS) sees that the cert is revoked? If there is a pause, how can we reduce this time to make it immediate? The bottom line is that we want to disable the card and immediately prevent the user from being able to log on with it.

    Friday, November 11, 2016 5:16 PM

All replies

  • FIM_Admin I would check the status of the certificate at the CA. Also check if your CRL was updated with the revoked status of the cert. Once CM revokes it on the CA, it is up to the CA to publish the revocation for computers/domain controllers.

    • Proposed as answer by Natty976 Monday, November 14, 2016 11:44 AM
    Saturday, November 12, 2016 5:55 PM
  • Depending on the CA configuration for CRL and delta CRL issuance, it might be that the cert on the card will still be valid for some time. Also, there might be applications which are configured not to check CRLs, which would be a security black hole, but I have stumbled on them...

    In a nutshell, if you checked authentication immediately after disabling the card, it is not odd that the smart card still works...

    Monday, November 14, 2016 11:48 AM
  • Thanks to both of you for your answers.  I will take a look at the CRL settings.

    Monday, November 14, 2016 1:58 PM
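
Added example, not part of the thread and not Microsoft's code: a simplified Python model of the delay the replies describe, where the CA records a revocation at once but relying parties keep accepting the card until they fetch a CRL that lists it. The class names, the serial number, the 8-hour publication period and the 1-hour overlap are all constructed assumptions.

```python
from datetime import datetime, timedelta

SERIAL = "61000000000a"  # constructed serial number of the card's logon certificate

class CA:
    """Records revocations at once, but relying parties only see published CRLs."""
    def __init__(self, start, period, overlap):
        self.period, self.overlap = period, overlap
        self.revoked = {}                       # serial -> time revoked in the CA database
        self.next_scheduled = start + period
        self.publish(start)

    def publish(self, now):
        serials = frozenset(s for s, t in self.revoked.items() if t <= now)
        # CRL modelled as (thisUpdate, nextUpdate, revoked serials)
        self.current = (now, now + self.period + self.overlap, serials)

    def latest(self, now):
        while self.next_scheduled <= now:       # run every scheduled publication that is due
            self.publish(self.next_scheduled)
            self.next_scheduled += self.period
        return self.current

class RelyingParty:
    """Domain controller or workstation that caches a CRL until its nextUpdate."""
    def __init__(self, ca):
        self.ca, self.cache = ca, None

    def logon_allowed(self, serial, now):
        if self.cache is None or now >= self.cache[1]:
            self.cache = self.ca.latest(now)    # fetch only when nothing valid is cached
        return serial not in self.cache[2]

def timeline(force_publish=False, flush_cache=False):
    """Logon results at +1 h, +2.1 h, +8.5 h and +9 h; the card is revoked at +2 h."""
    t0 = datetime(2016, 11, 11, 8, 0)           # constructed start of the CRL schedule
    at = lambda hours: t0 + timedelta(hours=hours)
    ca = CA(t0, timedelta(hours=8), timedelta(hours=1))
    dc = RelyingParty(ca)
    results = [dc.logon_allowed(SERIAL, at(1))]  # CRL fetched here stays cached until +9 h
    ca.revoked[SERIAL] = at(2)                   # revocation reaches the CA database
    if force_publish:
        ca.publish(at(2))                        # out-of-schedule CRL publication
    if flush_cache:
        dc.cache = None                          # relying party drops its cached CRL
    results += [dc.logon_allowed(SERIAL, at(h)) for h in (2.1, 8.5, 9)]
    return results

if __name__ == "__main__":
    for args in [(False, False), (True, False), (False, True), (True, True)]:
        print(args, timeline(*args))
```

In this model the logon is refused straight after revocation only when a new CRL is published and the relying party's cached copy is discarded; either step alone leaves the card working until the cached CRL reaches its nextUpdate. On AD CS the publication step corresponds to `certutil -CRL` on the CA, and cached CRLs on a Windows machine can be invalidated with `certutil -setreg chain\ChainCacheResyncFiletime @now`.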