Post by p***@gmail.comThanks for your replay.
We restarted both domain controllers with the IAS, before we ran the
test.
The old CRL expired, and we believe it's not a cache issue, since the
expiration date was 2 days ago, and probably not a "CRL grace time"
problem.
We manipulated the date and hour in the whole domain, and the
workstation still established a connection.
We think that the RADIUS just ignores the new CRL.
We even published the CRL through the ldap (the CDP extention contains
http refference for the CRL location using ADSIedit), yet it didn't
help.
As for the link above, the command doesn't work. (It shows the error
written in the blog)
Do you know how long the IAS save it's own cache?
When we use 'cerutil -verify CompCertName', the result is 'Certificate
revoked'
The information below might be helpful in this circumstance.
*********************
NPS/IAS Certificate Revocation List (CRL) Checks
By default, the NPS server checks for certificate revocation for all the
certificates in the certificate chain sent by the client computer during
the EAP-TLS and PEAP-TLS authentication process. If certificate revocation
fails for any of the certificates in the chain, the connection attempt is
not authenticated and is denied.
Certificate revocation checking behavior for NPS can be modified with
registry settings.
Because certificate revocation checking can prevent client access due to
the unavailability or expiration of CRLs for each certificate in the
certificate chain, design your PKI for high availability of CRLs. For
example, configure multiple CRL distribution points for each CA in the
certificate hierarchy and configure publication schedules that ensure that
the most current CRL is always available.
Certificate revocation checking is only as accurate as the last published
CRL. For example, if a certificate is revoked, by default the new CRL
containing the newly revoked certificate is not automatically published.
CRLs are typically published based on a configurable schedule. This means
that the revoked certificate can still be used to authenticate because the
published CRL is not current; it does not contain the revoked certificate
and can therefore still be used to create wireless connections. To prevent
this from occurring, the network administrator must manually publish the
new CRL with the newly revoked certificate.
By default, the NPS server uses the CRL distribution points in the
certificates. However, it is also possible to store a local copy of the CRL
on the NPS server. In this case, the local CRL is used during certificate
revocation checking. If a new CRL is manually published to the Active
Directory, the local CRL on the NPS server is not updated. The local CRL is
updated when it expires. This can create a situation wherein a certificate
is revoked, the CRL is manually published, but the NPS server still allows
the connection because the local CRL has not yet been updated.
The certificate revocation check for a certificate can fail because of the
following issues.
The certificate has been revoked
The issuer of the certificate has explicitly revoked the certificate.
The certificate revocation list (CRL) for the certificate is not reachable
or available
CAs maintain CRLs and publish them to specific CRL distribution points. The
CRL distribution points are included in the CRL Distribution Points
property of the certificate. If the CRL distribution points cannot be
contacted to check for certificate revocation, then the certificate
revocation check fails.
Additionally, if there are no CRL distribution points in the certificate,
the NPS server cannot verify that the certificate has not been revoked and
the certificate revocation check fails.
The publisher of the CRL did not issue the certificate
Included in the CRL is the publishing CA. If the publishing CA of the CRL
does not match the issuing CA for the certificate for which certificate
revocation is being checked, then the certificate revocation check fails.
The CRL is not current
Each published CRL has a range of valid dates. If the CRL Next update date
has passed, the CRL is not valid and the certificate revocation check
fails. New CRLs should be published before the expiration date of the last
published CRL.
************
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.