Revocation Verification during SC logon
Bonjour All,

We have set up a 3rd party CA at our end and successfully performed the smart card logon from a hierarchical/sub CA. But when I revoke a certificate and publish the CRL, the client can still do SC logon. I tried to check the status of my certificate via 3 commands:

1) certutil -urlfetch -verify certificate_name.cer
   This command shows that the certificate is revoked.

2) certutil -url certificate_name.cer
   From CDP verification I get "Verified", but from AIA verification I get "Revoked".

3) certutil -scinfo

    The Microsoft Smart Card Resource Manager is running.
    Current reader/card status:
    Readers: 1
      0: Gemplus USB Smart Card Reader 0
    --- Reader: Gemplus USB Smart Card Reader 0
    --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
    --- Status: The card is being shared by a process.
    ---   Card: Oberthur Technologies AuthentIC v3 Device
    =======================================================
    Analyzing card in reader: Gemplus USB Smart Card Reader 0
    cbData: 39 ==> 40
    --------------===========================--------------
    ================ Certificate 0 ================
    --- Reader: Gemplus USB Smart Card Reader 0
    --- Card: Oberthur Technologies AuthentIC v3 Device
    Provider = Oberthur Card Systems Cryptographic Provider
    Key Container = {AAF0C3FA-5900-441c-8CCE-058B1C2C4D96}
    CryptGetUserKey: Key does not exist. 0x8009000d (-2146893811)
    No AT_SIGNATURE key for reader: Gemplus USB Smart Card Reader 0
    Performing AT_KEYEXCHANGE public key matching test...
    Public key matching test succeeded
    Key Container = {AAF0C3FA-5900-441c-8CCE-058B1C2C4D96}
    Provider = Oberthur Card Systems Cryptographic Provider
    ProviderType = 1
    Flags = 1
    KeySpec = 1
    Private key verifies
    Performing cert chain verification...
    CertGetCertificateChain(dwErrorStatus) = 0x4
    Chain on smart card is invalid
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    ChainContext.dwRevocationFreshnessTime: 6 Days, 19 Hours, 20 Minutes, 27 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    SimpleChain.dwRevocationFreshnessTime: 6 Days, 19 Hours, 20 Minutes, 27 Seconds
    CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=4
      Issuer: CN=Sales Department, O=ID Technologies
      Subject: CN=scott, OU=Certificate Users, DC=child, DC=pa
      Serial: 08248a7ff5a7576b46ff
      Template: SmartcardUser
      ae b1 2c 78 ba 07 9c 0c 4d 1c 91 09 89 b4 31 1c f3 a8 cb 1d
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
      CRL 1535:
        Issuer: CN=Sales Department, O=ID Technologies
        0c e4 bf a3 85 8d 20 cd 58 2b f8 bf a7 00 31 cf 45 16 ca d0
      Issuance[0] = 1.2.3.4
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
      Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=0
      Issuer: CN=Finance Department, O=ID Technologies, C=SW
      Subject: CN=Sales Department, O=ID Technologies
      Serial: 01a36310ddf9f2939dff
      Template: SubCA
      b5 38 9a a8 fe 7a e7 08 da c8 42 7f 6f 1d 67 61 46 b4 5a 0a
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 1279:
        Issuer: CN=Finance Department, O=ID Technologies, C=SW
        45 8a 6d fb fc 12 7b f3 45 bc c7 25 37 95 6f 0a 9a 1e cf d1
      Issuance[0] = 1.2.3.4
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
      Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[3] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      Application[4] = 1.3.6.1.5.5.7.3.9
      Application[5] = 1.3.6.1.5.5.7.3.3 Code Signing
      Application[6] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
      Application[7] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate
    CertContext[0][2]: dwInfoStatus=101 dwErrorStatus=0
      Issuer: CN=ID Technologies, OU=ID Technologies, O=ID Technologies, C=SW
      Subject: CN=Finance Department, O=ID Technologies, C=SW
      Serial: 07388370e717ca47f8ff
      Template: SubCA
      2d ca 9f 84 c6 e0 42 dd ff d7 d5 00 73 a9 90 d5 e0 9d 16 ab
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 1791:
        Issuer: CN=ID Technologies, OU=ID Technologies, O=ID Technologies, C=SW
        a5 e1 c2 11 9f 7a 97 26 fd 21 51 03 20 8d b4 27 45 8e 97 08
      Issuance[0] = 1.2.3.4
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
      Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
      Application[3] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      Application[4] = 1.3.6.1.5.5.7.3.9
      Application[5] = 1.3.6.1.5.5.7.3.3 Code Signing
      Application[6] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
      Application[7] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=ID Technologies, OU=ID Technologies, O=ID Technologies, C=SW
      Subject: CN=ID Technologies, OU=ID Technologies, O=ID Technologies, C=SW
      Serial: e4b1a4daca0a09e2
      42 3d 5c 19 3d 44 57 06 89 c2 e9 80 7b aa e4 da 3b d5 16 f1
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
      05 9b e2 e9 59 42 9f e7 33 bd 08 6a 98 a2 d3 5f 07 c6 37 d5
    Full chain:
      e0 ae 59 c1 3a 9f 90 07 97 60 52 05 8c 36 86 c0 16 d2 05 4e
    Issuer: CN=Sales Department, O=ID Technologies
    Subject: CN=scott, OU=Certificate Users, DC=child, DC=pa
    Serial: 08248a7ff5a7576b46ff
    Template: SmartcardUser
    ae b1 2c 78 ba 07 9c 0c 4d 1c 91 09 89 b4 31 1c f3 a8 cb 1d
    The certificate is revoked. 0x80092010 (-2146885616)
    ------------------------------------
    Certificate is REVOKED
    Displayed AT_KEYEXCHANGE cert for reader: Gemplus USB Smart Card Reader 0
    --------------===========================--------------
    Done.
    CertUtil: -SCInfo command completed successfully.

I have tried the command on both Windows Server 2003 & 2008. Kindly help, where is the issue?

Best Regards,
Scott Thomas
January 4th, 2011 7:00am

On Tue, 4 Jan 2011 11:56:38 +0000, Scott Thomas 007 wrote:

> We have set up a 3rd party CA at our end and successfully performed the smart card logon from a hierarchical/sub CA. But when I revoke a certificate and publish the CRL, the client can still do SC logon. I tried to check the status of my certificate via 2 commands:

The authenticating domain controller is the relying party for the smart card logon certificate. This comes down to CRL caching. If the relying party has a time-valid CRL or delta CRL cached locally, it won't retrieve an updated CRL no matter how frequently you manually publish a new CRL.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
Netnews is like yelling, "Anyone want to buy a used car?" in a crowded theater.
January 4th, 2011 7:41am

> The authenticating domain controller is the relying party for the smart card logon certificate. This comes down to CRL caching. If the relying party has a time-valid CRL or delta CRL cached locally, it won't retrieve an updated CRL no matter how frequently you manually publish a new CRL.

Bonjour Paul,

Thanks for the reply. Kindly tell me how I can stop CRL caching?

Regards,
Scott
January 4th, 2011 9:14am

On Tue, 4 Jan 2011 14:09:51 +0000, Scott Thomas 007 wrote:

> Thanks for the reply. Kindly tell me how I can stop CRL caching?

You can't. You either need to reduce the publication period for your CRLs, or look at implementing an OCSP solution. Or, rather than depending on the CRL to prevent the user from logging on, disable the AD account.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
CRT: A movie about a little alien who forgets his telephone number and must write home.
January 4th, 2011 11:21am

> You can't. You either need to reduce the publication period for your CRLs, or look at implementing an OCSP solution. Or, rather than depending on the CRL to prevent the user from logging on, disable the AD account.

Bonjour Paul,

Fine, I also have an OCSP solution integrated with my CA. Kindly guide me on what Group Policy changes will be required to use OCSP instead of CRL for certificate revocation checking?

Suppose, Paul, that we succeed in using OCSP instead of CRL; but I think Windows Server 2003 does not have OCSP functionality, so would my Windows Server 2003 clients then work fine?

Regards,
Scott Thomas
January 4th, 2011 1:04pm

On Tue, 4 Jan 2011 18:00:03 +0000, Scott Thomas 007 wrote:

> Fine, I also have an OCSP solution integrated with my CA. Kindly guide me on what Group Policy changes will be required to use OCSP instead of CRL for certificate revocation checking?

This is going to be a configuration option on your CA which I'm not going to be able to help you with. You'll need to check the documentation/support for your CA.

> Suppose, Paul, that we succeed in using OCSP instead of CRL; but I think Windows Server 2003 does not have OCSP functionality, so would my Windows Server 2003 clients then work fine?

Server 2003 cannot serve as an OCSP responder but it can function as an OCSP client.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Those who can't write, write help files.
January 4th, 2011 1:19pm

> Server 2003 cannot serve as an OCSP responder but it can function as an OCSP client.

Bonjour Paul,

Actually I am using Windows XP/2003 as clients for SC logon. My AD is on Windows Server 2008. If I do certutil -url file_name.crt on XP/2003 to check revocation status, it does not show an OCSP option, so I think it cannot authenticate via the OCSP protocol. But if I do the same on 2008 it shows an OCSP check option.

If I set OCSP as the revocation check mechanism in the DC Group Policy, will I then be able to do SC logon via XP/2003 clients, or should I apply some service packs?

Regards,
Scott Thomas
January 4th, 2011 10:59pm

Windows XP and Windows Server 2003 can only use OCSP through third-party OCSP clients. There is no Microsoft OCSP client for Windows XP and Windows Server 2003. OCSP client functionality was only built in to Windows Vista/Windows Server 2008 and higher.

That being said, the Microsoft OCSP server/client combination does not work in the manner that you desire. The OCSP responses that are sent from the Microsoft Online Responder can be considered as mini-CRLs. The responses have a time-to-live equivalent to the CRL that the response is based on. If there is one day left in the validity period of the CRL, the OCSP response is valid for one day and is cached at the client validating the certificate for one day. This is based on the RFCs and cannot be changed.

Remember though, the smart card logon is tied to a user account in AD. If the user account is disabled, the authenticating DC will see the disabled status and prevent the smart card logon from succeeding.

Brian
January 5th, 2011 11:03am
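Both Paul's point about CRL caching and Brian's point about OCSP response lifetime come down to one field: the CRL's NextUpdate. Until that time passes, a relying party (the authenticating DC) keeps its cached copy, and a Microsoft Online Responder answer built from that CRL expires at the same moment. The script below is an added example, not code from the thread or from Microsoft: it downloads the current CRL straight from the CDP (bypassing any CryptoAPI cache), reads ThisUpdate/NextUpdate and the entry list with certutil -dump, and reports how long a cached copy would still be considered time-valid and whether a given serial is on the list. It assumes certutil.exe is on the PATH and that its -dump output labels the fields "ThisUpdate:", "NextUpdate:" and "Serial Number:"; the CDP URL is a placeholder and the serial is the one shown in the thread, used only as a constructed input.

```powershell
# Added example (not from the thread or Microsoft): show the CRL validity window
# that drives both CRL caching on the DC and OCSP response lifetime.
# Assumptions: certutil.exe on PATH; certutil -dump prints "ThisUpdate:",
# "NextUpdate:" and one "Serial Number:" line per CRL entry.
param(
    # Placeholder CDP URL (or a local .crl path); replace with your own.
    [string]$CrlSource = 'http://cdp.example.invalid/SalesDepartment.crl',
    # Serial of the revoked SmartcardUser cert quoted in the thread (constructed input).
    [string]$Serial    = '08248a7ff5a7576b46ff'
)

function Get-CrlField([string[]]$Dump, [string]$Label) {
    # Return the text after "<Label>:" on the first matching certutil -dump line.
    $pattern = [regex]::Escape($Label) + '\s*:\s*(.+)$'
    $m = $Dump | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $m) { throw "certutil -dump output has no '$Label' line" }
    return $m.Matches[0].Groups[1].Value.Trim()
}

# Fetch the CRL bytes directly from the CDP so no CryptoAPI cache sits in between.
if (Test-Path $CrlSource) {
    $crlFile = $CrlSource
} else {
    $crlFile = Join-Path $env:TEMP 'current.crl'
    (New-Object System.Net.WebClient).DownloadFile($CrlSource, $crlFile)
}

$dump       = certutil -dump $crlFile
$thisUpdate = [datetime]::Parse((Get-CrlField $dump 'ThisUpdate'))
$nextUpdate = [datetime]::Parse((Get-CrlField $dump 'NextUpdate'))
# Normalise serials (strip spaces, lower-case) so they compare with what certutil prints elsewhere.
$revoked    = @($dump | Select-String -Pattern 'Serial Number\s*:\s*(.+)$' |
               ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToLower() })

$now       = Get-Date
$remaining = $nextUpdate - $now

"CRL ThisUpdate : $thisUpdate"
"CRL NextUpdate : $nextUpdate"
"Entries        : $($revoked.Count)"
if ($now -lt $nextUpdate) {
    # This is the window Paul describes: the cached CRL is time-valid, so the DC
    # will not download a newer one; an OCSP response derived from this CRL
    # carries the same expiry, as Brian explains.
    "A relying party that cached this CRL will not fetch a newer one for about {0:N1} more hours." -f $remaining.TotalHours
} else {
    "This CRL has passed NextUpdate; the relying party must fetch a fresh one."
}
if ($revoked -contains $Serial.ToLower()) {
    "Serial $Serial is listed as revoked in this CRL."
} else {
    "Serial $Serial is NOT in this CRL (an older cached copy would still pass it)."
}
```

Run it against the CDP URL from the user certificate's CRL Distribution Points extension. If the serial shows as revoked but logon still succeeds, the DC is almost certainly working from a copy cached before the revocation, which is exactly the situation the 6-day dwRevocationFreshnessTime in the original certutil -scinfo output points at.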

> Windows XP and Windows Server 2003 can only use OCSP through third-party OCSP clients. There is no Microsoft OCSP client for Windows XP and Windows Server 2003. OCSP client functionality was only built in to Windows Vista/Windows Server 2008 and higher.
>
> That being said, the Microsoft OCSP server/client combination does not work in the manner that you desire. The OCSP responses that are sent from the Microsoft Online Responder can be considered as mini-CRLs. The responses have a time-to-live equivalent to the CRL that the response is based on. If there is one day left in the validity period of the CRL, the OCSP response is valid for one day and is cached at the client validating the certificate for one day. This is based on the RFCs and cannot be changed.
>
> Remember though, the smart card logon is tied to a user account in AD. If the user account is disabled, the authenticating DC will see the disabled status and prevent the smart card logon from succeeding.

Currently in my PKI environment, the CRL gets published each time a certificate is revoked. I googled and found a command, certutil -setreg chain\ChainCacheResyncFileTime @now, that clears the AD server's cached entries. Now when I try SC logon with the revoked certificate, it shows that the certificate is revoked. I can schedule this command at night so that the next day revoked users cannot do SC logon.
January 6th, 2011 2:14am

> Currently in my PKI environment, the CRL gets published each time a certificate is revoked. I googled and found a command, certutil -setreg chain\ChainCacheResyncFileTime @now, that clears the AD server's cached entries. Now when I try SC logon with the revoked certificate, it shows that the certificate is revoked. I can schedule this command at night so that the next day revoked users cannot do SC logon.

Bonjour All,

I can do CRL publishing each night or after the revocation process, then flush the cache at the AD server with the command quoted above. When the first user then logs on via SC, the cache is rebuilt again in a few seconds, and subsequent users never feel any delay or performance issue at logon.

Do you think this solution may have any issue or bad effect on AD performance?

Regards,
Scott Thomas
January 13th, 2011 4:50am
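The procedure the thread settles on has three parts: publish the CRL, make the authenticating DC's CryptoAPI chain engine drop its cached CRLs, and, as Paul and Brian both recommend, disable the AD account so the logon is refused regardless of what any cache holds. The following is an added example of wiring those steps together on a DC; it is not the thread's own script or a Microsoft-supplied one. It assumes certutil.exe and schtasks.exe are present, that the ActiveDirectory PowerShell module is installed for Disable-ADAccount (it is not on every 2008-era DC), that 02:00 is after your CRL publication window, and that the exported certificate path and the account name "scott" (taken from the thread's output) are placeholders for your own.

```powershell
# Added example (not the thread's own commands): nightly CRL cache resync on the
# authenticating DC, paired with the account-disable step that does not depend
# on caches. Run elevated on each DC that authenticates smart card logons.
# Assumptions: certutil.exe and schtasks.exe present; ActiveDirectory module
# available for Disable-ADAccount; paths and account name are placeholders.

# 1) Immediate resync. ChainCacheResyncFileTime is a timestamp; stamping it with
#    @now makes every chain engine whose cache is older than that moment rebuild
#    its CRL cache on next use. Quote '@now' so PowerShell does not treat it as splatting.
certutil -setreg chain\ChainCacheResyncFileTime '@now'
certutil -getreg chain\ChainCacheResyncFileTime     # confirm the value that was written

# 2) Schedule the same resync nightly, after CRL publication, so the previous
#    day's revocations take effect before the morning logons.
schtasks /Create /F /RU SYSTEM /SC DAILY /ST 02:00 `
    /TN 'PKI\Resync CRL cache' `
    /TR 'certutil -setreg chain\ChainCacheResyncFileTime @now'

# 3) Verify from the DC's point of view: list the CRLs now in the URL cache and
#    re-validate the revoked user's certificate (exported to a .cer file) with a
#    fresh fetch. A revoked leaf ends with "Certificate is REVOKED".
certutil -urlcache crl
certutil -urlfetch -verify 'C:\temp\scott.cer' | Select-String 'REVOKED|Revocation'

# 4) The step that works regardless of CRL or OCSP caching: a disabled account
#    is rejected by the DC before any revocation check matters.
Import-Module ActiveDirectory
Disable-ADAccount -Identity 'scott'   # sAMAccountName is a placeholder from the thread
```

Two design points follow from the thread itself. The resync only affects the machine it runs on, so it has to run on every DC that can authenticate the user, not just one; and the scheduled task has to run after the CRL is published, otherwise the chain engine simply re-caches the old CRL. Disabling the account is the only step whose effect is immediate on all DCs once replicated, which is why the responders suggest relying on it rather than on revocation timing.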

