Vista/7 cannot verify CRL when logging on with smart card
hello,

Several times I have encountered a weird behavior at my customers when they are logging on with a smart card (Microsoft Base Smart Card Crypto Provider, Gemalto .NET v2) from outside their network. Their computers DO NOT have access to their PRIVATE network - to the CDP nor AIA locations nor any of the DCs. But they have already logged on previously, even with the same smart card and its account (so the account should have been cached for s/c logon).

The error when logging on with the smart card was "cannot verify CRL". The CRL may already be expired, but this I cannot confirm.

Their computers HAVE a network connection to the INTERNET, but not to any of the CDP nor AIA locations (on .local domain names, as their domain has a .local suffix). Their CDPs and AIAs contain http:/...local and LDAP.

They CAN successfully log on from the keyboard with a password (this proves the account is really cached, at least for password logon). Without a network connection (not even to the internet), the logon IS successful using the smart card.

According to this, I suspect that the machine somehow thinks it is online (although it is not), that it should do a normal online logon instead of the cached one, and tries to verify the CRL, which is really not accessible from that machine at that time.

So the question is - is this reason possible? Is it possible that the machine for some reason tries to validate the CRL even if no DC is accessible? For example, if the domain name is .local and the machine is only on the public internet? How to prevent the machine from trying to check the CRL when their DCs are not accessible?

thank you very much.
ondrej.
September 1st, 2009 11:57am


Hi,

Thanks for your post. As far as I know, for local smart card logon with cached credentials, there is no Certificate Revocation List (CRL) check. The CRL is only checked when there is a Domain Controller (DC) certificate, and in the cached logon case there is no DC involved and therefore no CRL check. As a result, the certificate on the smart card should be accepted for local logon even if the CRL has expired, because no CRL check is performed.

The Smart Card Cryptographic Service Provider Cookbook: http://msdn.microsoft.com/en-us/library/ms953432.aspx

Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
September 2nd, 2009 2:33pm

thank you, exactly my understanding. But the workstation says "cannot verify CRL". This means probably that it for some reason thinks it is ONLINE, while the DCs are actually not accessible. What could be the reason? The computers have internet access at the time of logon (wifi or even wired), but not at all to the corporate network. Is there any scenario under such conditions in which the workstation could (even temporarily) think the logon should not come from cache?
ondrej.
September 2nd, 2009 2:43pm

Hi,

To better understand the issue, please help collect the Kerberos and CAPI2 log on the computer:

1. Enable Kerberos event logging: http://support.microsoft.com/kb/262177
2. Enable CAPI2 log. Please refer to the "Enabling and Saving the CAPI2 Log" section of the following article: http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx
3. Logon the computer with smart card to reproduce the issue.
4. After the issue occurs, unplug the network cable and logon the computer again with the smart card.
5. After that, please export the system and CAPI2 log and upload to the following space: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=1bae3979-871d-4fb0-9405-f9e07f263c38 Password: 9Lu7nFC7@O

Note: Please also let me know the exact time when you perform steps 3 and 4.

Meanwhile, please help check the network profile type in Network and Sharing Center when the computer has Internet access. Is it identified as connected to a domain network?

Thanks.

Joson Zhou
TechNet Subscriber Support in forum
September 3rd, 2009 1:10pm
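The collection steps above, scripted for the Windows 7 client in the thread, as an added example that is not part of the original posts. It assumes an elevated PowerShell prompt, an output folder `C:\SmartCardLogs`, and the Kerberos `LogLevel` registry value from KB262177; the Network List Manager CLSID is the documented one for Vista/7.

```powershell
# Added example (not from the thread): gather the Kerberos and CAPI2 evidence
# for a "cannot verify CRL" smart card logon, plus the network category the
# machine has assigned to its connection. Run elevated. $OutDir is assumed.
$OutDir = 'C:\SmartCardLogs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: Kerberos event logging (KB262177). LogLevel=1 makes Kerberos
# errors appear in the System log under source "Kerberos".
$krbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-Item -Path $krbKey -Force | Out-Null
Set-ItemProperty -Path $krbKey -Name LogLevel -Value 1 -Type DWord

# Step 2: the CAPI2 operational log is off by default; it records chain
# building and revocation checks, including every URL CAPI2 tried to fetch.
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil.exe cl Microsoft-Windows-CAPI2/Operational   # start from an empty log

# Steps 3 and 4: reproduce the smart card logon with and without the cable,
# noting the clock time of each attempt, then continue.
Write-Host 'Reproduce the logon now and note the time. Press Enter when done.'
[void](Read-Host)

# Step 5: export both logs for upload, and extract the revocation errors so
# the CDP/AIA URLs (the .local names) that CAPI2 tried are visible at once.
wevtutil.exe epl System "$OutDir\System.evtx"
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational "$OutDir\CAPI2.evtx"
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 2 -and $_.Message -match 'revocation|CRL|\.local' } |
    Select-Object TimeCreated, Id, Message |
    Format-List | Out-File "$OutDir\capi2-revocation-errors.txt"

# Network category Windows assigned (the "domain network?" question above).
# Uses the Network List Manager COM object available on Vista/7:
# category 0 = Public, 1 = Private, 2 = Domain authenticated.
$nlm = [Activator]::CreateInstance(
    [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
foreach ($net in $nlm.GetNetworks(1)) {   # 1 = connected networks only
    '{0}: category {1}' -f $net.GetName(), $net.GetCategory()
} | Out-File "$OutDir\network-category.txt"
```

When collection is finished, set `LogLevel` back to 0 and disable the CAPI2 log with `wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false`, since both add noise and the CAPI2 log can grow quickly.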

Hi ondrej,

How are you? Just want to check if you have time to collect the information. If there is anything unclear, please feel free to let me know.

Joson Zhou
TechNet Subscriber Support in forum
September 8th, 2009 10:31am

thank you for the interest. I appreciate it very much. I am currently waiting for the customer for the issue to reappear. Currently, there is only a better condition definition:
- no network connection was available at the time of the problem, actually, as against what they said previously
- the CRL and deltaCRL were both in their "should-refresh-from-the-source-but-still-not-expired" state (after next-crl-publish)
ondrej.
September 8th, 2009 2:09pm

Hi,

Thanks for your update. Do you mean that the user cannot logon the system with smart card no matter whether a network connection is available?

Thanks.

Joson Zhou
TechNet Subscriber Support in forum
September 10th, 2009 12:26pm

yes, exactly that observation came from the user. But I cannot confirm that before the weird behaviour reappears and they send me better logs.
September 10th, 2009 1:23pm

still waiting for the CAPI2 logs. This issue happens recurrently, except the users are not able to send me the files. Give me some time to catch up.
September 15th, 2009 3:18pm

Hi,

Thanks for your update. Please let me know when you get the log. By the way, does the issue always occur if users logon their computer with smart card?

Thanks.

Joson Zhou
TechNet Subscriber Support in forum
September 16th, 2009 5:08am

yes, actually this way:
- Windows 7
- completely offline (cable unplugged)
- IPv6 disabled (don't know whether this has any effect, but it is a fact)
- after restart only (but all attempts for several minutes)
- smart card logon (already cached) only, password logon works well
- baseCRL valid, deltaCRL expired
ondrej.
September 16th, 2009 1:21pm
