Posted by Miha Pihler [MVP] on April 25, 2006, 3:12 pm
Hi Frank,
CRLs are cached on the server and clients, and as long as that CRL is valid
(not expired) there is no supported way to force the client/server to check
for a new (updated) CRL.
If you need to revoke a user's access permission immediately, you have to
either disable the user's account or remove the account from the group that
allows him/her access to the website.
--
Mike
Microsoft MVP - Windows Security
> I set up a Windows 2k3 Certificate Authority (CA) server and it's working just
> as planned. I forced our IIS website (Win 2k) to only allow users who have a
> Certificate from my Win2k3 CA server. Now I set the CRL Publication interval
> to 1 hr on the Win2k3 CA server.
>
> When I revoke a user (certificate) it takes the full 1 hr before the user
> can no longer access the site. Is there any way to force the IIS server to
> check the CA every time someone tries to access the site? I figured (on the
> Win2k3 CA server) if you right click Revoked Certificates -> All Tasks ->
> Publish, this would let the IIS server know that the CRL has changed, and
> here is a list of all the revoked certs. Am I missing something? Thanks for
> all your help.
>
> -Frank
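
Added example (not part of the thread, and not Windows or IIS code): a simplified model of the CRL caching rule described in the reply, showing why a manual Publish on the CA does not shorten the delay. It assumes the CRL's next-update time is exactly one publication interval (1 hour) after issue; the `Ca` and `RelyingParty` classes, the serial number and the timestamps are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset


class Ca:
    """Hypothetical CA: tracks revoked serials and publishes CRLs on demand."""
    def __init__(self, validity):
        self.validity = validity
        self.revoked = set()
        self.published = None

    def revoke(self, serial):
        self.revoked.add(serial)

    def publish(self, now):
        self.published = Crl(now, now + self.validity, frozenset(self.revoked))


class RelyingParty:
    """Hypothetical web server: reuses its cached CRL until that CRL expires."""
    def __init__(self, ca):
        self.ca = ca
        self.cached = None
        self.fetches = 0

    def accepts(self, serial, now):
        # Only an expired (or missing) cached CRL triggers a download.
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.published
            self.fetches += 1
        return serial not in self.cached.revoked


def timeline():
    t0 = datetime(2006, 4, 25, 12, 0)        # constructed start time
    ca = Ca(timedelta(hours=1))              # assumed: validity == 1 hr interval
    ca.publish(t0)
    web = RelyingParty(ca)
    seen = [web.accepts(0x1A, t0 + timedelta(minutes=1))]    # CRL gets cached
    ca.revoke(0x1A)
    ca.publish(t0 + timedelta(minutes=10))                   # manual Publish
    seen.append(web.accepts(0x1A, t0 + timedelta(minutes=30)))  # stale cache
    seen.append(web.accepts(0x1A, t0 + timedelta(minutes=61)))  # refetched
    return seen, web.fetches
```
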