2003 Server and CRL's

Discussion in 'Windows Server' started by jwill, Mar 22, 2007.

  1. jwill

    jwill Guest

    Can someone tell me how to disable CRL checking on a 2003 server that does
    not have IIS installed?

    I have several 2003 servers within a network that has no contact to the
    internet. SSL is used by these servers to exchange data with a specialized
    server. I have no problem with all non-2003 systems. I have found scant
    information beyond disabling CRL checking within IE (which only partially
    works) and modifying the "CertCheckMode Metabase Property" in IIS. These
    2003 servers do not have IIS installed. I can import a CRL, but it is only
    valid for a week.
     
    jwill, Mar 22, 2007
    #1

  2. This content should be of assistance with this issue:

    IAS CRL check registry settings
    You can use the following registry settings to change how IAS performs
    certificate revocation list (CRL) checks when the authentication method
    EAP-TLS is in use.

    Caution
    Incorrectly editing the registry can severely damage your system. Before
    making changes to the registry, you should back up any valued data on the
    computer.


    All of the listed registry settings are configurable on IAS servers with
    the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

    Important
    All of the following registry settings must be added as a DWORD type and
    have the valid values of 0 or 1.


    IgnoreNoRevocationCheck
    When set to 1, IAS allows EAP-TLS clients to connect even when IAS does not
    perform or cannot complete a revocation check of the certificate chain
    (excluding the root certificate) of the client. Typically, revocation
    checks fail because the certificate does not include CRL information.

    IgnoreNoRevocationCheck is set to 0 (disabled) by default. An EAP-TLS
    client cannot connect unless the server completes a revocation check of the
    certificate chain (including the root certificate) of the client and
    verifies that none of the certificates have been revoked.

    You can use this entry to authenticate clients when the certificate does
    not include CRL distribution points, such as might be the case with
    certificates issued by non-Microsoft CAs.

    IgnoreRevocationOffline
    When set to 1, IAS allows EAP-TLS clients to connect even when a server
    that stores a CRL is not available on the network.

    IgnoreRevocationOffline is set to 0 by default. With this default setting,
    IAS does not allow clients to connect unless it can complete a revocation
    check of their certificate chain and verify that none of the certificates
    are revoked. When IAS cannot connect to a server that stores a revocation
    list, the certificate fails the revocation check and authentication fails.

    Setting IgnoreRevocationOffline to 1 prevents certificate validation
    failure because poor network conditions prevented IAS from successfully
    completing a revocation check.

    NoRevocationCheck
    When set to 1, IAS prevents EAP-TLS from performing a revocation check of
    the certificate of the client. The revocation check verifies that the
    certificate of the client and the certificates in its certificate chain
    have not been revoked. NoRevocationCheck is set to 0 by default.

    NoRootRevocationCheck
    When set to 1, IAS prevents EAP-TLS from performing a revocation check of
    the root CA certificate of the client.

    NoRootRevocationCheck is set to 0 by default. This entry only eliminates
    the revocation check of the root CA certificate of the client. A revocation
    check is still performed on the remainder of the certificate chain of the
    client.

    You can use this entry to authenticate clients when the certificate does
    not include CRL distribution points, such as might be the case with
    certificates issued by non-Microsoft CAs. Also, this entry can prevent
    certification-related delays that occur when a certificate revocation list
    is offline or is expired.

    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    James McIllece [MS], Apr 4, 2007
    #2
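As an added example (not from the thread, and not Microsoft's own script), a reg.exe batch file that applies the narrowest of the four settings described above, leaving IgnoreRevocationOffline as the only relaxation so revocation is still enforced whenever a CRL can be fetched. It assumes reg.exe is available (it ships with Server 2003), that the script runs with administrative rights, and that the IAS service is named ias and needs a restart for the change to apply.

```batch
@echo off
rem Added example: relax only the offline-CRL case for IAS EAP-TLS on Windows Server 2003,
rem using the registry key and value names quoted in the post above.
rem Assumes reg.exe is present and the script runs as an administrator.

set EAPKEY=HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

rem Record the current values before changing anything.
rem reg query reports an error for a value that has not been created yet; that is expected.
reg query "%EAPKEY%" /v IgnoreRevocationOffline
reg query "%EAPKEY%" /v IgnoreNoRevocationCheck
reg query "%EAPKEY%" /v NoRevocationCheck
reg query "%EAPKEY%" /v NoRootRevocationCheck

rem Narrowest relaxation in the post: keep revocation checking on, but do not fail
rem authentication when the server holding the CRL is unreachable from an isolated network.
rem All four values must be REG_DWORD and must be 0 or 1.
reg add "%EAPKEY%" /v IgnoreRevocationOffline /t REG_DWORD /d 1 /f

rem Pin the broader switches explicitly to their defaults so the intended state is visible
rem in the registry. NoRevocationCheck=1 would disable the revocation check entirely.
reg add "%EAPKEY%" /v IgnoreNoRevocationCheck /t REG_DWORD /d 0 /f
reg add "%EAPKEY%" /v NoRevocationCheck /t REG_DWORD /d 0 /f
reg add "%EAPKEY%" /v NoRootRevocationCheck /t REG_DWORD /d 0 /f

rem Confirm the result.
reg query "%EAPKEY%" /v IgnoreRevocationOffline

rem Assumption: the IAS service (service name ias) must be restarted to pick up the new values.
net stop ias
net start ias
```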

  3. yogesh garg

    yogesh garg
    I have the same situation where Windows Server 2003 has no internet.
    I want to change the "default url retrieval timeout" and "default path validation cumulative timeout".
    These 2 options are available in win-2008 under group policy --> computer configuration --> windows setting --> security setting --> public key policy --> certificate path validation setting --> property --> network tab

    please help
     
    yogesh garg, Sep 15, 2017
    #3
