Discussion in 'Server Security' started by MC, Oct 20, 2004.

    It's possible to log on to Windows XP via smart cards even if there's no
    network connection (offline, thanks to cached credentials).

    How does Windows check whether the smart card user certificate is valid when
    it's not possible to access a valid CRL?

    Does a Windows XP client cache the last known valid CRL?

    Is it still possible to log on offline via smart cards when the CRL has
    expired?

    Is there any procedure for dealing with notebook users, who often work
    offline for a long time (maybe several weeks)?

    MC, Oct 20, 2004
    For successful smart card logon, a valid CRL (certificate revocation list)
    must be available. You can add (and you should add) a CDP (CRL Distribution
    Point) that is publicly available for the clients that travel for longer
    periods of time (your business partners (or their e-mail client) might also
    want to check the validity of an issued certificate if you exchange signed
    e-mails). You can have your CDP at e.g. where is your domain name and is an address accessible from
    the internet. Once your CA issues a new CRL (this depends on your configuration)
    or a CRL is issued manually, you can copy (or automate the transfer of) the files to
    the URL that you defined as the CDP.

    You can't add or edit the CDP list on certificates that are already issued (if
    you do, the certificate signature becomes invalid). You have to add your
    additional CDP on your CA first. Once you have made these changes on the CA, you
    have to issue new certificates to users, and these new certificates will include
    the new CDP.

    Clients do cache the CRL and will use it as long as the CRL is valid.

    Troubleshooting Certificate Status and Revocation

    Miha Pihler, Oct 20, 2004
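The publish-and-copy step described above, as an added example (not from the thread or from Microsoft): it issues a new CRL, copies it to the externally reachable CDP, and checks how much validity the published copy has left against the 12-hour overlap window discussed later in the thread. The CA output path, the web share behind the CDP URL and the overlap value are assumptions.

```powershell
# Added example: publish a fresh CRL, copy it to the CDP, verify it is not about to expire.
$CrlSource    = 'C:\Windows\System32\CertSrv\CertEnroll\ExampleCA.crl'  # assumed CA output path
$CdpTarget    = '\\webserver\cdp$\ExampleCA.crl'                        # assumed share behind the public CDP URL
$OverlapHours = 12                                                      # assumed CRL overlap window

# Ask the CA to issue a new base CRL (requires CA administrator rights on the CA host).
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Publish the CRL to the location clients (and partners) will actually fetch it from.
Copy-Item -Path $CrlSource -Destination $CdpTarget -Force

# Read ThisUpdate/NextUpdate from the copy that sits at the CDP, not from the CA's local file.
$dump = certutil -dump $CdpTarget
$thisLine = ($dump | Select-String 'ThisUpdate:').Line
$nextLine = ($dump | Select-String 'NextUpdate:').Line
# certutil prints dates in the local culture; Parse uses the same culture.
$thisUpdate = [datetime]::Parse(($thisLine -replace '.*ThisUpdate:\s*', '').Trim())
$nextUpdate = [datetime]::Parse(($nextLine -replace '.*NextUpdate:\s*', '').Trim())

$remaining = $nextUpdate - (Get-Date)
if ($remaining.TotalHours -le 0) {
    Write-Error "CRL at $CdpTarget already expired at $nextUpdate; online smart card logon will fail"
} elseif ($remaining.TotalHours -le $OverlapHours) {
    Write-Warning ("Only {0}h of validity left; clients must refresh within the overlap window" -f [int]$remaining.TotalHours)
} else {
    Write-Host ("CRL valid: ThisUpdate {0}, NextUpdate {1} ({2}h remaining)" -f $thisUpdate, $nextUpdate, [int]$remaining.TotalHours)
}
```

Run it on the CA as a scheduled task shortly after each CRL publication so an expired or stale copy at the CDP is noticed before clients hit it.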
    So it seems that there's a problem using smart card logon for mobile users
    who often work offline for a longer time.
    Of course I can set an externally accessible URL in the CDP. My problem is
    that those mobile clients are NOT connected to any network.

    So smart card logon would only work as long as the notebooks have a valid, not
    expired CRL in their cache. If the CRL has expired, smart card logon would
    fail, right?

    Another problem is that I can define the CRL expiration overlap time to be
    only 12 hours. So the mobile clients MUST go online BEFORE the CRL is going
    to expire and AFTER a new CRL has been published by the CA.
    Since I can only define a 12-hour window, the clients have only 12 hours
    to log on and download a valid "new" CRL. Is that true?

    MC, Oct 21, 2004
    Sorry Miha, but this time I have to correct you :)

    Smart card logon, when performed offline, DOES NOT perform a revocation check
    with a CRL. It uses the cached credential verifier and it will work
    indefinitely, unless the enterprise has a policy to delete or expire the
    cached logons.
    David Cross [MS], Oct 21, 2004
    Thanks for that important information.

    I couldn't find a statement that there's no revocation checking procedure
    when working offline in any MS document...

    MC, Oct 21, 2004
    Hi David,

    Thank you for the correction... I am also learning new things every day :)


    Miha Pihler, Oct 21, 2004
    My testing also confirms what David says.

    However, I noticed the other day that if you configure smart card removal
    behaviour to lock the screen, then the client machine (XP) seems to need to
    contact the domain controller. A gotcha, for me at least...
    Or could XP offline be configured to even recover from smart card removal and


    PK, Oct 21, 2004
    Did you boot your XP workstation offline, or did you disconnect it from the
    network after logon?

    If the XP workstation is running for a longer time with a logged-on user, the
    Kerberos ticket is going to expire after 10 hours by default, I think. After
    that time period the Kerberos ticket must be renewed. To perform the
    Kerberos ticket renewal, the private key on the smart card is needed, so
    user input would be required.
    If the workstation is booted offline, the user gets no "new" Kerberos
    ticket, so there should be no need to contact a DC, because cached
    credentials are used.


    MC, Oct 21, 2004
    It may not be documented, but I do know this information authoritatively.


    David B. Cross [MS]

    This posting is provided "AS IS" with no warranties, and confers no rights.

    David Cross [MS], Oct 22, 2004
    I will check that out and get back. It will be in about a week.


    PK, Oct 25, 2004
