
CRL Validity Extension


claudio
Aug 14, 2008, 3:18:00 AM
Hello,
In a Windows smartcard logon scenario, according to this KB paper
http://support.microsoft.com/kb/887578/en-us
in order to extend the validity period of a CRL in case of publishing
failure, it is necessary to edit the registry key

HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod

This seems to work on the server side (w2003 SP2), but not on the client
side (XP SP3). The client is still trying to validate the DC Cert and
displays an error on the cert validation.

Can anybody confirm the registry key edit on the client side? Do we require
any hotfix on the client?

thanks,
kind regards,
Claudio


Brian Komar (MVP)
Aug 14, 2008, 7:58:21 AM
The registry key is available for Windows Vista clients.
I do not believe it is backported to Windows XP.
As an alternative, you can use certutil to re-sign the CRL (if you have
access to the CA's signing key).
You would use

certutil -sign CRLFILE.crl 3:0
This would resign for 3 days.

You must rename the updated CRL file to match the original name of the file.
Then you must manually copy the CRL file to *all* CDP referenced locations.
Brian

"claudio" <cla...@discussions.microsoft.com> wrote in message
news:8778F839-B020-4A31...@microsoft.com...

Stan
Aug 14, 2008, 8:04:47 AM
On Aug 14, 8:18 am, claudio <clau...@discussions.microsoft.com> wrote:
> Hello,
> In a Windows smartcard logon scenario, according to this KB paper
> http://support.microsoft.com/kb/887578/en-us
> in order to extend the validity period of a CRL in case of publishing
> failure, it is necessary to edit the registry key
>
> HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod
>
> This seems to work on the server side (w2003 SP2), but not on the client
> side (XP SP3). The client is still trying to validate the DC Cert and
> displays an error on the cert validation.
>
> Can anybody confirm the Registry key edit on the client side. Do we require
> any hotfix on the client ?
>
> thanks,
> kind regards,
> Claudio

I'm having the same issue and I've raised a support case with
Microsoft. I'm waiting for their response.

Darren

Stan
Aug 18, 2008, 2:04:07 PM
On Aug 14, 8:18 am, claudio <clau...@discussions.microsoft.com> wrote:
> Hello,
> In a Windows smartcard logon scenario, according to this KB paper
> http://support.microsoft.com/kb/887578/en-us
> in order to extend the validity period of a CRL in case of publishing
> failure, it is necessary to edit the registry key
>
> HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod
>
> This seems to work on the server side (w2003 SP2), but not on the client
> side (XP SP3). The client is still trying to validate the DC Cert and
> displays an error on the cert validation.
>
> Can anybody confirm the Registry key edit on the client side. Do we require
> any hotfix on the client ?
>
> thanks,
> kind regards,
> Claudio

This is what I got back from Microsoft after a couple of weeks; I
haven't tried it yet, but you can have a go:


On the Domain Controller computers.

A).

1. Start Registry editor.
2. Locate HKEY_Local_Machine\System\CurrentControlSet\Services\KDC
3. On the edit menu, click New, and then add the following registry
entry:

Value Name: CRLValidityExtensionPeriod
Value Type: DWORD
Value Data: Hours (Decimal)
Description: This DWORD value lets you extend the CRL validity
period by a specified number of hours. When you set this value to a
non-zero value, the certificate status checking code for smart card
logons ignores any validity period errors as long as the CRL is not
expired by more than the number of specified hours. This extension of
the validity period only applies to CRLs that are used during the
evaluation of certificates used for smart card logon. For example,
this extension would apply to a certificate that is issued by a
certification authority (CA) that is populated in the NTAuth store and
to any certificates that are part of the trust chain used to verify
the NTAuth store certificate.


B).

1. Start Registry editor.
2. Locate HKEY_Local_Machine\System\CurrentControlSet\Services\KDC
3. On the edit menu, click New, and then add the following registry
entry:

Value Name: CRLTimeoutPeriod
Value Type: DWORD
Value Data: Seconds (Decimal)
Description: This DWORD value lets you specify the CRL time-out
period to reduce false positives. The Key Distribution Center (KDC)
passes this value to the certificate policy checking code. By default,
the KDC specifies a time-out value of 90 seconds even if this registry
value is not set.


Client Computer Operating Systems.

XP

A)

1. Start Registry editor.
2. Locate HKEY_Local_Machine\System\CurrentControlSet\Services\LSA\Kerberos
3. On the edit menu, click New, and then add the following registry
entry:

Value Name: CRLTimeoutPeriod
Value Type: DWORD
Value Data: Seconds (Decimal)
Description: This DWORD value lets you specify the CRL time-out
period to reduce false positives. The Kerberos client passes this
value to the certificate policy checking code. By default, the
Kerberos client specifies a time-out value of 90 seconds even if this
registry value is not set.

B)

1. Start Registry editor.
2. Locate HKEY_Local_Machine\System\CurrentControlSet\Services\LSA\Kerberos
3. On the edit menu, click New, and then add the following registry
entry:

Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: After you set this DWORD value to 1, the Kerberos clients
(Smartcard logon client) will ignore revocation unknown errors that
are caused by expired CRL.


Basically, the locations for the registry settings on the client were
incorrect in KB887578.

Regards

Darren

Stan
Aug 19, 2008, 4:45:40 AM

I have now tested the registry settings and all works okay.

toil...@gmail.com
Sep 29, 2008, 4:03:56 AM
Hi
Has KB887578 been updated according to Darren's description? I can't
see any difference now.
I still have problems on the client side.
Did you use Win XP? SP3? Does it work with SP2?

I have two possible CRL issues with third-party CAs:
- CRL of the smart card issuer (should be reachable and validated to
determine if client is allowed to logon)
- CRL of the domain controller issuer (should be reachable and
validated to determine if domain controller is trustworthy)
I use for both cases the same third-party CA. Therefore I run into
problems when the corresponding CRL is not available.

Do the registry settings apply for both CRL validation checks?

Did anybody find more documentation about the Kerberos Smartcard Login
and possible (hidden) registry settings?
I only found the basic overview in the "Secure Access Using Smart Card
Planning Guide":
http://www.microsoft.com/technet/security/guidance/networksecurity/securesmartcards/default.mspx

Thank you very much

Regards
Alex

Chipeater
Sep 29, 2008, 3:08:40 PM
You're right, the article's been updated (new date) but I think it's
still inaccurate; the client registry setting is wrong, it should be:

Location: HKLM\System\CurrentControlSet\Control\Lsa\Kerberos


Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1

As far as your question regarding whether the fix works for both the
"DC cert CRLs" and "user cert CRLs", I would have to say yes, as the
testing I did had just a single CA which was obviously issuing
both certs.

Hope this helps, Dave
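An added audit script (not from the thread or from Microsoft) that reads the registry values described in Darren's Microsoft reply and in Dave's correction of the client path, flags any setting that relaxes revocation checking, and can optionally apply the workaround values; the Role and -Apply parameters and the flag wording are this script's own conventions.

```powershell
# Audit / apply the CRL-related Kerberos settings discussed in this thread.
# Run as Administrator. DC values live under Services\KDC; client values
# under Control\Lsa\Kerberos (Dave's correction, not Services\LSA\Kerberos).
param(
    [ValidateSet('DC', 'Client')] [string]$Role = 'Client',
    [switch]$Apply,                  # without -Apply the script only reports
    [int]$ExtensionHours = 0,        # CRLValidityExtensionPeriod (DC only), hours
    [int]$TimeoutSeconds = 90        # CRLTimeoutPeriod; 90 s is the documented default
)

$paths = @{
    DC     = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
}
$path = $paths[$Role]

function Get-DwordOrNull([string]$Key, [string]$Name) {
    # Returns $null when the value is absent, so "default" can be reported.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$names = if ($Role -eq 'DC') { 'CRLValidityExtensionPeriod', 'CRLTimeoutPeriod' }
         else { 'CRLTimeoutPeriod', 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors' }

Write-Output "Role: $Role    Key: $path"
foreach ($n in $names) {
    $v = Get-DwordOrNull $path $n
    $state = if ($null -eq $v) { 'not set (default)' } else { "$v" }
    $flag = ''
    # Both of these are workarounds for a CRL publishing failure; while set,
    # a revoked smart-card or DC certificate may still be accepted at logon.
    if ($n -eq 'CRLValidityExtensionPeriod' -and $v -gt 0) {
        $flag = "WEAKENED: expired CRLs accepted up to $v hour(s) past NextUpdate"
    }
    if ($n -eq 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors' -and $v -eq 1) {
        $flag = 'WEAKENED: revocation-unknown errors ignored, cached CRL only'
    }
    Write-Output ('{0,-50} {1,-18} {2}' -f $n, $state, $flag)
}

if ($Apply) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    if ($Role -eq 'DC') {
        New-ItemProperty -Path $path -Name CRLValidityExtensionPeriod -PropertyType DWord -Value $ExtensionHours -Force | Out-Null
    } else {
        New-ItemProperty -Path $path -Name UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors -PropertyType DWord -Value 1 -Force | Out-Null
    }
    New-ItemProperty -Path $path -Name CRLTimeoutPeriod -PropertyType DWord -Value $TimeoutSeconds -Force | Out-Null
}
```

Run it without -Apply on every DC and smart-card client to see which machines still carry the workaround once CRL publishing is repaired; the flagged values should then be removed.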

toil...@gmail.com
Oct 22, 2008, 2:40:55 AM
Thank you Dave for your hint. It makes obviously more sense inside
that registry node.
It seems to be working now, even though at customer site we couldn't
actually reproduce the error.
Finally it was working once without registry keys on the client
machine. Maybe because the CRL is cached on the client?

The customer reported that he had to install SP3 and it seems to work
as well with the registry settings of KB887578.
I can't verify that at the moment.

I'll keep an eye on the issue there...

Alex
