ignore CRL during smart card logon (3rd party CA)
Posted on 2008-10-01
We're using smart cards (required) provided by a third party to log on to Windows. Every now and then the CRL retrieval fails, which obviously is not good. Usually a new CRL is successfully retrieved before the old CRL expires, but on two occasions it did not.
This meant that all users were locked out and only got an error message when they tried to log on to Windows.
So, to minimize the impact if this should happen again, I'd like to be able to ignore the expiration date of a CRL:
if a CRL exists, check it
if it's old, ignore it and let the users in
Yes, I am aware that this is a security issue, but it is only for a very limited time that a potential hacker/disgruntled employee could use it.
Is it at all possible to ignore CRL checking during Windows logon?
Is it possible to have the granularity I want?
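The policy the post asks for (use the CRL if one exists, keep letting users in for a bounded time after it goes stale, refuse only when nothing usable is left) can be written down independently of whether Windows exposes such a knob. The following is an added example, not code from the poster or from Windows: it reads thisUpdate/nextUpdate from a DER CertificateList with a small hand-rolled ASN.1 walker (standard library only) and returns a decision for a given clock time and grace window. The sample CRL is constructed inline and is unsigned; the parser does not verify signatures, so in a real deployment the CRL's signature must be checked against the issuing CA before any of this logic is trusted. The 24-hour grace window is an assumed value, not anything the post specifies.

```python
"""Stale-CRL grace policy: 'current' while inside the validity window,
'stale' (still consulted, but logged) for a bounded time after nextUpdate,
'deny' when there is no CRL or the grace window is exhausted."""
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder, used only to construct the sample CRL below ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return der(0x30, b"".join(items))

def utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_crl(this_update, next_update):
    """Constructed, UNSIGNED CertificateList with no revoked entries (sample only)."""
    sha256_rsa = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
    alg = seq(sha256_rsa, der(0x05, b""))
    cn = seq(der(0x06, bytes.fromhex("550403")), der(0x13, b"Sample CA"))  # CN=Sample CA
    issuer = seq(der(0x31, cn))
    tbs = seq(der(0x02, b"\x01"), alg, issuer, utctime(this_update), utctime(next_update))
    return seq(tbs, alg, der(0x03, b"\x00"))   # empty BIT STRING stands in for the signature

# ---- minimal DER decoder: just enough to reach the validity fields ----
def _tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    s = val.decode()
    if tag == 0x17:                       # UTCTime YYMMDDHHMMSSZ (RFC 5280 pivot at 50)
        yy = int(s[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                        int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)
    if tag == 0x18:                       # GeneralizedTime YYYYMMDDHHMMSSZ
        return datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                        int(s[10:12]), int(s[12:14]), tzinfo=timezone.utc)
    raise ValueError("unexpected Time tag %#x" % tag)

def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate or None). Signature is NOT verified here."""
    tag, body, _ = _tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs, _ = _tlv(body, 0)             # tbsCertList
    fields = _children(tbs)
    if fields[0][0] == 0x02:              # optional version INTEGER
        fields = fields[1:]
    # fields: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    this_update = _time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):
        next_update = _time(*fields[3])
    return this_update, next_update

def logon_decision(crl_der, now, grace=timedelta(hours=24)):
    """Decision for one logon attempt. `grace` (24h here) is an assumed policy value."""
    if crl_der is None:
        return "deny"                     # no CRL at all: nothing to check against
    this_update, next_update = crl_validity(crl_der)
    if now < this_update:
        return "deny"                     # not yet valid: clock skew or bogus CRL
    if next_update is None or now <= next_update:
        return "current"                  # normal case: enforce the CRL as usual
    if now <= next_update + grace:
        return "stale"                    # the post's case: still enforce, but do not lock everyone out
    return "deny"                         # grace window exhausted

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    crl = build_sample_crl(now - timedelta(days=8), now - timedelta(hours=2))
    print(crl_validity(crl), logon_decision(crl, now))
```

The 'stale' branch still applies the revocation list it has; what it gives up is only the guarantee that the list is fresh, which is exactly the exposure the post acknowledges. Logging that branch separately is what lets you measure how often the grace window is actually being used.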