Certification authority, how to prevent AD users from logging in with revoked certificates?
Good afternoon!
We deployed a certification center in the 2008 domain in order to transfer employees to smart card login. At the same time, we deployed an OCSP responder. During testing, it turned out that users are allowed into the domain even with revoked certificates. Revocation lists are published every hour, and we also tried publishing them manually. The revocation points are written in the certificate. OpenSSL returns a revoked status when checking an OCSP response.
Tell me where to dig?
The client is issued a certificate recorded on a smart card. He logs in without any problems. After that, we revoke the certificate in the certification authority. We publish a new revocation list.
Check if the certificate is in the revocation list.
The CA tells us that "This certificate has been revoked by the certification authority that issued it."
But the user quite calmly continues to log in using the revoked certificate.