Can OCSP Responder Cacheing be "Avoided"?

-

hello,
i've deployed online responder service in hope of getting fresher responses failing; environment 2008 ad, r2 enterprise subordinate cas , r2 online responders.

background: have 3 day crl + 3 day overlap (i want give me breathing space in case of ca failure).  on top of this, publish fresh crl every time certificate revoked.  i have set online responder retrieve crls every thirty minutes such "latest crls" used responder generating responses. 

however, aware online responder caches crls authoritative period , therefore won't bother using newer crl.  i can understand many circumstances totally sensible behaviour (performance, etc.) - situation i'd "force" responder use new crl.  this way i'd have "long crl" stop me having headache of ca failures, whilst having recent revocation status pushed out responder.

can give me advice on whether want achieve possible?  i've used tumbleweed validation authority in past , kind of thing not problem configure hoping can similar windows.

thanks, brian

because ocsp responder uses crls determine ocsp response, crl caching cannot turned off
i know many customers have made feature request, now, think of ocsp responses ms responder mini-crls
you need rething 3 day crl 3 day overlap design , come better method deal ca failure , crl publication
brian


Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering ...
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema ...
Read more

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authenticati...
Read more