Teijo Hämäläinen
Teijo Hämäläinen 09.09.2020 15:11 (GMT+3) Certificate Chaining Engine — how it works

I have always been a fan of your articles, because they are easy to follow, technically accurate and contain real life examples. Today I learned about how CCE works. Thanks again Vadims!

criffo 09.09.2020 10:59 (GMT+3) Efficient way to get AD user membership recursively with PowerShell

very nice presentation and good DFS implementation

I encountered the need as well because of RBAC and external trusts.
I developped as well a powershell function but based on a BFS and set parameters to take into account the scope search forest, domain, domain trusts forest trusts or explicit domains. I used the.net classes so no need for the RSAT and activedirectory module. I shared the function on my github for anyone who might have some interest as well

Vadims Podāns
Vadims Podāns 09.09.2020 10:52 (GMT+3) Designing CRL Distribution Points and Authority Information Access locations

What you are experiencing is expected behavior. CA publishes files one by one and if URL is failing, next will be attempted only after first URL is completed (either, published or failed).

Actually, DFS is the correct solution since it was intended to perform this task -> abstract clients from actual storage. What is behing DFS is completely irrelevant for clients.

AndrePKI 09.09.2020 10:35 (GMT+3) Designing CRL Distribution Points and Authority Information Access locations

Hi Vadims, do you have any experience in delays which occur when (delta) CRLs are published to two file locations (e.g. \\server1\... and \\server2\..) and one location is not available?

We find that the CRL is created in time, but not written to any location (LDAP, file, not even c:\system32\certenroll) until the attempt to the one file location times out (10 minutes, seems hardcoded).

This is because we have 2 OCSP responders behind an NLB and we didn't want to have any scheduled task or so to copy one file around (timing issues). Now we found this behaviour when one server went offline.

So publishing to a highly available storage location (e.g. netapp filer cluster) with a DFS share seems the only solution (we don't want to bother with Windows Server cluster and cluster shared volumes). Or do you see any other way to overcome such single failure of a file:// CDP location?

Jimmy Lind
Jimmy Lind 06.09.2020 16:24 (GMT+3) How ThisUpdate, NextUpdate and NextCRLPublish are calculated (v2)

CRLOverlapPeriodUnits should be CRLOverlapUnits