Identity with Windows Server 2016 — Question 44

Your network contains an Active Directory domain named contoso.com. Domain users use smart cards to sign in to their client computer.
Some users report that it takes a long time to sign in to their computer and that the logon attempt times out, so they must restart the sign in process. You discover that the issues to checking the certificate revocation list (CRL) of the smart card certificates.
You need to resolve the issue without diminishing the security of the smart card logons.
What should you do?

Answer options

• A. From the properties of the smart card's certificate template, modify the Request Handling settings.
• B. From the properties of the smart card's certificate template, modify the Issuance Requirements settings.
• C. Deactivate certificate revocation checks on the computers.
• D. Implement an Online Certification Status Protocol (OCSP) responder.

Correct answer: D

Explanation

The correct answer is D, as implementing an OCSP responder allows for real-time certificate status verification without relying solely on CRLs, reducing logon delays. Options A and B involve changes to the certificate template that may not directly address the revocation check issue. Option C would compromise security by bypassing necessary checks, which is not advisable.