When the SHV receives a validation request for a particular platform for the first time, the CertStore plug-in requests a certificate from the SCS and caches it so that it does not have to contact the SCS on subsequent validation requests. If the connection with the SCS uses TLS (the URL starts with “https”), the certificate request and response may take several seconds. This is longer than the default time (2 seconds) in which an SoH validation must complete. When the validation times out, the NPS reports that the SoH is non-compliant. As a result, the NAP system limits the ability of the Intel AMT platform to access the network. On subsequent requests, the CertStore plug-in uses the cached certificate and completes the validation before a timeout occurs. If the time between authentication cycles for a platform is very short (on the order of 4-8 seconds), there may be several cycles where the NPS reports non-compliance.
When TLS is not used, this phenomenon still occurs, but less frequently.
When the SHV is stopped and restarted, the certificate cache is purged, so a validation timeout may occur when the CertStore plug-in re-acquires the certificate.
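Because of this behavior, a non-compliant result that precedes a platform's first compliant result after an SHV start can be a certificate-fetch timeout rather than a real health failure. The following Python triage routine is an added example, not part of the Intel AMT SDK; the event record format, the `window` parameter, the labels, and the assumption that the cache lasts until the SHV restarts are illustrative, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float                 # seconds since start of capture
    kind: str                # "shv_start" or "verdict"
    platform: str = ""       # platform identifier (verdict events only)
    compliant: bool = False  # NPS result (verdict events only)

def triage(events, window=60.0):
    """Return {(t, platform): label} for every non-compliant verdict."""
    warm = set()    # platforms whose certificate is presumed cached
    pending = {}    # platform -> times of not-yet-explained non-compliant verdicts
    labels = {}
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "shv_start":
            warm.clear()                      # restart purges the certificate cache
        elif e.compliant:
            warm.add(e.platform)              # validation completed, so cert is cached
            for t in pending.pop(e.platform, []):
                ok = e.t - t <= window        # recovered quickly enough (assumed bound)
                labels[(t, e.platform)] = "cold-cache-suspect" if ok else "investigate"
        elif e.platform in warm:
            labels[(e.t, e.platform)] = "investigate"  # cache was warm: not this timeout
        else:
            pending.setdefault(e.platform, []).append(e.t)
    for p, times in pending.items():          # never followed by a compliant verdict
        for t in times:
            labels[(t, p)] = "investigate"
    return labels

# Constructed sample events (not real NPS output).
SAMPLE = [
    Event(0, "shv_start"),
    Event(1, "verdict", "amt-01", False),    # first request, cold cache
    Event(6, "verdict", "amt-01", False),    # short cycle, still cold
    Event(11, "verdict", "amt-01", True),
    Event(300, "verdict", "amt-01", False),  # cache warm, so not the timeout
    Event(305, "verdict", "amt-01", True),
    Event(400, "shv_start"),                 # cache purged
    Event(402, "verdict", "amt-01", False),
    Event(407, "verdict", "amt-01", True),
    Event(500, "verdict", "amt-02", False),  # never recovers
]

if __name__ == "__main__":
    for key, label in sorted(triage(SAMPLE).items()):
        print(key, label)
```

Only verdicts labeled `investigate` are unexplained by the cold-cache timeout; the `cold-cache-suspect` label is a hint for triage, not proof that the platform was healthy.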
Copyright © 2006-2022, Intel Corporation. All rights reserved.