When a user has their entitlements removed in Active Directory, a few steps need to take place before their certificates are revoked.
First, the Bridge needs to perform a synchronization to inform the service that the user’s entitlements have been removed.
The delay before that happens depends on the configured Bridge polling interval (30 seconds by default).
The synchronization process will immediately inform the certification authority, which will mark the certificate as being revoked.
When that user next attempts to log in, the client (and the domain controller, if the client is connected to the LAN) will perform an OCSP check if the last check was done outside the ‘grace’ period (currently 5 minutes, to allow for clock desynchronization between the local machine and the service).
So, with the default settings, it may take as much as 10 minutes from removing entitlements to actually blocking logon.
One other situation must be added here. If the OCSP service is unavailable (an internet connectivity failure, for example), then revocation checks will revert to the Certificate Revocation List published by the Bridge.
The CRL is currently refreshed with every Bridge synchronization, but the ‘grace’ period for CRL checks on client computers can be much longer – a week or more for off-premise logon.
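As an added illustration, not code from the original page or from the product it describes, the following Python model of the logon-time check described above shows how the OCSP ‘grace’ period and the CRL fallback each extend the window in which a revoked certificate is still accepted. The 7-day CRL grace value, the `ClientState` fields and the function names are assumptions; the 30-second poll and 5-minute grace come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values from the text; the 7-day CRL grace is an assumption ("a week or more").
BRIDGE_POLL = timedelta(seconds=30)
OCSP_GRACE = timedelta(minutes=5)
CRL_GRACE = timedelta(days=7)

@dataclass
class ClientState:
    last_ocsp_check: datetime   # last time the client obtained a fresh OCSP answer
    crl_issued: datetime        # issue time of the CRL the client currently holds

def ca_revocation_time(entitlements_removed: datetime, last_sync: datetime) -> datetime:
    """Time the CA marks the cert revoked: the first Bridge sync after removal."""
    t = last_sync
    while t < entitlements_removed:
        t += BRIDGE_POLL
    return t

def revocation_source(state: ClientState, now: datetime, ocsp_available: bool) -> str:
    """Which evidence the logon check relies on: 'cached', 'ocsp' or 'crl'."""
    if now - state.last_ocsp_check <= OCSP_GRACE:
        return "cached"          # inside the grace period: no new check is made
    return "ocsp" if ocsp_available else "crl"

def logon_allowed(state: ClientState, now: datetime, ocsp_available: bool,
                  revoked_at: Optional[datetime]) -> bool:
    """Does a logon at `now` succeed for a cert the CA revoked at `revoked_at` (None = valid)?"""
    source = revocation_source(state, now, ocsp_available)
    if source == "cached":
        return True                                   # stale answer is reused
    if source == "ocsp":
        state.last_ocsp_check = now                   # fresh OCSP answer is authoritative
        return revoked_at is None or revoked_at > now
    # CRL fallback: the held CRL is only replaced once it is older than the CRL grace;
    # the Bridge republishes it every sync, so a fresh copy lists revocations up to now.
    if now - state.crl_issued > CRL_GRACE:
        state.crl_issued = now
    return revoked_at is None or revoked_at > state.crl_issued
```

With OCSP reachable the revoked user is blocked once the 5-minute grace has elapsed; with OCSP unreachable and a CRL still inside its own grace, the same logon is accepted until that CRL is refreshed.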