I am familiar with CRL DP... but many products have a way
to have some "control" on caching this so that CRL
retrieval does not become an authentication throttle due to
CRL retrieval - especially if the CRL DP has not changed.
The information at URL
implies that IAS does indeed store a CRL (see the following).
"By default the IAS server uses the CRL distribution
points in the certificates. However, it is also possible
to store a local copy of the CRL on the IAS server. In
this case, the local CRL is used during certificate
revocation checking. If a new CRL is manually published to
the Active Directory, the local CRL on the IAS server is
not updated. The local CRL is updated when it expires.
This can create a situation wherein a certificate is
revoked, the CRL is manually published, but the IAS server
still allows the connection because the local CRL has not
yet been updated."
Which seems to imply both are possible.
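Added example, not part of the original post and not IAS code: a small model of the cached-CRL behaviour described in the quoted passage, showing a revoked certificate still being accepted until the local CRL copy expires. The class names, serial number, dates and 7-day validity period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime      # expiry of this CRL
    revoked: frozenset         # revoked serial numbers

class CachingChecker:
    """Hypothetical checker: keeps a local CRL and refetches only after expiry."""
    def __init__(self, fetch):
        self._fetch = fetch    # callable returning the currently published CRL
        self._cached = None

    def is_revoked(self, serial, now):
        if self._cached is None or now >= self._cached.next_update:
            self._cached = self._fetch()
        return serial in self._cached.revoked

def exposure_window(revoked_at, cached_crl):
    """Time during which a revoked cert is still accepted from the stale cache."""
    return max(cached_crl.next_update - revoked_at, timedelta(0))

def demo():
    t0 = datetime(2024, 1, 1)                      # constructed timeline
    first = Crl(t0, t0 + timedelta(days=7), frozenset())
    published = {"crl": first}
    checker = CachingChecker(lambda: published["crl"])
    serial = "1A2B"                                # constructed serial

    results = [checker.is_revoked(serial, t0 + timedelta(hours=1))]  # caches first CRL

    # Day 2: certificate revoked and a new CRL manually published.
    t_rev = t0 + timedelta(days=2)
    published["crl"] = Crl(t_rev, t_rev + timedelta(days=7), frozenset({serial}))

    # Cache has not expired, so the stale copy still answers "not revoked".
    results.append(checker.is_revoked(serial, t_rev + timedelta(hours=1)))
    # Once the cached CRL expires, the new CRL is fetched and the cert is rejected.
    results.append(checker.is_revoked(serial, first.next_update))
    return results, exposure_window(t_rev, first)

if __name__ == "__main__":
    print(demo())
```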