Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store
I am talking about Credential Roaming Service
This is what you need to deploy
http://technet2.microsoft.com/WindowsServe...004baa1033.mspx
Brian
"BillL" <wlawn@yahoo.com> wrote in message
news:aa9cf8e9-f466-4e4f-a9fe-30742f4fab82@m73g2000hsh.googlegroups.com...
On Apr 29, 11:26 am, "Brian Komar \(MVP\)"
<brian.komar.nos...@nospam.identit.ca> wrote:
> Some answers inline...
>
> "BillL" <wl...@yahoo.com> wrote in message
>
> news:f23b89e9-1ab6-436e-9654-04a445d35fa0@k37g2000hsf.googlegroups.com...
>
> > Hi,
>
> > I have a user cert set up for autoenrollment. The cert is published
> > in AD and the "Do not automatically reenroll if a duplicate
> > certificate exists in Active Directory" checkbox is checked. The CA
> > is a Windows 2003 Enterprise CA. Credential Roaming is also set up in
> > the environment.
>
> If you are using certificate roaming there really is no need to enable the
> "Do not automatically reenroll if a duplicate
> certificate exists in Active Directory".
>
> What type of certs are you issuing? Signing? Encryption?
>
>
> > Autoenrollment and credential roaming seem to be working fine but I do
> > encounter an issue when a workstation is reimaged or the certs are
> > deleted from the user's personal store on a workstation. After one of
> > these occurrences the user's personal store never gets a copy of the
> > user's existing certs on that workstation.
>
> Yes, this is due to the duplicate certificate in AD setting. If you
> manually delete the certificate in the user's store, this is the expected
> and proper behavior.
> You have chosen to explicitly delete the certificate from the store.
>
> A re-image should not have this behavior. Much like logging on to a new
> computer, the certificates will roam to the new profile on the new
> computer.
> Same as logging onto a new computer. Verify that CRS is correctly
> configured.
>
>
> > The only way to populate the store is to have them issued a new
> > certificate by deleting the user's certs from the CA and their AD
> > object. After this the autoenrollment process will populate the
> > personal store with a brand new user certificate.
>
> You do not have to delete the certs from the AD. You would have to delete
> them from the AD object though due to the certificate template setting.
>
>
> > I'd rather not generate a new cert each time. Is there a way to get
> > the existing certs automatically copied to the user's personal store
> > on a workstation?
>
> It should work if you re-image the computer. If the user or help desk is
> telling the user to delete the certificate from the store, then you have
> deleted the certificate and will have to re-enroll.
>
>
> > Thanks for your help.
> > Bill
Hi Brian,
Thanks for your assistance.
I had checked the "Do not automatically reenroll if a duplicate
certificate exists in AD" check box because users were getting
multiple certs if I didn't have this checked. I was trying to
minimize the number of certs that were generated for each user.
The cert purpose is "Signature and Encryption". The Description of
Application Policies shows Encrypting File System, Secure Email and
Client Authentication. We are currently only using it for client
authentication.
When you say "verify that CRS is correctly configured" are you talking
about the group policy settings for enabling autoenrollment? If so I
do not have "Automatic Certificate Request Settings" configured. I do
have "Autoenrollment Settings" configured for users and computers at
the domain level. These are set to "Enroll certificates
automatically". I have both the "Renew expired certificates, ..." and
"Update certificates that use templates" checked.
By the way your book has been a great help to me as well.
Thanks again.
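An added example, not posted by either participant: a PowerShell script to run as the affected user on the workstation showing the symptom. It decodes the user and computer autoenrollment policy (the AEPolicy registry value behind "Autoenrollment Settings"), compares the certificates published on the user's AD object (the userCertificate attribute written by "Publish certificate in Active Directory") against the CurrentUser\My store, and reports whether the AD object carries credential roaming data. The roaming attribute names (msPKIAccountCredentials, msPKI-DPAPIMasterKeys) and the AEPolicy flag bits are taken from the documented schema and policy values and are stated here as assumptions; nothing depends on the truncated TechNet link above.

```powershell
# Added example, not from the thread. Run as the affected user on a
# domain-joined workstation with a reachable DC; no extra modules needed.

function Get-AutoEnrollmentPolicy {
    # AEPolicy flag bits, assumed from the documented autoenrollment policy:
    #   0x0001  "Update certificates that use certificate templates"
    #   0x0002  "Renew expired certificates ... remove revoked" (My store mgmt)
    #   0x0004  update pending certificates
    #   0x8000  autoenrollment disabled
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
        $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{
            Scope          = if ($hive -eq 'HKCU') { 'User' } else { 'Computer' }
            AEPolicy       = if ($null -eq $v) { 'not configured' } else { '0x{0:X4}' -f $v }
            Disabled       = ($v -band 0x8000) -ne 0
            TemplateUpdate = ($v -band 0x0001) -ne 0
            StoreMgmt      = ($v -band 0x0002) -ne 0
        }
    }
}

function Get-AdUserPkiState {
    param([string]$SamAccountName = $env:USERNAME)
    # userCertificate holds the certs published to AD by the template.
    # msPKIAccountCredentials / msPKI-DPAPIMasterKeys hold the credential
    # roaming blobs (attribute names assumed from the roaming schema).
    $s = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@(
        'userCertificate', 'msPKIAccountCredentials', 'msPKI-DPAPIMasterKeys'))
    $r = $s.FindOne()
    if (-not $r) { throw "User $SamAccountName not found in AD" }
    # Result property names come back lower-cased; each value is a DER byte[].
    $certs = foreach ($raw in $r.Properties['usercertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$raw)
    }
    [pscustomobject]@{
        PublishedCerts   = @($certs)
        RoamingCredBlobs = @($r.Properties['mspkiaccountcredentials']).Count
        RoamingDpapiKeys = @($r.Properties['mspki-dpapimasterkeys']).Count
    }
}

function Compare-PublishedToStore {
    # One row per cert published in AD: is it in CurrentUser\My, and with a key?
    # InLocalStore=False on an unexpired cert is the symptom from the thread:
    # the template's "do not reenroll if a duplicate exists in AD" suppresses a
    # fresh enrollment, so only credential roaming can bring the key back.
    $ad    = Get-AdUserPkiState
    $local = Get-ChildItem Cert:\CurrentUser\My
    foreach ($c in $ad.PublishedCerts) {
        $inStore = $local | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
        [pscustomobject]@{
            Subject       = $c.Subject
            NotAfter      = $c.NotAfter
            Expired       = $c.NotAfter -lt (Get-Date)
            InLocalStore  = [bool]$inStore
            HasPrivateKey = if ($inStore) { [bool]$inStore.HasPrivateKey } else { $false }
            Thumbprint    = $c.Thumbprint
        }
    }
}

Get-AutoEnrollmentPolicy | Format-Table -AutoSize
$state = Get-AdUserPkiState
'Roaming data on AD object: credential blobs={0}, DPAPI master keys={1}' -f `
    $state.RoamingCredBlobs, $state.RoamingDpapiKeys
Compare-PublishedToStore | Format-Table -AutoSize
```

Read the output together: a published, unexpired cert with InLocalStore False and RoamingCredBlobs of 0 means the user's key was never roamed, so nothing can restore it short of re-enrollment; InLocalStore True with HasPrivateKey False means only the public certificate came down. After fixing policy, `certutil -user -pulse` triggers a user autoenrollment pass (and with it the roaming client) without waiting for the next logon.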