Certificates, Autoenrollment, Credential Roaming and User's PersonalStore


Guest BillL
Posted

Hi,

I have a user cert set up for autoenrollment. The cert is published in AD and the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" checkbox is checked. The CA is a Windows 2003 Enterprise CA. Credential Roaming is also set up in the environment.

Autoenrollment and credential roaming seem to be working fine but I do encounter an issue when a workstation is reimaged or the certs are deleted from the user's personal store on a workstation. After one of these occurrences the user's personal store never gets a copy of the user's existing certs on that workstation.

The only way to populate the store is to have them issued a new certificate by deleting the user's certs from the CA and their AD object. After this the autoenrollment process will populate the personal store with a brand new user certificate.

I'd rather not generate a new cert each time. Is there a way to get the existing certs automatically copied to the user's personal store on a workstation?

Thanks for your help.

Bill

Guest Brian Komar (MVP)
Posted

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

Some answers inline...

"BillL" <wlawn@yahoo.com> wrote in message
news:f23b89e9-1ab6-436e-9654-04a445d35fa0@k37g2000hsf.googlegroups.com...

> Hi,
>
> I have a user cert set up for autoenrollment. The cert is published
> in AD and the "Do not automatically reenroll if a duplicate
> certificate exists in Active Directory" checkbox is checked. The CA
> is a Windows 2003 Enterprise CA. Credential Roaming is also set up in
> the environment.

If you are using certificate roaming there really is no need to enable the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" setting.

What type of certs are you issuing? Signing? Encryption?

> Autoenrollment and credential roaming seem to be working fine but I do
> encounter an issue when a workstation is reimaged or the certs are
> deleted from the user's personal store on a workstation. After one of
> these occurrences the user's personal store never gets a copy of the
> user's existing certs on that workstation.

Yes, this is due to the duplicate certificate in AD setting. If you manually delete the certificate in the user's store, this is the expected and proper behavior. You have chosen to explicitly delete the certificate from the store.

A re-image should not have this behavior. Much like logging on to a new computer, the certificates will roam to the new profile on the new computer. Same as logging onto a new computer. Verify that CRS is correctly configured.

> The only way to populate the store is to have them issued a new
> certificate by deleting the user's certs from the CA and their AD
> object. After this the autoenrollment process will populate the
> personal store with a brand new user certificate.

You do not have to delete the certs from the AD. You would have to delete them from the AD object though due to the certificate template setting.

> I'd rather not generate a new cert each time. Is there a way to get
> the existing certs automatically copied to the user's personal store
> on a workstation?

It should work if you re-image the computer. If the user or help desk is telling the user to delete the certificate from the store, then you have deleted the certificate and will have to re-enroll.

> Thanks for your help.
> Bill

Guest BillL
Posted

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

 

On Apr 29, 11:26 am, "Brian Komar (MVP)" <brian.komar.nos...@nospam.identit.ca> wrote:

> If you are using certificate roaming there really is no need to enable the
> "Do not automatically reenroll if a duplicate
> certificate exists in Active Directory" .
>
> What type of certs are you issuing? Signing? Encryption?
>
> A re-image should not have this behavior. Much like logging on to a new
> computer, the certificates will roam to the new profile on the new computer.
> Same as logging onto a new computer. Verify that CRS is correctly
> configured.

 

Hi Brian,

Thanks for your assistance.

I had checked the "Do not automatically reenroll if a duplicate certificate exists in AD" check box because users were getting multiple certs if I didn't have this checked. I was trying to minimize the number of certs that were generated for each user.

The cert purpose is "Signature and Encryption". The Description of Application Policies shows Encrypting File System, Secure Email and Client Authentication. We are currently only using it for client authentication.

When you say "verify that CRS is correctly configured" are you talking about the group policy settings for enabling autoenrollment? If so I do not have "Automatic Certificate Request Settings" configured. I do have "Autoenrollment Settings" configured for users and computers at the domain level. These are set to "Enroll Certificates automatically". I have both the "Renew expired certificates, ..." and "Update certificates that use templates" checked.

By the way your book has been a great help to me as well.

Thanks again.
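Brian's explanation above (with the template's "duplicate certificate exists in AD" option set, autoenrollment skips any user whose AD object already carries a certificate from that template, so a cert deleted from the local store is never reissued) and Bill's description of his template and GPO settings can both be checked from the affected workstation. The PowerShell below is an added diagnostic, not code from the thread or from Microsoft: it decodes the relevant bits of the template's msPKI-Enrollment-Flag (bit values as given in the MS-CRTD template specification) and compares the certificates published on the user's AD object with what is in the CurrentUser\My store. It assumes the RSAT ActiveDirectory module is installed, that it runs as the affected user on the affected workstation, and uses the placeholder template name 'UserAuth'.

```powershell
# Added diagnostic (not from the original thread). Assumes RSAT ActiveDirectory
# and that it runs as the affected user on the affected workstation.
param(
    [string]$TemplateName   = 'UserAuth',       # placeholder: your user template's CN
    [string]$SamAccountName = $env:USERNAME
)

Import-Module ActiveDirectory

# msPKI-Enrollment-Flag bits (values per MS-CRTD); only the ones that matter here.
$CT_FLAG_PUBLISH_TO_DS                             = 0x00000008   # "Publish certificate in Active Directory"
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010   # "Do not automatically reenroll if a duplicate certificate exists in AD"
$CT_FLAG_AUTO_ENROLLMENT                           = 0x00000020   # template allows autoenrollment at all

# Templates live in the Configuration partition, not in the domain partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $tmplBase -Filter "cn -eq '$TemplateName'" `
                     -Properties 'msPKI-Enrollment-Flag'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $tmplBase" }

$flags = [int]$tmpl.'msPKI-Enrollment-Flag'
Write-Host ("Template {0}: msPKI-Enrollment-Flag = 0x{1:X8}" -f $TemplateName, $flags)
Write-Host ("  Publish to AD                  : {0}" -f [bool]($flags -band $CT_FLAG_PUBLISH_TO_DS))
Write-Host ("  Autoenroll                     : {0}" -f [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT))
Write-Host ("  Skip if duplicate already in AD: {0}" -f [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE))

# The certificates the duplicate check looks at: the user object's userCertificate attribute.
$user    = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$adCerts = @()
foreach ($raw in $user.userCertificate) {
    # The leading comma passes the byte[] as one constructor argument.
    $adCerts += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
}

# What this profile actually holds on this workstation.
$localCerts  = @(Get-ChildItem Cert:\CurrentUser\My)
$adThumbs    = @($adCerts    | ForEach-Object Thumbprint)
$localThumbs = @($localCerts | ForEach-Object Thumbprint)

Write-Host "`nPublished on the AD object but missing from CurrentUser\My"
Write-Host "(with the duplicate flag set, autoenrollment will NOT reissue these):"
$adCerts | Where-Object { $localThumbs -notcontains $_.Thumbprint } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

Write-Host "Present both in AD and locally (roamed here or enrolled here):"
$localCerts | Where-Object { $adThumbs -contains $_.Thumbprint } |
    Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
```

If the first table is non-empty and the third flag reads True, the behaviour Bill sees is exactly what the template asks for: the AD object still has the certificate, so the autoenrollment client treats the user as already enrolled, and only credential roaming (or a manual import of the key pair) can put it back into the local store. On Windows Vista and later, `certutil -pulse` kicks off an autoenrollment pass immediately so the comparison can be re-run without waiting for the next policy refresh.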

Guest Brian Komar (MVP)
Posted

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

I am talking about the Credential Roaming Service. This is what you need to deploy:

http://technet2.microsoft.com/WindowsServe...004baa1033.mspx

Brian

"BillL" <wlawn@yahoo.com> wrote in message
news:aa9cf8e9-f466-4e4f-a9fe-30742f4fab82@m73g2000hsh.googlegroups.com...

> When you say "verify that CRS is correctly configured" are you talking
> about the group policy settings for enabling autoenrollment? If so I
> do not have "Automatic Certificate Request Settings" configured. I do
> have "Autoenrollment Settings" configured for users and computers at
> the domain level. These are set to "Enroll Certificates
> automatically". I have both the "Renew expired certificates, ..." and
> "Update certificates that use templates" checked.

Guest BillL
Posted

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

 

On Apr 30, 2:04 am, "Brian Komar (MVP)" <brian.komar.nos...@nospam.identit.ca> wrote:

> I am talking about Credential Roaming Service
> This is what you need to deploy
> http://technet2.microsoft.com/WindowsServer/en/Library/673d5152-1bc8-...
> Brian

 

I didn't make the connection between CRS and Credential Roaming Services. Yes, I have implemented that and it seems to be working in most cases. When we reimage a workstation, it is reimaged with the same computer name. Could that affect whether the user certificates are copied down to the "new" workstation?

Thanks.
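Before looking for a cause on the reimaged workstation, it is worth confirming that roaming has actually happened for that user at all: that the Credential Roaming service has written the user's keys and certificates to the user object in AD, and that this workstation has pulled them down. The PowerShell below is an added check, not code from the thread; it assumes the RSAT ActiveDirectory module, that it runs as the affected user on the workstation in question, and that the roaming attribute names (msPKIRoamingTimeStamp, msPKIAccountCredentials, msPKIDPAPIMasterKeys) and the Windows Vista and later operational event log name it reads are correct as written; both are marked as assumptions in the code.

```powershell
# Added check (not from the original thread). Assumes RSAT ActiveDirectory and
# that it runs as the affected user on the (reimaged) workstation.
param([string]$SamAccountName = $env:USERNAME)

Import-Module ActiveDirectory

# Attributes the Credential Roaming service maintains on the user object
# (attribute names are an assumption; verify against your schema).
$roamProps = 'msPKIRoamingTimeStamp', 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys'
$u = Get-ADUser -Identity $SamAccountName -Properties $roamProps

$stamped   = [bool]$u.msPKIRoamingTimeStamp
$credCount = @($u.msPKIAccountCredentials | Where-Object { $_ }).Count
$keyCount  = @($u.msPKIDPAPIMasterKeys    | Where-Object { $_ }).Count

Write-Host ("AD object {0}:" -f $u.DistinguishedName)
Write-Host ("  msPKIRoamingTimeStamp present : {0}" -f $stamped)
Write-Host ("  msPKIAccountCredentials values: {0}" -f $credCount)
Write-Host ("  msPKIDPAPIMasterKeys values   : {0}" -f $keyCount)

if (-not $stamped -or $credCount -eq 0) {
    Write-Warning "Nothing has roamed up for this user yet; the roaming policy or the source workstation needs attention before the reimaged one."
}

# What this profile holds locally; a roamed cert should arrive with its private key.
$local = @(Get-ChildItem Cert:\CurrentUser\My)
$withKey = @($local | Where-Object HasPrivateKey).Count
Write-Host ("`nCurrentUser\My on {0}: {1} certificate(s), {2} with a private key" -f $env:COMPUTERNAME, $local.Count, $withKey)
$local | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize

# Recent local roaming activity (Windows Vista and later; the log name is an assumption).
$logName = 'Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational'
try {
    Get-WinEvent -LogName $logName -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap -AutoSize
} catch {
    Write-Warning "Could not read '$logName': $($_.Exception.Message)"
}
```

A user object with a timestamp and several credential values but a local store with no private keys points at the download side (policy not applying to that machine or profile, or the user having logged on before the roaming policy reached the new image); an AD object with nothing roamed points at the upload side and has nothing to do with the reimage or the reused computer name.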
