Duplicate User Certificates

BillL

Hi,

I'm running a Windows Server 2003 Enterprise CA with an offline root.
I duplicated the AutoEnrolled User cert template to create
certificates for our Active Directory users. This seems to be working
fine but when I look at Issued Certificates in my CA I see that users
are being issued multiple certs even though the certs don't expire
until 1 year later. I don't understand why multiple certs would be
issued. Is this normal behavior?

Thanks.
 
BillL

On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
> Hi,
>
> I'm running a Windows Server 2003 Enterprise CA with an offline root.
> I duplicated the AutoEnrolled User cert template to create
> certificates for our Active Directory users. This seems to be working
> fine but when I look at Issued Certificates in my CA I see that users
> are being issued multiple certs even though the certs don't expire
> until 1 year later. I don't understand why multiple certs would be
> issued. Is this normal behavior?
>
> Thanks.


Based on the rmd and ccm certificate attributes, it looks like the
certificates are being generated for each workstation that the user
logs onto. Since the certs are being stored in AD, is there a way to
force the use of a single cert per user?
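One way to see exactly who holds more than one unexpired certificate from the duplicated template is to query the CA database with certutil and group the issued rows by requester. The script below is an added example, not code from anyone in the thread; the CA config string and the template name are placeholders for your own environment, and it assumes PowerShell 2.0 or later on a machine that can reach the CA and an account allowed to read the CA database.

```powershell
# Added example: list issued, unexpired certificates from the CA database,
# grouped by requester, so users with more than one certificate from a given
# template stand out. $CAConfig and $TemplateMatch are placeholders.
function Get-DuplicateUserCertificates {
    param(
        [string]$CAConfig = 'CA01.corp.example\Corp Issuing CA',  # "<host>\<CA name>" (placeholder)
        [string]$TemplateMatch = 'User'   # name or OID substring of the duplicated template (placeholder)
    )

    # Disposition=20 means "issued". -out fixes the column order so the
    # columns can be named locally instead of relying on the localized header.
    $raw = & certutil.exe -config $CAConfig -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber' csv

    # Drop blank lines, certutil's trailing status line and the header row,
    # then parse the remaining CSV rows.
    $rows = $raw |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,Requester,Template,NotBefore,NotAfter,Serial

    # NotAfter is emitted in the machine's locale date format; the [datetime]
    # cast assumes that format is parseable on this machine.
    $now = Get-Date
    $rows |
        Where-Object { $_.Template -match [regex]::Escape($TemplateMatch) -and
                       [datetime]$_.NotAfter -gt $now } |
        Group-Object Requester |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Requester  = $_.Name
                Count      = $_.Count
                RequestIDs = ($_.Group | ForEach-Object { $_.RequestID }) -join ','
            }
        }
}

# The rmd / ccm values (the requesting machine) live in the request
# attributes table, which can be dumped per request id (assumed invocation):
#   certutil -config $CAConfig -view -restrict "RequestID=<id>" Attrib

Get-DuplicateUserCertificates | Format-Table Requester, Count, RequestIDs -AutoSize
```

Run it against the issuing CA; every requester listed with a Count above 1 is a user who enrolled again on another workstation, and the RequestIDs column gives you the rows to inspect in the Attrib table.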
 
S. Pidgorny

New certificates won't be issued if the user receives their own roaming
profile, incorporating certificates and "soft" private keys.

Active Directory generally doesn't store certificates, and certainly not for
the purpose of user authentication or certificate issuance tracking.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"BillL" <wlawn@yahoo.com> wrote in message
news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
> On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
>> Hi,
>>
>> I'm running a Windows Server 2003 Enterprise CA with an offline root.
>> I duplicated the AutoEnrolled User cert template to create
>> certificates for our Active Directory users. This seems to be working
>> fine but when I look at Issued Certificates in my CA I see that users
>> are being issued multiple certs even though the certs don't expire
>> until 1 year later. I don't understand why multiple certs would be
>> issued. Is this normal behavior?
>>
>> Thanks.
>
> Based on the rmd and ccm certificate attributes, it looks like the
> certificates are being generated for each workstation that the user
> logs onto. Since the certs are being stored in AD, is there a way to
> force the use of a single cert per user?
>
>
 
Brian Komar

Further to Slav's answer, look at the Credential Roaming Service. Think of
it as roaming profiles for certificates and other security attributes. This
would prevent your re-enrollment, as the user would download the
certificates from AD at any new computer.

This is the one case where certificate information *is* stored in AD for the
purpose of roaming to client computers.
For details, see Configuring and Troubleshooting Certificate Services
Client-Credential Roaming
at
http://www.microsoft.com/technet/se...edential-roaming/terminology-assumptions.mspx

Brian

"BillL" <wlawn@yahoo.com> wrote in message
news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
> On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
>> Hi,
>>
>> I'm running a Windows Server 2003 Enterprise CA with an offline root.
>> I duplicated the AutoEnrolled User cert template to create
>> certificates for our Active Directory users. This seems to be working
>> fine but when I look at Issued Certificates in my CA I see that users
>> are being issued multiple certs even though the certs don't expire
>> until 1 year later. I don't understand why multiple certs would be
>> issued. Is this normal behavior?
>>
>> Thanks.
>
> Based on the rmd and ccm certificate attributes, it looks like the
> certificates are being generated for each workstation that the user
> logs onto. Since the certs are being stored in AD, is there a way to
> force the use of a single cert per user?
>
>
 
BillL

On Jul 26, 8:37 am, "Brian Komar" <brian.ko...@nospam.identit.ca>
wrote:
> Further to Slav's answer, look at the Credential Roaming Service. Think of
> it as roaming profiles for certificates and other security attributes. This
> would prevent your re-enrollment, as the user would download the
> certificates from AD at any new computer.
>
> This is the one case where certificate information *is* stored in AD for the
> purpose of roaming to client computers
> For details, see Configuring and Troubleshooting Certificate Services
> Client-Credential Roaming
> at http://www.microsoft.com/technet/security/guidance/cryptographyetc/cl...
>
> Brian
>
> "BillL" <wl...@yahoo.com> wrote in message
> news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
> > On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
> >> Hi,
> >>
> >> I'm running a Windows Server 2003 Enterprise CA with an offline root.
> >> I duplicated the AutoEnrolled User cert template to create
> >> certificates for our Active Directory users. This seems to be working
> >> fine but when I look at Issued Certificates in my CA I see that users
> >> are being issued multiple certs even though the certs don't expire
> >> until 1 year later. I don't understand why multiple certs would be
> >> issued. Is this normal behavior?
> >>
> >> Thanks.
> >
> > Based on the rmd and ccm certificate attributes, it looks like the
> > certificates are being generated for each workstation that the user
> > logs onto. Since the certs are being stored in AD, is there a way to
> > force the use of a single cert per user?


I've implemented Client-Credential Roaming. When I open the
Certificates MMC on a workstation for a user, shouldn't all the certs
under the Active Directory User Object - Certificates also be listed
under Personal - Certificates? It seems like I am still getting a
cert for each workstation that I log onto and this is shown under the
Personal - Certificates. From what I've read I expected that the AD
store and the personal store would synch up.

Thanks for your help.
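To check what the two stores actually contain on a given workstation, the script below (an added example, written for this thread rather than by any of the posters) reads the logged-on user's AD object and diffs it against Cert:\CurrentUser\My. It reads userCertificate, which is the attribute the Certificates MMC shows as "Active Directory User Object - Certificates", and separately reports whether Credential Roaming has ever written to the user, since roaming keeps its own copy in msPKIAccountCredentials and stamps msPKIRoamingTimeStamp when it syncs. It assumes a domain-joined client with PowerShell 2.0 or later and the default permission to read your own user object; the msPKI attributes only exist once the Credential Roaming schema update has been applied.

```powershell
# Added example: compare the current user's Personal store with the
# certificates published on the user's AD object, and report whether
# Credential Roaming has synced this user at all.
function Compare-UserCertificateStores {
    param([string]$SamAccountName = $env:USERNAME)

    # Default SearchRoot is the logged-on domain's default naming context.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    [void]$searcher.PropertiesToLoad.Add('msPKIRoamingTimeStamp')
    [void]$searcher.PropertiesToLoad.Add('msPKIAccountCredentials')
    $user = $searcher.FindOne()
    if ($user -eq $null) { throw "No AD user named $SamAccountName" }

    # Each userCertificate value is one DER-encoded certificate.
    $adThumbprints = @()
    foreach ($der in $user.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$der)
        $adThumbprints += $cert.Thumbprint
    }

    # Personal store of the logged-on user on this workstation.
    $localThumbprints = @(Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { $_.Thumbprint })

    # Credential Roaming state: the timestamp is set once roaming has written
    # to AD; msPKIAccountCredentials holds the roamed certificates and keys.
    $roamed = $user.Properties.Contains('mspkiroamingtimestamp') -and
              $user.Properties['mspkiroamingtimestamp'].Count -gt 0
    $credCount = 0
    if ($user.Properties.Contains('mspkiaccountcredentials')) {
        $credCount = $user.Properties['mspkiaccountcredentials'].Count
    }

    New-Object PSObject -Property @{
        User              = $SamAccountName
        PersonalStore     = $localThumbprints.Count
        ADUserCertificate = $adThumbprints.Count
        OnlyInPersonal    = @($localThumbprints | Where-Object { $adThumbprints -notcontains $_ })
        OnlyInAD          = @($adThumbprints | Where-Object { $localThumbprints -notcontains $_ })
        RoamingHasSynced  = $roamed
        RoamedCredentials = $credCount
    }
}

Compare-UserCertificateStores | Format-List
```

RoamingHasSynced false, or RoamedCredentials at zero, means the roaming policy has not taken effect for this user yet, regardless of what userCertificate holds; OnlyInPersonal lists the per-workstation certificates that were enrolled locally and never published to the user object.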
 