Certificates, Autoenrollment, Credential Roaming and User's Personal Store

BillL

Hi,

I have a user cert set up for autoenrollment. The cert is published
in AD and the "Do not automatically reenroll if a duplicate
certificate exists in Active Directory" checkbox is checked. The CA
is a Windows 2003 Enterprise CA. Credential Roaming is also set up in
the environment.

Autoenrollment and credential roaming seem to be working fine but I do
encounter an issue when a workstation is reimaged or the certs are
deleted from the user's personal store on a workstation. After one of
these occurrences the user's personal store never gets a copy of the
user's existing certs on that workstation.

The only way to populate the store is to have them issued a new
certificate by deleting the user's certs from the CA and their AD
object. After this the autoenrollment process will populate the
personal store with a brand new user certificate.

I'd rather not generate a new cert each time. Is there a way to get
the existing certs automatically copied to the user's personal store
on a workstation?

Thanks for your help.
Bill
 

Brian Komar (MVP)

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

Some answers inline...

"BillL" <wlawn@yahoo.com> wrote in message
news:f23b89e9-1ab6-436e-9654-04a445d35fa0@k37g2000hsf.googlegroups.com...
> Hi,
>
> I have a user cert set up for autoenrollment. The cert is published
> in AD and the "Do not automatically reenroll if a duplicate
> certificate exists in Active Directory" checkbox is checked. The CA
> is a Windows 2003 Enterprise CA. Credential Roaming is also set up in
> the environment.


If you are using certificate roaming there really is no need to enable the
"Do not automatically reenroll if a duplicate
certificate exists in Active Directory" .

What type of certs are you issuing? Signing? Encryption?
>
> Autoenrollment and credential roaming seem to be working fine but I do
> encounter an issue when a workstation is reimaged or the certs are
> deleted from the user's personal store on a workstation. After one of
> these occurrences the user's personal store never gets a copy of the
> user's existing certs on that workstation.


Yes, this is due to the duplicate certificate in AD setting. If you manually
delete the certificate in the user's store, this is the expected and proper
behavior.
You have chosen to explicitly delete the certificate from the store.

A re-image should not have this behavior. Much like logging on to a new
computer, the certificates will roam to the new profile on the new computer.
Same as logging onto a new computer. Verify that CRS is correctly
configured.

>
> The only way to populate the store is to have them issued a new
> certificate by deleting the user's certs from the CA and their AD
> object. After this the autoenrollment process will populate the
> personal store with a brand new user certificate.


You do not have to delete the certs from the AD. You would have to delete
them from the AD object though due to the certificate template setting.

>
> I'd rather not generate a new cert each time. Is there a way to get
> the existing certs automatically copied to the user's personal store
> on a workstation?


It should work if you re-image the computer. If the user or help desk is
telling the user to delete the certificate from the store, then you have
deleted the certificate and will have to re-enroll.

>
> Thanks for your help.
> Bill
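Brian's diagnosis hinges on one comparison: what is published on the user's AD object (the userCertificate attribute that the "duplicate certificate exists in Active Directory" check looks at) versus what actually sits in the user's personal store on the workstation in front of you. The PowerShell below is an added example, not code from the thread or from either poster; it runs that comparison on a domain-joined workstation for the logged-on domain user. The ADSI query, the Cert: drive and the Microsoft certificate template extension OIDs are standard; the function names are illustrative.

```powershell
# Added example, not from the thread. Compares the certificates published on the
# logged-on user's AD object (userCertificate attribute) with what is present in
# Cert:\CurrentUser\My on this workstation, and flags unexpired certificates that
# exist in AD but are missing locally, which is exactly the symptom in the thread.
# Assumes a domain-joined workstation and a domain logon.

# Microsoft certificate template extensions: v2/v3 template information, v1 template name
$TemplateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-PublishedUserCertificate {
    param([string]$SamAccountName = $env:USERNAME)

    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD user object found for '$SamAccountName'." }

    foreach ($der in $result.Properties['usercertificate']) {
        # Each attribute value is one DER-encoded certificate
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $ext = $Certificate.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { ($ext.Format($false) -replace '\s+', ' ').Trim() } else { '(no template extension)' }
}

function Compare-UserCertificateStore {
    param([string]$SamAccountName = $env:USERNAME)

    $published = @(Get-PublishedUserCertificate -SamAccountName $SamAccountName)
    $local     = @(Get-ChildItem Cert:\CurrentUser\My)

    foreach ($cert in $published) {
        # Thumbprint (SHA-1 of the DER) identifies the same certificate in both places
        $copy = $local | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Template        = Get-TemplateInfo -Certificate $cert
            NotAfter        = $cert.NotAfter
            Thumbprint      = $cert.Thumbprint
            InPersonalStore = [bool]$copy
            HasPrivateKey   = $(if ($copy) { $copy.HasPrivateKey } else { $false })
        }
    }
}

$report = Compare-UserCertificateStore
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.InPersonalStore -and $_.NotAfter -gt (Get-Date) })
if ($missing.Count -gt 0) {
    $msg = "$($missing.Count) unexpired certificate(s) are published in AD but absent from this " +
           "workstation's personal store. With the duplicate-in-AD template check set, " +
           "autoenrollment will not issue a replacement; credential roaming is what should " +
           "deliver them, so verify the CRS policy for this user before deleting anything."
    Write-Warning $msg
}
```

Run it in the affected user's session on the reimaged workstation. A row with InPersonalStore false for an unexpired certificate confirms Brian's point: autoenrollment is correctly declining to duplicate, and the missing piece is roaming, not enrollment. A row that is present but with HasPrivateKey false points at the key (not the certificate) failing to roam, which is a different thing to chase than the template setting.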
 

BillL

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

On Apr 29, 11:26 am, "Brian Komar (MVP)"
<brian.komar.nos...@nospam.identit.ca> wrote:


Hi Brian,

Thanks for your assistance.

I had checked the "Do not automatically reenroll if a duplicate
certificate exists in AD" check box because users were getting
multiple certs if I didn't have this checked. I was trying to
minimize the number of certs that were generated for each user.

The cert purpose is "Signature and Encryption". The Description of
Application Policies shows Encrypting File System, Secure Email and
Client Authentication. We are currently only using it for client
authentication.

When you say "verify that CRS is correctly configured" are you talking
about the group policy settings for enabling autoenrollment? If so I
do not have "Automatic Certificate Request Settings" configured. I do
have "Autoenrollment Settings" configured for users and computers at
the domain level. These are set to "Enroll Certificates
automatically". I have both the "Renew expired certificates, ..." and
"Update certificates that use templates" checked.

By the way your book has been a great help to me as well.

Thanks again.
 

Brian Komar (MVP)

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

I am talking about Credential Roaming Service.
This is what you need to deploy:
http://technet2.microsoft.com/WindowsServer/en/Library/673d5152-1bc8-49eb-bfd1-990b0a004baa1033.mspx
Brian

"BillL" <wlawn@yahoo.com> wrote in message
news:aa9cf8e9-f466-4e4f-a9fe-30742f4fab82@m73g2000hsh.googlegroups.com...
 

BillL

Re: Certificates, Autoenrollment, Credential Roaming and User's Personal Store

On Apr 30, 2:04 am, "Brian Komar (MVP)"
<brian.komar.nos...@nospam.identit.ca> wrote:
> I am talking about Credential Roaming Service
> This is what you need to deploy
> http://technet2.microsoft.com/WindowsServer/en/Library/673d5152-1bc8-...
> Brian


I didn't make the reference of CRS to Credential Roaming Services.
Yes, I have implemented that and it seems to be working in most
cases. When we reimage a workstation, it is reimaged with the same
computer name. Could that affect whether the user certificates are
copied down to the "new" workstation?

Thanks.
 