BillL
Wed Apr 30 13:27:19 CDT 2008
On Apr 30, 2:04 am, "Brian Komar \(MVP\)"
<brian.komar.nos...@nospam.identit.ca> wrote:
> I am talking about Credential Roaming Service
> This is what you need to deploy
> http://technet2.microsoft.com/WindowsServer/en/Library/673d5152-1bc8-...
> Brian
>
> "BillL" <wl...@yahoo.com> wrote in message
>
> news:aa9cf8e9-f466-4e4f-a9fe-30742f4fab82@m73g2000hsh.googlegroups.com...
> On Apr 29, 11:26 am, "Brian Komar \(MVP\)"
> <brian.komar.nos...@nospam.identit.ca> wrote:
> > Some answers inline...
>
> > "BillL" <wl...@yahoo.com> wrote in message
>
> >news:f23b89e9-1ab6-436e-9654-04a445d35fa0@k37g2000hsf.googlegroups.com...
>
> > > Hi,
>
> > > I have a user cert set up for autoenrollment. The cert is published
> > > in AD and the "Do not automatically reenroll if a duplicate
> > > certificate exists in Active Directory" checkbox is checked. The CA
> > > is a Windows 2003 Enterprise CA. Credential Roaming is also set up in
> > > the environment.
>
> > If you are using certificate roaming there really is no need to enable the
> > "Do not automatically reenroll if a duplicate
> > certificate exists in Active Directory".
>
> > What type of certs are you issuing? Signing? Encryption?
>
> > > Autoenrollment and credential roaming seem to be working fine but I do
> > > encounter an issue when a workstation is reimaged or the certs are
> > > deleted from the user's personal store on a workstation. After one of
> > > these occurrences the user's personal store never gets a copy of the
> > > user's existing certs on that workstation.
>
> > Yes, this is due to the duplicate certificate in AD setting. If you
> > manually
> > delete the certificate in the user's store, this is the expected and
> > proper
> > behavior.
> > You have chosen to explicitly delete the certificate from the store.
>
> > A re-image should not have this behavior. Much like logging on to a new
> > computer, the certificates will roam to the new profile on the new
> > computer.
> > Same as logging onto a new computer. Verify that CRS is correctly
> > configured.
>
> > > The only way to populate the store is to have them issued a new
> > > certificate by deleting the user's certs from the CA and their AD
> > > object. After this the autoenrollment process will populate the
> > > personal store with a brand new user certificate.
>
> > You do not have to delete the certs from the AD. You would have to delete
> > them from the AD object though due to the certificate template setting.
>
> > > I'd rather not generate a new cert each time. Is there a way to get
> > > the existing certs automatically copied to the user's personal store
> > > on a workstation?
>
> > It should work if you re-image the computer. If the user or help desk is
> > telling the user to delete the certificate from the store, then you have
> > deleted the certificate and will have to re-enroll.
>
> > > Thanks for your help.
> > > Bill
>
> Hi Brian,
>
> Thanks for your assistance.
>
> I had checked the "Do not automatically reenroll if a duplicate
> certificate exists in AD" check box because users were getting
> multiple certs if I didn't have this checked. I was trying to
> minimize the number of certs that were generated for each user.
>
> The cert purpose is "Signature and Encryption". The Description of
> Application Policies shows Encrypting File System, Secure Email and
> Client Authentication. We are currently only using it for client
> authentication.
>
> When you say "verify that CRS is correctly configured" are you talking
> about the group policy settings for enabling autoenrollment? If so I
> do not have "Automatic Certificate Request Settings" configured. I do
> have "Autoenrollment Settings" configured for users and computers at
> the domain level. These are set to "Enroll Certificates
> automatically". I have both the "Renew expired certificates, ..." and
> "Update certificates that use templates" checked.
>
> By the way your book has been a great help to me as well.
>
> Thanks again.
I didn't make the reference of CRS to Credential Roaming Services.
Yes, I have implemented that and it seems to be working in most
cases. When we reimage a workstation, it is reimaged with the same
computer name. Could that affect whether the user certificates are
copied down to the "new" workstation?
Thanks.
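As an added diagnostic for the situation discussed in this thread (not code from the thread or from Microsoft), the following PowerShell lists the certificates published on the user's AD object and checks whether each one is present, with its private key, in the user's local personal store on the workstation. It assumes the RSAT ActiveDirectory module is installed and that it is run as the affected user after logon.

```powershell
# Added diagnostic, not code from the thread. Assumes the RSAT ActiveDirectory
# module is installed and that this runs as the affected user on the workstation.
Import-Module ActiveDirectory

function Get-AdPublishedCerts {
    # Certificates published to the user's AD object (the userCertificate attribute)
    param([string]$SamAccountName = $env:USERNAME)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($der in @($user.userCertificate)) {
        # Each value is a DER-encoded certificate; wrap it to read thumbprint/subject
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

function Get-LocalPersonalCerts {
    # The logged-on user's personal (My) store, where CRS restores roamed certificates
    Get-ChildItem -Path Cert:\CurrentUser\My
}

function Compare-RoamedCerts {
    param([string]$SamAccountName = $env:USERNAME)
    $localCerts = @(Get-LocalPersonalCerts)
    foreach ($adCert in @(Get-AdPublishedCerts -SamAccountName $SamAccountName)) {
        # Match the AD copy against the local store by thumbprint
        $local = $localCerts | Where-Object { $_.Thumbprint -eq $adCert.Thumbprint }
        [pscustomobject]@{
            Thumbprint    = $adCert.Thumbprint
            Subject       = $adCert.Subject
            NotAfter      = $adCert.NotAfter
            InLocalStore  = [bool]$local
            # A cert present without its private key cannot be used for client auth
            HasPrivateKey = $(if ($local) { $local.HasPrivateKey } else { $false })
        }
    }
}

Compare-RoamedCerts | Format-Table -AutoSize
```

A row with InLocalStore false for a certificate that is still valid in AD is the gap described above: the AD copy satisfies the template's duplicate check so autoenrollment stays silent, while CRS has not placed that certificate on this workstation.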