Re: Automatic enrollment of user certificates

From: Brian Komar (bkomar_at_komarconsulting.com.nospam)
Date: 01/06/04


Date: Tue, 6 Jan 2004 11:00:46 -0600

In article <09b001c3d467$9e555ba0$a501280a@phx.gbl>,
anonymous@discussions.microsoft.com says...
> Hello + A Gu'id Ne'er to You!
>
> I have setup an Enterprise Root CA on Windows 2003 in a
> Windows 2000 AD.
>
> I am using the certificates in conjunction with RADIUS
> (IAS) on a Win2003 machine to provide 802.1x auth for
> ethernet clients via an HP ProCurve switch as a trial.
> (The plan is to deploy wifi later) The clients are XP SP1.
>
> My question is... is it possible to automatically enroll
> user certificates on a client machine? Obviously it is
> possible to do this for computer certs via a GPO. However
> if the connection breaks (as will happen with wifi) the
> reconnection demands a user cert not a computer cert - and
> it is not ideal to have to install certs on client
> machines manually.
>
> TIA
>
> Jem
>
Hi Jem,

Yes it is possible. There are a few requirements:
1) You apply the Windows Server 2003 schema extensions (you should have
done this to install the enterprise CA).

2) You create a version 2 certificate template that enables
autoenrollment for a group that the user is a member of that allows
Client authentication (duplicate the user signing only version 1
template).

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp

3) You need to enable autoenrollment in Group Policy. This must be done
from a 2k3 server or from an XP computer with the 2k3 adminpak installed.
Details are in the following whitepaper. Ensure that the GPO is defined
at the OU where the *user* accounts are defined, not the computer
accounts.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.asp

The combination will allow autoenrollment to any XP computers that are
domain members. This does not work for 2k computers, only 2k3 computers.

Brian
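The three prerequisites Brian lists can be verified rather than taken on faith. The script below is an added example and is not part of the original thread; it assumes a modern admin workstation with the RSAT ActiveDirectory module (not the 2004-era XP/2003 tooling the thread uses), and the template CN `UserClientAuth`, the group `WiFi-Users` and the CA name `Corp Issuing CA` are placeholders you must replace. It checks the schema level, inspects the template object in the Configuration partition (version, Client Authentication EKU, autoenrollment flag, Enroll and Autoenroll rights for the group, publication on the CA), and, in the user's own session, whether the user-side autoenrollment policy actually reached HKCU, which is the symptom of the GPO being linked to the computer OU instead of the user OU.

```powershell
# Added example, not from the original post. Verifies the prerequisites for
# user-certificate autoenrollment. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TemplateName = 'UserClientAuth'   # ASSUMED: CN (not display name) of your duplicated v2 user template
$GroupSam     = 'WiFi-Users'       # ASSUMED: group that should hold Enroll + Autoenroll
$CaName       = 'Corp Issuing CA'  # ASSUMED: CA name as it appears under Enrollment Services

# Documented constants for certificate templates.
$EnrollRight             = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight         = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ClientAuthEku           = '1.3.6.1.5.5.7.3.2'
$CT_FLAG_AUTO_ENROLLMENT = 0x20    # bit in msPKI-Enrollment-Flag

$rootDse = Get-ADRootDSE
$pks     = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

# 1) Schema: the Windows Server 2003 extensions raise objectVersion to 30 (Windows 2000 is 13).
$ver = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
if ($ver -lt 30) { Write-Warning "Schema objectVersion $ver (< 30): apply the 2003 schema extensions first" }
else             { Write-Host    "Schema objectVersion ${ver}: OK" }

# 2) Template: must be version 2, carry Client Authentication, and have the autoenrollment flag.
$tmplDn = "CN=$TemplateName,CN=Certificate Templates,$pks"
$tmpl   = Get-ADObject $tmplDn -Properties 'msPKI-Template-Schema-Version','pKIExtendedKeyUsage','msPKI-Enrollment-Flag'

$issues = @()
if ($tmpl.'msPKI-Template-Schema-Version' -lt 2)          { $issues += 'not a version 2 template' }
if ($tmpl.pKIExtendedKeyUsage -notcontains $ClientAuthEku) { $issues += 'no Client Authentication EKU' }
if (-not ($tmpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_AUTO_ENROLLMENT)) { $issues += 'autoenrollment flag not set' }

# The group needs both Enroll and Autoenroll on the template. This looks only at
# explicit Allow ACEs for the group; a Full Control ACE would grant them implicitly.
$groupSid = (Get-ADGroup $GroupSam).SID
$rights = (Get-Acl "AD:\$tmplDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
} | ForEach-Object { $_.ObjectType }
if ($rights -notcontains $EnrollRight)     { $issues += "$GroupSam lacks Enroll" }
if ($rights -notcontains $AutoEnrollRight) { $issues += "$GroupSam lacks Autoenroll" }

# A template that is not published on the CA is never offered to clients.
$ca = Get-ADObject "CN=$CaName,CN=Enrollment Services,$pks" -Properties certificateTemplates
if ($ca.certificateTemplates -notcontains $TemplateName) { $issues += "template not published on $CaName" }

if ($issues) { $issues | ForEach-Object { Write-Warning "Template: $_" } } else { Write-Host 'Template: OK' }

# 3) User-side policy. Run this part in the *user's* session on a domain-joined client.
#    The setting lives under User Configuration, so it lands in HKCU, and only when the
#    GPO is linked where the user account lives (Brian's point about the OU).
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae    = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae)                      { Write-Warning 'AEPolicy absent: the user autoenrollment GPO is not applying to this user' }
elseif ($ae.AEPolicy -band 0x8000) { Write-Warning 'AEPolicy has the disable bit (0x8000) set' }
else                               { Write-Host ('AEPolicy = 0x{0:X} (0x7 = enabled with both renew/update options)' -f $ae.AEPolicy) }
```

Run the first two sections as a domain admin who can read the Configuration partition, and the third as the user who is supposed to receive the certificate; an absent AEPolicy value in HKCU while the computer-side equivalent exists under HKLM is the usual sign that the GPO was linked to the computer OU rather than the user OU.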


