Re: Automatic enrollment of user certificates

anonymous_at_discussions.microsoft.com
Date: 01/06/04


Date: Tue, 6 Jan 2004 09:31:52 -0800

Brian

Thanks for your extensive response - I will definitely
look into this.

Jem
>-----Original Message-----
>In article <09b001c3d467$9e555ba0$a501280a@phx.gbl>,
>anonymous@discussions.microsoft.com says...
>> Hello + A Gu'id Ne'er to You!
>>
>> I have set up an Enterprise Root CA on Windows 2003 in a
>> Windows 2000 AD.
>>
>> I am using the certificates in conjunction with RADIUS
>> (IAS) on a Win2003 machine to provide 802.1x auth for
>> ethernet clients via an HP ProCurve switch as a trial.
>> (The plan is to deploy wifi later.) The clients are XP SP1.
>>
>> My question is... is it possible to automatically enroll
>> user certificates on a client machine? Obviously it is
>> possible to do this for computer certs via a GPO. However,
>> if the connection breaks (as will happen with wifi) the
>> reconnection demands a user cert, not a computer cert, and
>> it is not ideal to have to install certs on client
>> machines manually.
>>
>> TIA
>>
>> Jem
>>
>Hi Jem,
>
>Yes, it is possible. There are a few requirements:
>
>1) You apply the Windows Server 2003 schema extensions (you should have
>done this to install the enterprise CA).
>
>2) You create a version 2 certificate template that enables
>autoenrollment for a group that the user is a member of and that allows
>Client Authentication (duplicate the user signing only version 1
>template).
>
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
>
>3) You need to enable autoenrollment in Group Policy. This must be done
>from a 2k3 server or from an XP computer with the 2k3 adminpak installed.
>Details are in the following whitepaper. Ensure that the GPO is defined
>at the OU where the *user* accounts are defined, not the computer
>accounts.
>
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.asp
>
>The combination will allow autoenrollment to any XP computers that are
>domain members. This does not work for 2k computers, only 2k3 computers.
>
>Brian
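An added check for Brian's three requirements, not part of the original thread: it reads the template object from the Configuration partition to confirm it is schema version 2, carries the autoenrollment flag and the Client Authentication EKU, lists who holds the Autoenroll right on it, and then inspects the per-user AutoEnrollment policy key that only a GPO linked at the *user* OU will populate. It assumes the ActiveDirectory PowerShell module is installed and that the template name (`UserAutoEnroll` here) is a placeholder for whatever you called the duplicate.

```powershell
# Added example; not from the thread. Assumes the ActiveDirectory module and a
# placeholder template name. Run as the user who should be receiving the cert.
param([string]$TemplateName = 'UserAutoEnroll')   # placeholder, use your template's name

Import-Module ActiveDirectory

$CT_FLAG_AUTO_ENROLLMENT = 0x20   # msPKI-Enrollment-Flag bit that permits autoenrollment
$ClientAuthEku           = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, needed for EAP-TLS
$AutoEnrollRightGuid     = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment right

function Test-AutoEnrollTemplate {
    param([string]$Name)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $t  = Get-ADObject -Identity $dn -Properties msPKI-Template-Schema-Version, msPKI-Enrollment-Flag, pKIExtendedKeyUsage

    $findings = [ordered]@{
        # Requirement 2: a version 1 template can never autoenroll; the duplicate must be v2
        'SchemaVersion2' = ($t.'msPKI-Template-Schema-Version' -ge 2)
        'AutoEnrollFlag' = (($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        'ClientAuthEku'  = ($t.pKIExtendedKeyUsage -contains $ClientAuthEku)
    }

    # The template ACL must grant Autoenroll (not just Enroll) to a group the user belongs to
    $acl = Get-Acl -Path "AD:\$dn"
    $grantees = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollRightGuid } |
        Select-Object -ExpandProperty IdentityReference
    $findings['AutoEnrollGrantedTo'] = ($grantees -join ', ')
    [pscustomobject]$findings
}

function Test-UserAutoEnrollPolicy {
    # Requirement 3: the User Configuration half of the GPO writes this key under HKCU.
    # A GPO linked only at the computer OU leaves it absent, the pitfall Brian warns about.
    $key = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v)    { return 'Not configured (policy did not reach this user account)' }
    if ($v -band 0x8000) { return 'Disabled' }                # 0x8000 = policy set to Disabled
    if ($v -band 0x1)    { return ('Enabled (AEPolicy=0x{0:X})' -f $v) }  # GPO writes 7 with all options on
    return ('Unexpected value 0x{0:X}' -f $v)
}

Test-AutoEnrollTemplate -Name $TemplateName | Format-List
Test-UserAutoEnrollPolicy
```

If every template check is true but the policy result is "Not configured", the GPO link, not the CA, is what needs fixing.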