Duplicate User Certificates

  • Thread starter Thread starter BillL
  • Start date Start date
B

BillL

Guest
Hi,

I'm running a Windows Server 2003 Enterpise CA with an offline root.
I duplicated the AutoEnrolled User cert template to create
certificates for our Active Directory users. This seems to be working
fine but when I look at Issued Certificates in my CA I see that users
are being issued multiple certs even though the certs don't expire
until 1 year later. I don't understand why multiple certs would be
issued. Is this normal behavior?

Thanks.
 
Re: Duplicate User Certificates

On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
> Hi,
>
> I'm running a Windows Server 2003 Enterpise CA with an offline root.
> I duplicated the AutoEnrolled User cert template to create
> certificates for our Active Directory users. This seems to be working
> fine but when I look at Issued Certificates in my CA I see that users
> are being issued multiple certs even though the certs don't expire
> until 1 year later. I don't understand why multiple certs would be
> issued. Is this normal behavior?
>
> Thanks.

Based on the rmd and ccm certifcate attributes, it looks like the
certificates are being generated for each workstation that the user
logs onto. Since the certs are being stored in AD, is there a way to
force the use of a single cert per user?
 
Re: Duplicate User Certificates

New certificates won't be issued if the user will receive own roaming
profile, incorporating certificates and "soft" private keys.

Active Directory generally don't store certificates, and certainly not for
the purpose of user authentication or certificate issuance tracking.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"BillL" <wlawn@yahoo.com> wrote in message
news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
> On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
>> Hi,
>>
>> I'm running a Windows Server 2003 Enterpise CA with an offline root.
>> I duplicated the AutoEnrolled User cert template to create
>> certificates for our Active Directory users. This seems to be working
>> fine but when I look at Issued Certificates in my CA I see that users
>> are being issued multiple certs even though the certs don't expire
>> until 1 year later. I don't understand why multiple certs would be
>> issued. Is this normal behavior?
>>
>> Thanks.
>
> Based on the rmd and ccm certifcate attributes, it looks like the
> certificates are being generated for each workstation that the user
> logs onto. Since the certs are being stored in AD, is there a way to
> force the use of a single cert per user?
>
>
 
Re: Duplicate User Certificates

Further to Slav's answer, look at the Credential Roaming Service. Think of
it as roaming profiles for certificates and other security attributes. This
would prevent your re-enrollment, as the user would download the
certificates from AD at any new computer.

This is the one case where certificate information *is* stored in AD for the
purpose of roaming to client computers
For details, see Configuring and Troubleshooting Certificate Services
Client-Credential Roaming
at
http://www.microsoft.com/technet/se...edential-roaming/terminology-assumptions.mspx

Brian

"BillL" <wlawn@yahoo.com> wrote in message
news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
> On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
>> Hi,
>>
>> I'm running a Windows Server 2003 Enterpise CA with an offline root.
>> I duplicated the AutoEnrolled User cert template to create
>> certificates for our Active Directory users. This seems to be working
>> fine but when I look at Issued Certificates in my CA I see that users
>> are being issued multiple certs even though the certs don't expire
>> until 1 year later. I don't understand why multiple certs would be
>> issued. Is this normal behavior?
>>
>> Thanks.
>
> Based on the rmd and ccm certifcate attributes, it looks like the
> certificates are being generated for each workstation that the user
> logs onto. Since the certs are being stored in AD, is there a way to
> force the use of a single cert per user?
>
>
 
Re: Duplicate User Certificates

On Jul 26, 8:37 am, "Brian Komar" <brian.ko...@nospam.identit.ca>
wrote:
> Further to Slav's answer, look at the Credential Roaming Service. Think of
> it as roaming profiles for certificates and other security attributes. This
> would prevent your re-enrollment, as the user would download the
> certificates from AD at any new computer.
>
> This is the one case where certificate information *is* stored in AD for the
> purpose of roaming to client computers
> For details, see Configuring and Troubleshooting Certificate Services
> Client-Credential Roaming
> athttp://www.microsoft.com/technet/security/guidance/cryptographyetc/cl...
>
> Brian
>
> "BillL" <wl...@yahoo.com> wrote in message
>
> news:1184946950.269425.31950@q75g2000hsh.googlegroups.com...
>
>
>
> > On Jul 20, 10:22 am, BillL <wl...@yahoo.com> wrote:
> >> Hi,
>
> >> I'm running a Windows Server 2003 Enterpise CA with an offline root.
> >> I duplicated the AutoEnrolled User cert template to create
> >> certificates for our Active Directory users. This seems to be working
> >> fine but when I look at Issued Certificates in my CA I see that users
> >> are being issued multiple certs even though the certs don't expire
> >> until 1 year later. I don't understand why multiple certs would be
> >> issued. Is this normal behavior?
>
> >> Thanks.
>
> > Based on the rmd and ccm certifcate attributes, it looks like the
> > certificates are being generated for each workstation that the user
> > logs onto. Since the certs are being stored in AD, is there a way to
> > force the use of a single cert per user?- Hide quoted text -
>
> - Show quoted text -

I've implemented Client-Credential Roaming. When I open the
Certificates mmc on a workstation for a user shouldn't all the certs
under the Active Directory User Object - Certificates also be listed
under Personal - Certificates? It seems like I am still getting a
cert for each workstation that I log onto and this is shown under the
Personal - Certificates. From what I've read I expected that the AD
store and the personal store would synch up.

Thanks for your help.
 

Similar threads

W
Windows 10 Win10 - trusted root certificates not updating
Replies
0
Views
131
wameniak
W
V
Checking the certificate trust chain for an HTTPS endpoint
Replies
0
Views
471
Viorel-Alexandru
V
D
How to find size of the Root Certificate Store
Replies
0
Views
101
DragonOsman2
D
I
ARR authenticating itself to backend with client certificate on re-routing requests
Replies
0
Views
392
IIS
I
D
How to find size of the Root Certificate Store
Replies
0
Views
81
DragonOsman2
D
Back
Top