Automatic enrollment of user certificates

Jockojem · Jan 6, 2004

Hello + A Gu'id Ne'er to You!

I have setup an Enterprise Root CA on Windows 2003 in a
Windows 2000 AD.

I am using the certficates in conjunction with RADIUS
(IAS) on a Win2003 machine to provide 802.1x auth for
ethernet clients via an HP ProCurve switch as a trial.
(The plan is to deploy wifi later) The clients are XP XP1.

My question is... it is possible to automatically enroll
user certificates on a client machine. Obviously it is
possible to do this for computer certs via a GPO. However
if the connection breaks (as will happen with wifi) the
reconnection demands a user cert not a computer cert - and
it is not ideal to have to install certs on client
machines manually.

TIA

Jem

Steven L Umbach · Jan 6, 2004

I know this can be done in a Windows 2003 AD domain but not in W2K. AFAIK
your options are to request/install from mmc certificate snapin for the user
or use Web Enrollment which really is pretty painless for user
ertificates. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp

Brian Komar · Jan 6, 2004

Hello + A Gu'id Ne'er to You!

I have setup an Enterprise Root CA on Windows 2003 in a
Windows 2000 AD.

I am using the certficates in conjunction with RADIUS
(IAS) on a Win2003 machine to provide 802.1x auth for
ethernet clients via an HP ProCurve switch as a trial.
(The plan is to deploy wifi later) The clients are XP XP1.

My question is... it is possible to automatically enroll
user certificates on a client machine. Obviously it is
possible to do this for computer certs via a GPO. However
if the connection breaks (as will happen with wifi) the
reconnection demands a user cert not a computer cert - and
it is not ideal to have to install certs on client
machines manually.

TIA

Jem

Hi Jem,

Yes it is possible. There are a few requirements:
1) You apply the Windows Server 2003 schema extensions (you should have
done this to install the enterprise CA).

2) You create a version 2 certificate template that enables
autoenrollment for a group that the user is a member of that allows
Client authentication (duplicate the user signing only version 1
template).

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/co
nfeat/ws03crtm.asp

3) You need to enable autoenrollment in Group Policy. This must be done
from a 2k3 server or from a xp computer with the 2k3 adminpak installed.
Details are in the following whitepaper. Ensure that the GPO is defined
at the OU where the *user* accounts are defined, not the computer
accounts.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/auto
enro.asp

The combination will allow autoenrollment to any XP computers that are
domain members. This does not work for 2k computers, only 2k3 computers.

Brian

Guest · Jan 6, 2004

Brian

Thanks for your extensive response - I will definitely
look into this.

Jem

Computer Certificates	1	Oct 20, 2006
VPN Logons - Certificates	1	Sep 13, 2006
Diff Encryption Certificates used by diff users in same AD domain.	6	Jul 8, 2008
802.1x Certificates	1	Jan 19, 2006
Automatic distribution of User Certificates	2	Dec 5, 2003
802.1x	1	Jan 19, 2006
Vista clients and EAP-TLS authentication - problem with certificates	5	Sep 18, 2007
EAP/TLS and "Windows was unable to find a certificate. . ."	4	Apr 27, 2004

Automatic enrollment of user certificates

Jockojem

Steven L Umbach

Brian Komar

Guest

Ask a Question

Similar Threads