Re: client user certificates
- From: briandel@xxxxxxxxxxxxxxxxxxxx (Brian Delaney [MSFT])
- Date: Thu, 15 Mar 2007 03:42:05 GMT
Hi,
The best way to deploy certificates automatically to a user certificate
store is using autoenrollment. Autoenrollment is available for clients
running Windows XP or Windows Vista when using a Windows Server 2003
Enterprise Edition Enterprise CA (root or subordinate). It is possible to
automatically deploy certificates to users via a script but it is more
complex and difficult to manage. It also does not easily facilitate
renewal of the certificates; whereas autoenrollment will automatically
renew the certificates as they approach expiration.
When using Windows Server 2003 Enterprise edition you can customize your
certificate by using certificate templates. You can create templates for
any purpose, from EFS, to Client Authentication, to custom purposes.
Have a look at this TechNet article for more info on autoenrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Hope this helps,
Brian Delaney
Microsoft Canada
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Herb Martin" <news@xxxxxxxxxxxxxx><uBfWRZcZHHA.1296@xxxxxxxxxxxxxxxxxxxx>
References: <#ne878bZHHA.2432@xxxxxxxxxxxxxxxxxxxx>
<ugSHvKqZHHA.1388@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: client user certificatesRoot
Date: Wed, 14 Mar 2007 21:45:15 -0500
<param@xxxxxxxxxxxxxxxx> wrote in message
news:ugSHvKqZHHA.1388@xxxxxxxxxxxxxxxxxxxxxxx
What about User Certs?
EFS and S/MIME are certificates for users; they aren't general purpose
however.
1) EFS
2) Email (S/MIME)
3) IPSec (for computers)
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:uBfWRZcZHHA.1296@xxxxxxxxxxxxxxxxxxxxxxx
<param@xxxxxxxxxxxxxxxx> wrote in message
news:%23ne878bZHHA.2432@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
We have a Windows Server 2003 domain environment with an Enterprise
CA installed. Clients are Windows XP Pro. Some of our apps use client
certificates for user identification and today the users go to the
certificate enrollment website that is installed on the CA server to
retrieve their client certs.
Is there a way via Group Policy or some other mechanism for the CA
to automatically issue a domain user a client cert when they login to
their workstation for the first time? I guess, this would also need to
apply when certificates come up for renewal.
It would be awesome if this can be done.
(Enterprise) Win2003 Cert Services can automatically issue three kinds
of Certs:
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)