CCNP Boot Camp UK 

How Autoenrollment Works

This section discusses how autoenrollment works, including autoenrollment and Winlogon, an analysis of the components of the autoenrollment process, and working with certification authority interfaces.

Key Points

Autoenrollment works best in a Windows Server 2003 Enterprise environment where the Windows XP client is integrated with Active Directory.

Only domain-joined machines can use certificate autoenrollment. Although the autoenrollment process does not explicitly look for domain-joined machines, the Winlogon process will not activate userinit.exe unless the machine/user is part of a domain.

Autoenrollment Timing

The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

For additional information, see Updating Group Policy.

  Unlocking the workstation does not trigger autoenrollment; only a full interactive logon or a Group Policy refresh will initiate the Winlogon trigger.

The Autoenrollment Process

The autoenrollment feature handles all aspects of certificate enrollment, renewal, and certificate housekeeping, except in the case where user interaction is explicitly defined on a certificate template in Active Directory. When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time.

The last step performed by autoenrollment is user-object cleanup (the userCertificate attribute) in Active Directory. Revoked, expired, and superseded certificates are removed from the user object automatically; however, expired certificates are not removed unless a new valid certificate is issued at the same time. Certificates in the local user profile or on the user object in Active Directory are managed only if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.

Requirements List

The autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template, or the template will not be enumerated. The user's or machine's MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time-invalid certificates, and so on, and to add these certificates to the requirements list. For more information about certificate stores, refer to the Microsoft Platform SDK: http://msdn.microsoft.com/library/en-us/security/security/managing_certificates_with_certificate_stores.asp

It is very possible that a user may have a certificate in the MY store but not have permissions set on a template access control list (ACL) in Active Directory. These certificates will be processed and added to the list, but enrollment will most likely fail because the template permissions do not allow enrollment or renewal at that point in time.

Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object and the requirement will be removed from the list, if successful.

Note:
  Checking Active Directory for the presence of an existing certificate associated with the user or machine object can affect performance and may delay autoenrollment processing due to the network and directory requirements for performing this operation. This is because the actual certificates in the userCertificate attribute will be downloaded and examined. When this happens, the directory cannot be queried via Lightweight Directory Access Protocol (LDAP) to simply respond whether a given certificate type exists without downloading and processing the certificates locally.

Autoenrollment also manages the CryptoAPI REQUEST store for the user. This process enumerates each pending request in the store and then installs the pending certificate, if possible, from the issuing CA. If a certificate is to be archived or deleted, based on the certificate template rule, it will be processed as follows:

If a request already exists in the REQUEST store, this certificate will be removed from the summarized requirements list.
If a request has been pending for more than 60 days, the request will be deleted and the requirements list will remain as-is.

Autoenrollment can be used to retrieve pending requests only for certificates with template information, for example, an initial request involving a certificate template. The autoenroll ACL on the certificate template is not necessary for the autoenrollment process to retrieve a pending certificate request. If the user enrolls via a Web page and the certificate request is pending, autoenrollment will retrieve the pending request for the user.

Template supersede rules will be evaluated and appropriate additions and deletions will be processed for the requirements list. For example, if the template says "X supersedes Y", it means that if you have been told to enroll for X and Y, you really only need X. If you only have Y, you still must get X. This is the last step in rule processing. After it is done, the requirements list is complete.

For each template that does not require user interaction, the autoenrollment process will create the requests in the background and submit them to a CA. Once this is done, the requirements list is updated.

Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

If a certificate is issued from the CA, it is installed in the user's or machine's MY store. If the certificate is pended (specified by the CA Manager approval check box in the Certificate Templates Microsoft Management Console (MMC) snap-in), the request information is saved in the REQUEST store.
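To make the rule ordering above concrete, here is a small Python model of how the requirements list is built. It is an added illustration, not Windows or Microsoft code: the Template, Cert and PendingRequest classes, the store contents and the reference date are constructed for the example, and the model reproduces only the decisions the text describes (Read and Autoenroll ACEs, the MY store checks, the Active Directory lookup, the 60-day REQUEST store rule, and supersede processing as the last step), not the real CryptoAPI stores or directory access.

```python
"""Model of how autoenrollment builds its requirements list.

Added illustration: not Windows code and not Microsoft's implementation. The
classes and store contents are constructed to exercise the rules described in
the documentation, in the order the documentation gives them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PENDING_MAX_AGE = timedelta(days=60)  # pending requests older than this are deleted


@dataclass(frozen=True)
class Template:
    name: str
    read: bool                     # principal holds the Read ACE (template is enumerated)
    autoenroll: bool               # principal holds the Autoenroll ACE (template is required)
    supersedes: tuple = ()         # "X supersedes Y" rules carried on template X
    check_directory: bool = False  # template asks for an AD lookup of an existing certificate


@dataclass(frozen=True)
class Cert:
    template: Optional[str]        # None models a foreign certificate without the template extension
    not_after: datetime
    has_private_key: bool = True
    revoked: bool = False


@dataclass(frozen=True)
class PendingRequest:
    template: str
    submitted: datetime


def usable(cert: Cert, now: datetime) -> bool:
    """A certificate that satisfies a requirement: template-bound, keyed, unrevoked, time-valid."""
    return (cert.template is not None and cert.has_private_key
            and not cert.revoked and cert.not_after > now)


def build_requirements(templates, my_store, request_store, directory_certs, now):
    """Return (sorted requirement names, surviving REQUEST store entries)."""
    # 1. Only templates with Read are enumerated; of those, Autoenroll creates a requirement.
    enumerated = {t.name: t for t in templates if t.read}
    required = {name for name, t in enumerated.items() if t.autoenroll}

    # 2. MY store: unusable certificates that map to a template are added, even when the
    #    principal has no permission on that template (enrollment will then fail later).
    for c in my_store:
        if c.template is not None and not usable(c, now):
            required.add(c.template)

    # 3. A usable certificate in MY removes the requirement; templates flagged to check
    #    Active Directory also drop out when the userCertificate attribute holds one.
    for c in my_store:
        if usable(c, now):
            required.discard(c.template)
    for name in list(required):
        t = enumerated.get(name)
        if t and t.check_directory and any(
                usable(c, now) and c.template == name for c in directory_certs):
            required.discard(name)

    # 4. REQUEST store: an outstanding request covers the requirement; a request older
    #    than 60 days is deleted and the requirement stays on the list.
    kept = []
    for r in request_store:
        if now - r.submitted > PENDING_MAX_AGE:
            continue
        kept.append(r)
        required.discard(r.template)

    # 5. Supersede rules run last: a requirement for X drops any Y that X supersedes.
    for name in list(required):
        t = enumerated.get(name)
        if t:
            for y in t.supersedes:
                required.discard(y)
    return sorted(required), kept


def demo(pending_age_days=90):
    """Constructed scenario; pending_age_days decides whether the pending request survives."""
    now = datetime(2003, 6, 1)
    templates = [
        Template("User", read=True, autoenroll=True),
        Template("SmartcardUser", read=True, autoenroll=True, supersedes=("User",)),
        Template("EFS", read=True, autoenroll=True),
        Template("EmailSig", read=True, autoenroll=True, check_directory=True),
        Template("Workstation", read=True, autoenroll=False),
        Template("KeyRecovery", read=False, autoenroll=True),   # no Read ACE: never enumerated
    ]
    my_store = [
        Cert("EFS", now + timedelta(days=300)),                  # usable: EFS is satisfied
        Cert("User", now + timedelta(days=300), revoked=True),   # revoked: User still needed
        Cert("Workstation", now - timedelta(days=5)),            # expired: added despite no Autoenroll ACE
        Cert(None, now + timedelta(days=300)),                   # foreign certificate: ignored
    ]
    directory_certs = [Cert("EmailSig", now + timedelta(days=200))]   # found by the AD lookup
    request_store = [PendingRequest("SmartcardUser", now - timedelta(days=pending_age_days))]
    reqs, kept = build_requirements(templates, my_store, request_store, directory_certs, now)
    return reqs, len(kept)
```

With the 90-day-old request, the request is deleted and SmartcardUser stays on the list, which in turn drops User through the supersede rule; with a 10-day-old request, the pending SmartcardUser request covers that requirement and the revoked User certificate keeps User on the list. In both runs Workstation is listed because of the expired certificate even though the principal has no Autoenroll ACE on it, which is the situation the text describes as likely to fail at enrollment time.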

Balloon User Interface

For each request that requires user interaction as per the certificate template, the balloon user interface (UI) is invoked.
Approximately 60 seconds after logon, the balloon UI is displayed. If no user interaction is explicitly defined on the certificate template, no UI will be displayed to the user. This delay is incorporated to allow for speedy application and shell response times during the logon and booting of the client machine.
If the 60-second delay is not desired, the following registry key may be added on a per-user basis.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress

Using this key in a normal production environment is not recommended. If it is used, it must be created on a per-user basis.

Important:
  Machine certificates do not support user interaction and should not be configured to require this setting.
The balloon UI waits for the user to see the balloon and is activated by a mouse click. Note that after approximately 15 seconds, the balloon pop-up window is replaced in the notification area by a certificate icon that may be activated by a mouse click.
If no activation occurs within seven hours, the taskbar icon will disappear and the silent thread will re-activate at the next logon, machine reboot, or Group Policy refresh interval, whichever is first.
Once the user activates the UI, the REQUEST store is checked first for pending requests.

Issuing the Template

Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.

The client contacts a CA through a Distributed Component Object Model (DCOM) interface and supplies a security context through DCOM to provide an authenticated request. The default policy module of the Microsoft Enterprise CA enforces certificate profiles and enrollment security as defined by the templates.

If the certification authority is set to pend the request for an administrator or certificate manager to examine and approve, autoenrollment will periodically query the CA during every Group Policy refresh interval for approved requests. Autoenrollment will also re-enroll templates when Reenroll all certificate holders has been set in Group Policy. For more information, see Certificate Renewal.
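The issuing step, as an added Python model (not Windows code and not the real ICertRequest DCOM interface): MockCA borrows the method names listed under Certification Authority Interfaces, but its signatures, the disposition labels and the three constructed CAs are assumptions made for this example. It shows the two behaviours worth noting from a defender's point of view: CAs are tried in random order with fallback when one does not answer, and the chain revocation check blocks a CA only when a revocation source is present and reports it revoked; a missing CDP extension or an offline revocation source is ignored, so a CA whose status cannot be checked is still used.

```python
"""Model of the issuing step: CA selection, chain revocation check, submit and
pending retrieval at the next Group Policy refresh.

Added illustration, not Windows code. MockCA stands in for an Enterprise CA and
only borrows the method names from the interface list; the real ICertRequest
signatures, disposition codes and the DCOM transport are not reproduced.
"""
import random
from dataclasses import dataclass

ISSUED, UNDER_SUBMISSION = "issued", "under_submission"   # constructed disposition labels


@dataclass(frozen=True)
class ChainElement:
    subject: str
    has_cdp: bool    # CA certificate carries a CRL Distribution Point extension
    status: str      # "good", "revoked", or "offline" (revocation source unreachable)


def chain_allows_enrollment(chain):
    """Walk the chain from the issuing CA upward. A CA reported revoked blocks
    enrollment; a missing CDP or an offline revocation source is ignored."""
    for elem in chain:
        if elem.has_cdp and elem.status == "revoked":
            return False
    return True


def revocation_outcomes():
    """The three chain states the text distinguishes, and what the client does."""
    return {
        "revoked, CDP present": chain_allows_enrollment([ChainElement("CA", True, "revoked")]),
        "revoked, no CDP": chain_allows_enrollment([ChainElement("CA", False, "revoked")]),
        "CRL offline": chain_allows_enrollment([ChainElement("CA", True, "offline")]),
    }


class MockCA:
    def __init__(self, name, chain, online=True, pend=()):
        self.name, self.chain, self.online = name, chain, online
        self.pend = set(pend)      # templates that require CA manager approval
        self.requests = {}         # request id -> [template, approved]
        self.submit_calls = 0
        self._last = None

    def Submit(self, template):
        self.submit_calls += 1
        if not self.online:
            raise ConnectionError(self.name)
        rid = len(self.requests) + 1
        self.requests[rid] = [template, template not in self.pend]
        self._last = (rid, ISSUED if self.requests[rid][1] else UNDER_SUBMISSION)
        return self._last[1]

    def GetLastStatus(self):
        return self._last[1]

    def GetRequestId(self):
        return self._last[0]

    def RetrievePending(self, rid):
        return ISSUED if self.requests[rid][1] else UNDER_SUBMISSION

    def GetCertificate(self, rid):
        return f"{self.requests[rid][0]}@{self.name}"

    def approve(self, rid):          # the CA manager's action, outside the client
        self.requests[rid][1] = True


def enroll(requirements, cas, rng, my_store, request_store):
    """Submit each requirement to the CAs in random order until one responds."""
    for template in requirements:
        order = list(cas)
        rng.shuffle(order)           # random order spreads load across CAs
        for ca in order:
            if not chain_allows_enrollment(ca.chain):
                continue             # revoked CA: no request is sent to it
            try:
                disposition = ca.Submit(template)
            except ConnectionError:
                continue             # CA did not respond: try the next one
            if disposition == ISSUED:
                my_store.append(ca.GetCertificate(ca.GetRequestId()))
            else:
                request_store.append((ca.name, ca.GetRequestId(), template))
            break


def refresh(cas, my_store, request_store):
    """Group Policy refresh: install approved requests, keep the rest pending."""
    by_name = {ca.name: ca for ca in cas}
    still_pending = []
    for ca_name, rid, template in request_store:
        if by_name[ca_name].RetrievePending(rid) == ISSUED:
            my_store.append(by_name[ca_name].GetCertificate(rid))
        else:
            still_pending.append((ca_name, rid, template))
    request_store[:] = still_pending


def demo(seed=1):
    root = ChainElement("Root CA", has_cdp=True, status="good")
    cas = [   # constructed CAs
        MockCA("RevokedCA", [ChainElement("RevokedCA", True, "revoked"), root]),
        MockCA("NoCdpCA", [ChainElement("NoCdpCA", False, "revoked"), root], online=False),
        MockCA("GoodCA", [ChainElement("GoodCA", True, "offline"), root], pend=("SmartcardUser",)),
    ]
    my_store, request_store = [], []
    enroll(["User", "SmartcardUser"], cas, random.Random(seed), my_store, request_store)
    after_enroll = (sorted(my_store), list(request_store))
    cas[2].approve(request_store[0][1])    # CA manager approves the pended request
    refresh(cas, my_store, request_store)
    return {"after_enroll": after_enroll,
            "after_refresh": (sorted(my_store), list(request_store)),
            "submit_calls": {ca.name: ca.submit_calls for ca in cas}}
```

In the constructed scenario RevokedCA is never contacted, NoCdpCA passes the revocation check (its revocation cannot be determined) but does not answer, and GoodCA issues User immediately and pends SmartcardUser until the approval is picked up at the next refresh.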

Certification Authority Interfaces

The following methods are used by the autoenrollment process for contacting and enrolling against a Microsoft Enterprise CA.
GetCAProperty
Submit
GetLastStatus
GetRequestId
GetFullResponseProperty
GetCertificate
Release
RetrievePending

These methods can be found in the Platform SDK at http://msdn.microsoft.com/library/default.asp

Configuring the Certificate Templates

This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained.

Key Point

A version 2 certificate template must first be created in Active Directory to enable autoenrollment.

Default Settings

The following are the default settings:
Only root domain administrators or explicitly delegated users in Active Directory may configure templates in a domain that has been upgraded from Windows 2000 Server.
Both domain administrators from the root domain and enterprise administrators for fresh installations of Windows Server 2003 domains may configure templates.
Certificate template ACLs are viewed in the Certificate Templates MMC snap-in.
Certificate templates can be cloned or edited using the Certificate Templates MMC snap-in.
Note:
  Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certification authority may issue a version 2 template certificate.

Creating a New Template for the Autoenrollment of a Smart Card

To create a new template for autoenrollment of a smart card
1. Log on as a domain administrator.
2. Click the Start button, and then click Run.
3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.
Note:
  The Certificate Templates MMC snap-in is available on the Server version of Windows Server 2003 or on Windows XP Professional through the Administration Tools Pack installation on the Server media.
7. Click Close.
8. Click OK.
Note:
  The Certificate Templates MMC snap-in may also be invoked from the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.
9. In the console tree, click Certificate Templates.
10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template.

MCSE : Security Specialist

GET CERTIFIED IN JUST 18 DAYS - 2003 PATH

Our 18 day accelerated MCSE 2003: Security+ Training BootCamp provides information technology professionals with the knowledge and skills necessary to install, configure, support, and troubleshoot Microsoft® Windows 2000- and 2003-based networks with a focus on information security in the enterprise. This is an accelerated course, designed for computer professionals that require effective, real-world skill-building and timely certification.

Now Available MCSE Certification Training

The MCSE 2003: Security+ Boot Camp delivers the greatest value on the market for Windows 2003 Certification Training. During the program, students will achieve the following certifications:

  • Microsoft Certified Professional (MCP)
  • Microsoft Certified Systems Administrator (MCSA)
  • CompTIA Security+
  • Microsoft Certified Systems Engineer (MCSE) 

Call About Onsite Courses at your location

  • Course Schedule
  • Curriculum

Microsoft MCSE MCSA Certification Training Boot Camp Class Course

The MCSE Boot Camp is unlike any other. With our class, you will learn more.

Our MCSE 2003: Security+ Accelerated Certification Program is the most effective, efficient way to learn how to successfully design, plan, and implement a network infrastructure, Active Directory® infrastructure, and client deployment on the Windows Server 2003 platform. 

Daily lectures, labs, and review sessions are supplemented by a combination of:

  • Proprietary Lab Manual & Microsoft Courseware - developed in conjunction with Microsoft, adapting Microsoft Official Curriculum to address the demands of accelerated learners
  • Authorized CompTIA Security+ Lab Manual & Courseware
  • Self Test™ or Transcender® Testing Software

18-day Boot Camp Class

The MCSE 2003: Security+ Program prepares students to achieve four (4) certifications during the program: MCSE 2003, MCSA 2003, MCP, and CompTIA Security+.

Our program for Microsoft certification is the most comprehensive, flexible educational format available.

Your training may also be partially tax-deductible.

Curriculum for the accelerated Microsoft Windows Training Course

The school's primary goal is your education.
We provide thorough instructor-led training to ensure that you learn the fundamentals, obtain hands-on skills and earn your certification. You will emerge able to immediately apply your new knowledge in your career environment. 

We have an aggressive educational class schedule that thoroughly covers all essential elements necessary to become Microsoft certified.

    Day 1-5 Installing, Configuring, and Administering Microsoft Windows XP Professional   70-270
    Day 6-7 Managing and Maintaining a Microsoft Windows Server 2003 Environment   70-290
    Day 8-9 CompTIA Security+  SY0-101
    Day 10-13 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure   70-291
    Day 14 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure   70-294
    Day 15-16 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure   70-297
    Day 17 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure   70-293
    Day 18 Final Review/Makeup Day


Primarily because of its scalability and reliability, this architecture combination is well suited to large ecommerce sites with mission-critical applications and site availability. The Linux/Apache combination offers more than enough scalability to serve even heavy-duty business-to-business ecommerce applications, server farms and virtual private networks (VPNs). Business-to-consumer ecommerce sites with variable usage and deep pockets might benefit from Apache's load-balancing features. ColdFusion enables very rapid site deployment, with more than enough out-of-the-box functionality for fast creation of sophisticated and dynamic (if not exceptionally innovative) online applications.

ASP/IIS/NT

This integrated architecture is a cost-effective proposition, particularly for companies already invested in Microsoft technologies. Windows NT Server Enterprise Edition comes with many useful elements, including Web hosting, proxy, index, messaging, database, transaction and firewall services. Although these elements are available for Apache/Linux or can be obtained from third-party vendors for the Linux OS, they must be separately integrated under Linux and can make for substantial time demands on system administrators.

As Smith says, “The number one advantage of ASP, in my opinion, is that it’s made by Microsoft.” The company’s influence has bred a stable of compatible products that make NT a good value proposition and the default choice for webmasters already familiar with Windows products, and for companies already invested in the Microsoft Distributed InterNet Application Architecture (DNA).

More ecommerce applications are available for NT than for any other platform, and Microsoft shops already endowed with VB or ASP programmers are likely to want to leverage that investment as much as possible by sticking to the Microsoft platform.

NT is also popular for the relative simplicity of its interface. The Windows GUI makes administration for inexperienced webmasters possible (although, of course, trouble lurks, especially in the arenas of advanced functions such as security and clustering).

Some debate rages over the common plaint that NT is less stable and scalable than UNIX-based systems. A few proponents, such as Zor Gorelov, president and CEO of BuzzCompany.com (www.iasoft.com), a developer of a source-level utility that converts ColdFusion tags to ASP scripts, argue for NT's equality. Others suggest that a truly scalable solution must be bought from a third-party vendor. In any case, the existence of vast NT server farms such as that behind Toys 'R' Us seems to indicate that, by workaround or will, scalability is attainable through NT. If you believe in conventional wisdom and don't have expert NT technicians, however, you might want to put your business-to-consumer ecommerce site on something more UNIX-like.

IIS is as powerful as Apache and easier to set up and maintain. It is also compatible with a better set of development tools, such as Visual InterDev and Visual Studio, and with supporting products such as SQL Server. Its SMP capabilities provide ample processing power for most small-to-medium sites, although for ultra-heavy-duty sites, multiprocessor UNIX boxes are your best bet. IIS marries its own Web services with the Windows NT system and networking functions, as well as with Microsoft's Transaction Server 2.0 (for distributed applications). Other perks of the system include Index Server (for indexing HTML pages), Site Analyst (for site management and traffic monitoring) and Mail Server (for non-POP3 mail traffic). In addition to ASP, IIS supports Microsoft DNA technologies such as ActiveX and Visual Basic (VB). These components make SQL database integration and application scripting a virtual snap for developers familiar with the Microsoft family.

© Vibrant Worldwide Inc.