CCNP Boot Camp UK 

How Autoenrollment Works

This section discusses how autoenrollment works, including autoenrollment and Winlogon, an analysis of the components of the autoenrollment process, and working with certification authority interfaces.

Key Points

Autoenrollment works best in a Windows Server 2003 Enterprise environment where the Windows XP client is integrated with Active Directory.

Only domain-joined machines can use certificate autoenrollment. Although the autoenrollment process does not explicitly look for domain-joined machines, the Winlogon process will not activate userinit.exe unless the machine/user is part of a domain.

Autoenrollment Timing

The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

For additional information, see Updating Group Policy.

  Unlocking the workstation does not trigger autoenrollment; only a full interactive logon or a Group Policy refresh will initiate the Winlogon trigger.

The Autoenrollment Process

The autoenrollment feature handles all aspects of certificate enrollment, renewal, and certificate housekeeping, except where user interaction is explicitly defined on a certificate template in Active Directory. When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time. The last step performed by autoenrollment is user-object cleanup (the userCertificate attribute) in Active Directory. Revoked, expired, and superseded certificates are removed from the user object automatically; however, expired certificates are not removed unless a new valid certificate is issued at the same time. Certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.

Requirements List

The autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template or the template will not be enumerated. The user's or machine's MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time-invalid certificates, and so on, and these certificates are added to the requirements list. For more information about certificate stores, refer to the Microsoft Platform SDK: http://msdn.microsoft.com/library/en-us/security/security/managing_certificates_with_certificate_stores.asp

It is quite possible that a user has a certificate in the MY store but no permissions on the corresponding template's access control list (ACL) in Active Directory. Such certificates are still processed and added to the list, but enrollment will most likely fail because the template permissions do not allow enrollment or renewal at that point in time.

Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, the userCertificate attribute of the user object is queried for an existing duplicate certificate and, if one is found, the requirement is removed from the list.

 
Note:
  Checking Active Directory for the presence of an existing certificate associated with the user or machine object can affect performance and may delay autoenrollment processing because of the network and directory work required for this operation. The actual certificates in the userCertificate attribute are downloaded and examined locally; the directory cannot simply be asked via the Lightweight Directory Access Protocol (LDAP) whether a given certificate type exists without downloading and processing the certificates on the client.

Autoenrollment also manages the CryptoAPI REQUEST store for the user. This process enumerates each pending request in the store and then installs the pending certificate, if possible, from the issuing CA. If a certificate is to be archived or deleted, based on the certificate template rule, it will be processed as follows:

If a request already exists in the REQUEST store, this certificate will be removed from the summarized requirements list.
If a request has been pending for more than 60 days, the request will be deleted and the requirements list will remain as-is.

Autoenrollment can be used to retrieve pending requests only for certificates with template information, for example, an initial request involving a certificate template. The autoenroll ACL on the certificate template is not necessary for the autoenrollment process to retrieve a pending certificate request. If the user enrolls via a Web page and the certificate request is pending, autoenrollment will retrieve the pending request for the user.

Template supersede rules will be evaluated and appropriate additions and deletions will be processed for the requirements list. For example, if the template says "X supersedes Y", it means that if you have been told to enroll for X and Y, you really only need X. If you only have Y, you still must get X. This is the last step in rule processing. After it is done, the requirements list is complete.

For each template that does not require user interaction, the autoenrollment process will create the requests in the background and submit them to a CA. Once this is done, the requirements list is updated.
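To make the rule processing above concrete, here is an added Python model of how the requirements list is built (example code written for this page, not Microsoft's implementation). The templates, store contents, dates and the boolean Read/Autoenroll ACEs are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Template:
    name: str
    read: bool = True          # Read ACE granted to this user/machine
    autoenroll: bool = False   # Autoenroll ACE granted
    supersedes: tuple = ()     # names of templates this one supersedes

@dataclass
class Cert:                    # entry in the MY (personal) store
    template: Optional[str]    # template extension; None = foreign cert
    not_after: date
    revoked: bool = False
    has_private_key: bool = True

def build_requirements(templates, my_store, pending, today):
    """pending: (template, days pending) pairs from the REQUEST store."""
    by_name = {t.name: t for t in templates}
    # Enumerated only with a Read ACE; required when Autoenroll is also set
    required = {n for n, t in by_name.items() if t.read and t.autoenroll}
    valid, bad = set(), set()
    for c in my_store:
        if c.template not in by_name:
            continue           # foreign or template-less cert: not managed
        ok = not c.revoked and c.has_private_key and c.not_after > today
        (valid if ok else bad).add(c.template)
    required |= bad            # added even without an Autoenroll ACE
    required -= valid          # a valid cert in MY satisfies the requirement
    to_delete = []
    for name, days in pending:
        if days > 60:
            to_delete.append(name)    # stale: delete, requirement stays
        else:
            required.discard(name)    # request already outstanding
    for n in list(required):          # supersede rules run last
        for y in by_name[n].supersedes:
            required.discard(y)       # needing X and Y, X supersedes Y -> X
    return sorted(required), to_delete

def demo(today=date(2004, 1, 15)):    # constructed sample data
    templates = [
        Template("User", autoenroll=True),
        Template("SmartcardUser", autoenroll=True, supersedes=("User",)),
        Template("Workstation"),                        # Read ACE only
        Template("Restricted", read=False, autoenroll=True),
    ]
    my_store = [
        Cert("User", date(2003, 12, 1)),                # expired
        Cert("Workstation", date(2005, 1, 1), revoked=True),
        Cert(None, date(2006, 1, 1)),                   # foreign, ignored
    ]
    pending = [("SmartcardUser", 70), ("Workstation", 5)]
    return build_requirements(templates, my_store, pending, today)
```

In the sample run the expired User certificate and the revoked Workstation certificate both create requirements, the fresh Workstation request cancels its requirement, the 70-day-old SmartcardUser request is deleted while its requirement stays, and the supersede rule then drops User in favour of SmartcardUser.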

Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

If a certificate is issued from the CA, it is installed in the user's or machine's MY store. If the certificate is pended [specified by the CA Manager approval check box in the Certificate Templates Microsoft Management Console (MMC) snap-in], the request information is saved in the REQUEST store.

Balloon User Interface

For each request that requires user interaction as per the certificate template, the balloon user interface (UI) is invoked.
Approximately 60 seconds after logon, the balloon UI is displayed. If no user interaction is explicitly defined on the certificate template, no UI will be displayed to the user. This delay is incorporated to allow for speedy application and shell response times during the logon and booting of the client machine.
If the 60-second delay is not desired, the following registry key may be added on a per-user basis.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress

Using this key in a normal production environment is not recommended. If it is used, it must be created on a per-user basis.

 
Important:
  Machine certificates do not support user interaction and should not be configured to require this setting.
The balloon UI waits for the user to see the balloon and is activated by a mouse click. Note that after approximately 15 seconds, the balloon pop-up window is replaced in the notification area by a certificate icon that may be activated by a mouse click.
If no activation occurs within seven hours, the taskbar icon will disappear and the silent thread will re-activate at the next logon, machine reboot, or Group Policy refresh interval, whichever is first.
Once the user activates the UI, the REQUEST store is checked first for pending requests.

Issuing the Template

Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.

The client contacts a CA through a Distributed Component Object Model (DCOM) interface and supplies a security context through DCOM to provide an authenticated request. The default policy module of the Microsoft Enterprise CA enforces certificate profiles and enrollment security as defined by the templates.

If the certification authority is set to pend the request for an administrator or certificate manager to examine and approve, autoenrollment will periodically query the CA during every Group Policy refresh interval for approved requests. Autoenrollment will also re-enroll templates when Reenroll all certificate holders has been set in Group Policy. For more information, see Certificate Renewal.

Certification Authority Interfaces

The following methods are used by the autoenrollment process for contacting and enrolling against a Microsoft Enterprise CA.
GetCAProperty
Submit
GetLastStatus
GetRequestId
GetFullResponseProperty
GetCertificate
Release
RetrievePending

These methods can be found in the Platform SDK at http://msdn.microsoft.com/library/default.asp

Configuring the Certificate Templates

This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained.

Key Point

A version 2 certificate template must first be created in Active Directory to enable autoenrollment.

Default Settings

The following are default settings.
Only root domain administrators or explicitly delegated users in Active Directory may configure templates in a domain that has been upgraded from Windows 2000 Server.
Both domain administrators from the root domain and enterprise administrators for fresh installations of Windows Server 2003 domains may configure templates.
Certificate template ACLs are viewed in the Certificate Templates MMC snap-in.
Certificate templates can be cloned or edited using the Certificate Templates MMC snap-in.
 
Note:
  Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certification authority may issue a version 2 template certificate.

Creating a New Template for the Autoenrollment of a Smart Card

To create a new template for autoenrollment of a smart card
1. Log on as a domain administrator.
2. Click the Start button, and then click Run.
3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.
 
Note:
  The Certificate Templates MMC snap-in is available on the Server version of Windows Server 2003 or on Windows XP Professional through the Administration Tools Pack installation on the Server media.
7. Click Close.
8. Click OK.
 
Note:
  The Certificate Templates MMC snap-in may also be invoked using the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.
9. In the console tree, click Certificate Templates.
10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template

© Vibrant Worldwide Inc.