CCNP Boot Camp UK 

How Autoenrollment Works

This section discusses how autoenrollment works, including autoenrollment and Winlogon, an analysis of the components of the autoenrollment process, and working with certification authority interfaces.

Key Points

Autoenrollment works best in a Windows Server 2003 Enterprise environment where the Windows XP client is integrated with Active Directory.

Only domain-joined machines can use certificate autoenrollment. Although the autoenrollment process does not explicitly look for domain-joined machines, the Winlogon process will not activate userinit.exe unless the machine/user is part of a domain.

Autoenrollment Timing

The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

For additional information, see Updating Group Policy.

  Unlocking the workstation does not trigger autoenrollment; only a full interactive logon or a Group Policy refresh will initiate the Winlogon trigger.

The Autoenrollment Process

The autoenrollment feature handles all aspects of certificate enrollment, renewal, and certificate housekeeping, except in the case where user interaction is explicitly defined on a certificate template in Active Directory. When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time. The last step performed by autoenrollment is user-object cleanup (the userCertificate attribute) in Active Directory. Revoked, expired, and superseded certificates are removed from the user object automatically; however, expired certificates are not removed unless a new valid certificate is issued at the same time. Certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.

Requirements List

The autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template or the template will not be enumerated. The user's or machine's MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time-invalid certificates, and so on, and add these certificates to the requirements list. For more information about certificate stores, refer to the Microsoft Platform SDK: http://msdn.microsoft.com/library/en-us/security/security/managing_certificates_with_certificate_stores.asp

It is very possible that a user may have a certificate in the MY store but not have permissions set on a template access control list (ACL) in Active Directory. These certificates will be processed and added to the list, but enrollment will most likely fail because the template permissions do not allow enrollment or renewal at that point in time.

Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object and the requirement will be removed from the list, if successful.

Note:
  Checking Active Directory for the presence of an existing certificate associated with the user or machine object can affect performance and may delay autoenrollment processing due to the network and directory requirements for performing this operation. This is because the actual certificates in the userCertificate attribute will be downloaded and examined. The directory cannot simply be asked via Lightweight Directory Access Protocol (LDAP) whether a given certificate type exists; the certificates must be downloaded and processed locally.

Autoenrollment also manages the CryptoAPI REQUEST store for the user. This process enumerates each pending request in the store and then installs the pending certificate, if possible, from the issuing CA. If a certificate is to be archived or deleted, based on the certificate template rule, it will be processed as follows:

If a request already exists in the REQUEST store, this certificate will be removed from the summarized requirements list.
If a request has been pending for more than 60 days, the request will be deleted and the requirements list will remain as-is.

Autoenrollment can be used to retrieve pending requests only for certificates with template information, for example, an initial request involving a certificate template. The autoenroll ACL on the certificate template is not necessary for the autoenrollment process to retrieve a pending certificate request. If the user enrolls via a Web page and the certificate request is pending, autoenrollment will retrieve the pending request for the user.

Template supersede rules will be evaluated and appropriate additions and deletions will be processed for the requirements list. For example, if the template says "X supersedes Y", it means that if you have been told to enroll for X and Y, you really only need X. If you only have Y, you still must get X. This is the last step in rule processing. After it is done, the requirements list is complete.

For each template that does not require user interaction, the autoenrollment process will create the requests in the background and submit them to a CA. Once this is done, the requirements list is updated.
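The following Python is an added illustration of the requirements-list pass described above; it is a constructed model, not Microsoft's autoenrollment code. It applies the rules the text states (Read plus Autoenroll ACEs, MY-store certificates that are revoked, expired or lack a private key, pending requests older than 60 days, and supersede rules applied last) to simplified template, ACL and certificate records built inline. All record layouts, names and dates are assumptions made for the example; the only detail the page does not state is that a template already pending in the REQUEST store is not re-added by a supersede rule, which is marked as an assumption in the code.

```python
# Added example (not Microsoft's autoenrollment code): a simplified model of
# how the requirements list is assembled. Templates, ACLs, certificates and
# pending requests are plain dictionaries constructed inline for illustration.
from datetime import datetime, timedelta

READ, AUTOENROLL = "Read", "Autoenroll"
PENDING_MAX_AGE = timedelta(days=60)   # pending requests older than this are deleted


def enumerate_templates(templates, principal_acl):
    """Templates the machine/user can both Read and Autoenroll for."""
    return [name for name in templates
            if {READ, AUTOENROLL} <= principal_acl.get(name, set())]


def cert_is_valid(cert, now):
    """A MY-store certificate is usable only if it has a private key,
    is not revoked and is inside its validity period."""
    return (cert["has_private_key"] and not cert["revoked"]
            and cert["not_before"] <= now <= cert["not_after"])


def build_requirements(templates, principal_acl, my_store, request_store, now):
    """Return (sorted requirement list, surviving pending requests)."""
    reqs = set(enumerate_templates(templates, principal_acl))

    # MY store: an unusable certificate adds its template even when the ACL
    # would not allow enrollment (such requests usually fail later);
    # a valid certificate for a template satisfies that requirement.
    for cert in my_store:
        template = cert.get("template")
        if template is None:
            continue  # foreign certificate / no template extension: not managed
        if not cert_is_valid(cert, now):
            reqs.add(template)
    for cert in my_store:
        if cert.get("template") and cert_is_valid(cert, now):
            reqs.discard(cert["template"])

    # REQUEST store: stale requests are deleted and leave the list as-is;
    # a fresh pending request suppresses a duplicate request.
    kept_requests = [r for r in request_store
                     if now - r["submitted"] <= PENDING_MAX_AGE]
    pending = {r["template"] for r in kept_requests}
    reqs -= pending

    # Supersede rules run last: if X supersedes Y and Y is required, Y is
    # dropped and X required instead. Not re-adding an X that is already
    # pending is an assumption of this model. Bounded loop guards cycles.
    for _ in range(len(templates)):
        changed = False
        for name, tmpl in templates.items():
            for old in tmpl.get("supersedes", ()):
                if old in reqs:
                    reqs.discard(old)
                    if name not in pending:
                        reqs.add(name)
                    changed = True
        if not changed:
            break
    return sorted(reqs), kept_requests


# Constructed sample data (dates and names chosen for illustration).
NOW = datetime(2004, 1, 15)
TEMPLATES = {
    "User": {"supersedes": ()},
    "SmartcardUser": {"supersedes": ("User",)},
    "Workstation": {"supersedes": ()},
}
ACL = {  # effective ACEs for the logged-on user on each template
    "User": {READ, AUTOENROLL},
    "SmartcardUser": {READ, AUTOENROLL},
    "Workstation": {READ},             # no Autoenroll ACE: never requested
}
MY_STORE = [
    {"template": "User", "has_private_key": True, "revoked": False,
     "not_before": datetime(2002, 1, 1), "not_after": datetime(2003, 1, 1)},  # expired
    {"template": None, "has_private_key": True, "revoked": False,
     "not_before": datetime(2003, 1, 1), "not_after": datetime(2005, 1, 1)},  # foreign
]


def stale_request_case():
    """A SmartcardUser request pending 90 days is deleted; supersede then
    folds the User requirement into SmartcardUser."""
    request_store = [{"template": "SmartcardUser",
                      "submitted": NOW - timedelta(days=90)}]
    return build_requirements(TEMPLATES, ACL, MY_STORE, request_store, NOW)


def fresh_request_case():
    """A 10-day-old SmartcardUser request is kept and nothing new is needed."""
    request_store = [{"template": "SmartcardUser",
                      "submitted": NOW - timedelta(days=10)}]
    return build_requirements(TEMPLATES, ACL, MY_STORE, request_store, NOW)


if __name__ == "__main__":
    print(stale_request_case()[0])   # ['SmartcardUser']
    print(fresh_request_case()[0])   # []
```

The two cases show why the order of the passes matters: the same expired User certificate and the same SmartcardUser template produce a new request in one case and none in the other, depending only on whether a pending request in the REQUEST store is still within the 60-day window.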

Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

If a certificate is issued from the CA, it is installed in the user's or machine's MY store. If the certificate is pended [specified by the CA Manager approval check box in the Certificate Templates Microsoft Management Console (MMC) snap-in], the request information is saved in the REQUEST store.

Balloon User Interface

For each request that requires user interaction as per the certificate template, the balloon user interface (UI) is invoked.
Approximately 60 seconds after logon, the balloon UI is displayed. If no user interaction is explicitly defined on the certificate template, no UI will be displayed to the user. This delay is incorporated to allow for speedy application and shell response times during the logon and booting of the client machine.
If the 60-second delay is not desired, the following registry key may be added on a per-user basis.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress

Using this key in a normal production environment is not recommended. If it is used, it must be created on a per-user basis.

Important:
  Machine certificates do not support user interaction and should not be configured to require this setting.
The balloon UI waits for the user to see the balloon and is activated by a mouse click. Note that after approximately 15 seconds, the balloon pop-up window is replaced in the notification area by a certificate icon that may be activated by a mouse click.
If no activation occurs within seven hours, the taskbar icon will disappear and the silent thread will re-activate at the next logon, machine reboot, or Group Policy refresh interval, whichever is first.
Once the user activates the UI, the REQUEST store is checked first for pending requests.

Issuing the Template

Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.
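As an added example covering both the revocation check of the issuing CA's chain (described earlier) and the random-order CA selection described in the paragraph above, the Python below models those two rules; it is constructed for this page and is not Microsoft code. The CA records, chain status values, template names and the `responds` flag are assumptions made for illustration.

```python
# Added example (not Microsoft code): a constructed model of how autoenrollment
# chooses an Enterprise CA and the revocation rule applied before sending a
# request to it. CA records and chain status values are inline test data.
import random


def chain_revocation_ok(chain):
    """chain: per-certificate status from the issuing CA up to the root.
    Only a definite 'revoked' answer rejects the CA; a certificate with no
    CDP extension, or whose revocation status is offline, is ignored."""
    for cert in chain:
        if not cert["has_cdp"]:
            continue            # no CRL Distribution Point: error ignored
        if cert["status"] == "offline":
            continue            # revocation status unavailable: error ignored
        if cert["status"] == "revoked":
            return False
    return True


def choose_issuing_ca(cas, template, rng=random):
    """Try every Enterprise CA that publishes the template, in random order
    (load balancing), until one passes the revocation check and responds.
    Returns (chosen CA name or None, names tried in order)."""
    candidates = [ca for ca in cas if template in ca["templates"]]
    rng.shuffle(candidates)
    tried = []
    for ca in candidates:
        tried.append(ca["name"])
        if not chain_revocation_ok(ca["chain"]):
            continue            # revoked CA: no request is sent to it
        if ca["responds"]:
            return ca["name"], tried
    return None, tried


# Constructed sample CAs (names, templates and chain states are made up).
CAS = [
    {"name": "CA-A", "templates": {"User", "SmartcardUser"}, "responds": True,
     "chain": [{"has_cdp": True, "status": "revoked"},      # definite revocation
               {"has_cdp": True, "status": "good"}]},
    {"name": "CA-B", "templates": {"User", "SmartcardUser"}, "responds": False,
     "chain": [{"has_cdp": False, "status": "unknown"}]},   # no CDP: check skipped
    {"name": "CA-C", "templates": {"SmartcardUser"}, "responds": True,
     "chain": [{"has_cdp": True, "status": "offline"},      # offline: ignored
               {"has_cdp": True, "status": "good"}]},
    {"name": "CA-D", "templates": {"Workstation"}, "responds": True,
     "chain": [{"has_cdp": True, "status": "good"}]},       # does not issue template
]


def pick_smartcard_ca(seed=None):
    """Select a CA for the SmartcardUser template; seed makes the order repeatable."""
    return choose_issuing_ca(CAS, "SmartcardUser", random.Random(seed))


if __name__ == "__main__":
    print(pick_smartcard_ca()[0])   # CA-C
```

Whatever order the shuffle produces, CA-A is skipped because its chain is definitely revoked, CA-B passes the (skipped) check but never answers, and CA-D is never tried because it does not publish the template, so CA-C is the only CA that can win.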

The client contacts a CA through a Distributed Component Object Model (DCOM) interface and supplies a security context through DCOM to provide an authenticated request. The default policy module of the Microsoft Enterprise CA enforces certificate profiles and enrollment security as defined by the templates.

If the certification authority is set to pend the request for an administrator or certificate manager to examine and approve, autoenrollment will periodically query the CA during every Group Policy refresh interval for approved requests. Autoenrollment will also re-enroll templates when Reenroll all certificate holders has been set in Group Policy. For more information, see Certificate Renewal.

Certification Authority Interfaces

The following methods are used by the autoenrollment process for contacting and enrolling against a Microsoft Enterprise CA.
GetCAProperty
Submit
GetLastStatus
GetRequestId
GetFullResponseProperty
GetCertificate
Release
RetrievePending

These methods can be found in the Platform SDK at http://msdn.microsoft.com/library/default.asp

Configuring the Certificate Templates

This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained.

Key Point

A version 2 certificate template must first be created in Active Directory to enable autoenrollment.

Default Settings

The following are default settings.
Only root domain administrators or explicitly delegated users in Active Directory may configure templates in a domain that has been upgraded from Windows 2000 Server.
Both domain administrators from the root domain and enterprise administrators for fresh installations of Windows Server 2003 domains may configure templates.
Certificate template ACLs are viewed in the Certificate Templates MMC snap-in.
Certificate templates can be cloned or edited using the Certificate Templates MMC snap-in.
Note:
  Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certification authority may issue a version 2 template certificate.

Creating a New Template for the Autoenrollment of a Smart Card

To create a new template for autoenrollment of a smart card
1. Log on as a domain administrator.
2. Click the Start button, and then click Run.
3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.
Note:
  The Certificate Templates MMC snap-in is available on Windows Server 2003, or on Windows XP Professional through the Administration Tools Pack installed from the Server media.
7. Click Close.
8. Click OK.
Note:
  The Certificate Templates MMC snap-in may also be invoked from the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.
9. In the console tree, click Certificate Templates.
10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template.

Payless MCSE Boot camp offers Payless MCSE boot camp, MCSE training boot camp, MCSE certification boot camp, MCSE Cisco Boot camp, MCSE Certification training boot camp. MCSE Training certification boot camp, MCSE Boot Training Camp, MCSE boot certification camp, MCSE UK Boot camp, MCSE san Mateo Boot camp, MCSE Japan boot camp, MCSE USA Boot camp, MCSE Europe Boot camp, MCSE guaranteed boot camp.

  • Do you want to become a real MCSE, CCNA or CCNP certified professional?
  • Do you want to pay less for certification?
  • Do you want to finish in 2/3 weeks?

MCSE Bootcamp Training - Cheapest, Fast, Guaranteed MCSE certification

MCSE : Security Specialist

GET CERTIFIED IN JUST 18 DAYS - 2003 PATH

Our 18 day accelerated MCSE 2003: Security+ Training BootCamp provides information technology professionals with the knowledge and skills necessary to install, configure, support, and troubleshoot Microsoft® Windows 2000- and 2003-based networks with a focus on information security in the enterprise. This is an accelerated course, designed for computer professionals that require effective, real-world skill-building and timely certification.

Now Available MCSE Certification Training

The MCSE 2003: Security+ Boot Camp delivers the greatest value on the market for Windows 2003 Certification Training. During the program, students will achieve the following certifications:

  • Microsoft Certified Professional (MCP)
  • Microsoft Certified Systems Administrator (MCSA)
  • CompTIA Security+
  • Microsoft Certified Systems Engineer (MCSE) 

Call About Onsite Courses at your location

  • Course Schedule
  • Curriculum

Microsoft MCSE MCSA Certification Training Boot Camp Class Course

The MCSE Boot Camp is unlike any other. With our class, you will learn more.

Our MCSE 2003: Security+ Accelerated Certification Program is the most effective, efficient way to learn how to successfully design, plan, and implement a network infrastructure, Active Directory® infrastructure, and client deployment on the Windows Server 2003 platform. 

Daily lectures, labs, and review sessions are supplemented by a combination of:

  • Proprietary Lab Manual & Microsoft Courseware - developed in conjunction with Microsoft, adapting Microsoft Official Curriculum to address the demands of accelerated learners
  • Authorized CompTIA Security+ Lab Manual & Courseware
  • Self Test™ or Transcender® Testing Software

18-day Boot Camp Class

The MCSE 2003: Security+ Program prepares students to achieve four (4) certifications during the program: MCSE 2003, MCSA 2003, MCP, and CompTIA Security+.

Our program for Microsoft certification is the most comprehensive, flexible educational format available.

Your training may also be partially tax-deductible.

Curriculum for the accelerated Microsoft Windows Training Course

The school's primary goal is your education.
We provide thorough instructor-led training to ensure that you learn the fundamentals, obtain hands-on skills and earn your certification. You will emerge able to immediately apply your new knowledge in your career environment. 

We have an aggressive educational class schedule that thoroughly covers all essential elements necessary to become Microsoft certified.

    Day 1-5 Installing, Configuring, and Administering Microsoft Windows XP Professional   70-270
    Day 6-7 Managing and Maintaining a Microsoft Windows Server 2003 Environment   70-290
    Day 8-9 CompTIA Security+  SY0-101
    Day 10-13 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure   70-291
    Day 14 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure   70-294
    Day 15-16 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure   70-297
    Day 17 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure   70-293
    Day 18 Final Review/Makeup Day

Our daily schedule incorporates different modes of instruction and learning environments to ensure that students learn, retain, comprehend, and can apply knowledge critical to becoming certified.

    8:15 am to 9:00 am     Breakfast
    9:00 am to 1:00 pm     Instruction
    1:00 pm to 1:30 pm     Lunch
    1:30 pm to 5:30 pm     Instruction/Hands-on Labs
    5:30 pm to 7:30 pm     Dinner and Relaxation
    7:30 pm to 8:00 pm     Wrap Session
    8:00 pm to 9:00 pm     Practice Drills

Our MCSE 2003: Security+ Program:

  • Allows you to achieve your certifications in a fraction of the time of 'traditional training' while delivering industry-leading exam passing percentages
  • Helps students grasp complex technical concepts more easily by identifying and catering to individual student learning styles through a mixed visual, auditory and kinesthetic-tactual delivery system
  • Enhances retention by employing accelerated learning techniques focused on committing information to long-term memory
Books: Developing the right Web presence
Find the right standards for your Web site.

Managing the development of a large, complex Web site is much like heading up a big software project.

One key difference: Web development managers often must deal with a wider range of personalities and creative temperaments within their groups, writes Jessica Burdman in her book “Collaborative Web Development” (Addison-Wesley, $34.95, paperback).

Programmers, graphics designers and writers all work differently and often need different handling in the midst of a project. How you drive yourself as a manager also must be balanced against the needs, goals and energy level of the design team, she contends.

Burdman, director of production at Red Sky Interactive, believes that “the central problem with Web development is the lack of clear standards or methods for creating Web sites.”

Her carefully structured book gives solid guidelines for organizing a Web development team, getting members to buy in to the goals and methodologies and tracking progress and quality as a site is created and put into service.

The accompanying CD-ROM provides a variety of templates and documents to help ramp up a project, then keep it on track with proper specifications, approvals, quality measurements and test procedures.

In “Collaborative Web Development,” one scheme does not fit all. The author wisely has included interviews with development managers for several large Web projects. Detailed case studies focus on successes—and failures—in real-world Web development projects. “Everyone needs a good failure in order to learn something,” Burdman states.

Her book gives insights into the development of three different types of Web sites. These are: (1) static, where elements remain the same after you create them; (2) data-driven, where pages are created dynamically based on the user’s input; and (3) the still-evolving “immersive experience” sites made possible by broadband Internet access.

Being a Web development manager may require familiarity with many different software tools. In an appendix titled “Web Team Resource Guide,” the author provides quick highlights for several leading packages, including software for project management, graphics, multimedia and animation and software testing, plus other applications.

In her view, “everything depends on a good, productive and balanced team.” Clear communications and well-defined standards and processes are essential.

© Vibrant Worldwide Inc.