CCNP Boot Camp UK 

How Autoenrollment Works

This section discusses how autoenrollment works, including autoenrollment and Winlogon, an analysis of the components of the autoenrollment process, and working with certification authority interfaces.

Key Points

Autoenrollment works best in a Windows Server 2003 Enterprise environment where the Windows XP client is integrated with Active Directory.

Only domain-joined machines can use certificate autoenrollment. Although the autoenrollment process does not explicitly look for domain-joined machines, the Winlogon process will not activate userinit.exe unless the machine/user is part of a domain.

Autoenrollment Timing

The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

For additional information, see Updating Group Policy.

  Unlocking the workstation does not trigger autoenrollment; only a full interactive logon or a Group Policy refresh will initiate the Winlogon trigger.

The Autoenrollment Process

The autoenrollment feature handles all aspects of certificate enrollment, renewal, and certificate housekeeping, except in the case where user interaction is explicitly defined on a certificate template in Active Directory. When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time. The last step performed by autoenrollment is user-object cleanup (userCertificate attribute) in Active Directory. Revoked, expired, and superseded certificates are removed from the user object automatically; however, expired certificates are not removed unless a new valid certificate is issued at the same time. Certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.

Requirements List

The autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template or the template will not be enumerated. The user's or machine's MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time-invalid certificates and so on, and add these certificates to the requirements list. For more information about certificate stores, refer to the Microsoft Platform SDK: http://msdn.microsoft.com/library/en-us/security/security/managing_certificates_with_certificate_stores.asp

It is quite possible for a user to have a certificate in the MY store without having permissions set on the corresponding template access control list (ACL) in Active Directory. These certificates will be processed and added to the list, but enrollment will most likely fail because the template permissions do not allow enrollment or renewal at that point in time.

Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object and the requirement will be removed from the list, if successful.

 
Note:
  Checking Active Directory for the presence of an existing certificate associated with the user or machine object can affect performance and may delay autoenrollment processing due to the network and directory requirements for performing this operation. This is because the actual certificates in the userCertificate attribute will be downloaded and examined. When this happens, the directory cannot be queried via Lightweight Directory Access Protocol (LDAP) to simply respond whether a given certificate type exists without downloading and processing the certificates locally.

Autoenrollment also manages the CryptoAPI REQUEST store for the user. This process enumerates each pending request in the store and then installs the pending certificate, if possible, from the issuing CA. If a certificate is to be archived or deleted, based on the certificate template rule, it will be processed as follows:

• If a request already exists in the REQUEST store, this certificate will be removed from the summarized requirements list.
• If a request has been pending for more than 60 days, the request will be deleted and the requirements list will remain as-is.

Autoenrollment can be used to retrieve pending requests only for certificates with template information, for example, an initial request involving a certificate template. The autoenroll ACL on the certificate template is not necessary for the autoenrollment process to retrieve a pending certificate request. If the user enrolls via a Web page and the certificate request is pending, autoenrollment will retrieve the pending request for the user.

Template supersede rules will be evaluated and appropriate additions and deletions will be processed for the requirements list. For example, if the template says "X supersedes Y", it means that if you have been told to enroll for X and Y, you really only need X. If you only have Y, you still must get X. This is the last step in rule processing. After it is done, the requirements list is complete.

For each template that does not require user interaction, the autoenrollment process will create the requests in the background and submit them to a CA. Once this is done, the requirements list is updated.

Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

If a certificate is issued from the CA, it is installed in the user's or machine's MY store. If the certificate is pended [specified by the CA Manager approval check box in the Certificate Template Microsoft Management Console (MMC) snap-in], the request information is saved in the REQUEST store.
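The rules above (Read and Autoenroll ACE enumeration, MY store triage, the 60-day pending-request rule, supersede processing, the CA chain revocation gate with its no-CDP/offline exception, and the issued-versus-pended outcome) are easier to follow as one pass over concrete data. The following Python model is an added illustration, not code from this whitepaper or from Microsoft; every template name, CA name, date and data structure in it is a constructed assumption, and the real client works against the Windows certificate stores and the CA's DCOM interface rather than in-memory lists.

```python
"""Toy model of the autoenrollment requirements-list pass described above. Constructed for
illustration (not Microsoft's code); template and CA names, dates and types are made up."""
import random
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2004, 6, 1)            # constructed "current time" for the sample data
PENDING_MAX_AGE = timedelta(days=60)  # older pending requests are deleted
PendingRequest = namedtuple("PendingRequest", "template submitted")
@dataclass
class Template:
    name: str
    read: bool              # principal holds the Read ACE on the template
    autoenroll: bool        # principal holds the Autoenroll ACE
    supersedes: tuple = ()  # templates this one supersedes

@dataclass
class Cert:
    template: str           # None for a foreign cert / no template extension (unmanaged)
    not_after: datetime
    has_private_key: bool = True
    revoked: bool = False

    def usable(self, now):
        return self.has_private_key and not self.revoked and now < self.not_after

@dataclass
class CA:
    name: str
    can_issue: set
    pend: bool = False               # CA certificate manager approval required
    chain_revoked: bool = False
    has_cdp: bool = True
    revocation_offline: bool = False

def build_requirements(templates, my_store, request_store, now=NOW):
    """Return the sorted requirements list; request_store is pruned in place."""
    by_name = {t.name: t for t in templates}
    required = {t.name for t in templates if t.read and t.autoenroll}  # both ACEs needed
    # MY store triage: an unusable cert for a managed template is a requirement even if the
    # template ACL forbids enrollment (that request fails later); a usable cert clears it.
    managed = [c for c in my_store if c.template is not None]  # foreign certs not managed
    required |= {c.template for c in managed if not c.usable(now)}
    required -= {c.template for c in managed if c.usable(now)}
    # REQUEST store: a live pending request covers its requirement; stale ones are deleted.
    request_store[:] = [r for r in request_store if now - r.submitted <= PENDING_MAX_AGE]
    required -= {r.template for r in request_store}
    # Supersede rules run last: needing X makes a superseded Y unnecessary.
    for name in list(required):
        if name in by_name:
            required -= set(by_name[name].supersedes)
    return sorted(required)

def ca_usable(ca):
    # Chain revocation check before enrolling: a revoked CA is skipped, but a missing CDP
    # or an offline revocation source is ignored rather than treated as revoked.
    return not ca.has_cdp or ca.revocation_offline or not ca.chain_revoked

def enroll(required, templates, cas, my_store, request_store, now=NOW, shuffle=random.shuffle):
    """Submit each requirement to a usable CA; random CA order spreads the load."""
    by_name, outcome = {t.name: t for t in templates}, {}
    for name in required:
        t = by_name.get(name)
        if t is None or not t.autoenroll:
            outcome[name] = "failed: template ACL does not allow enrollment"
            continue
        candidates = [c for c in cas if name in c.can_issue and ca_usable(c)]
        shuffle(candidates)
        ca = next(iter(candidates), None)  # first CA that responds and can issue
        if ca is None:
            outcome[name] = "no usable CA"
        elif ca.pend:
            request_store.append(PendingRequest(name, now))
            outcome[name] = f"pended at {ca.name}"
        else:
            my_store.append(Cert(name, now + timedelta(days=365)))
            outcome[name] = f"issued by {ca.name}"
    return outcome

TEMPLATES = [  # constructed sample state for one user
    Template("User", True, True),
    Template("EFS", True, True),
    Template("EFSv2", True, True, supersedes=("EFS",)),
    Template("ClientAuth", True, True),
    Template("CodeSigning", True, False),  # Read only: enumerated, not autoenrolled
]
MY_STORE = [
    Cert("User", NOW + timedelta(days=300)),                       # valid
    Cert("EFS", NOW - timedelta(days=1)),                          # expired
    Cert("CodeSigning", NOW + timedelta(days=300), revoked=True),  # revoked, no Autoenroll ACE
    Cert(None, NOW + timedelta(days=300)),                         # foreign: ignored
]
REQUEST_STORE = [
    PendingRequest("EFSv2", NOW - timedelta(days=90)),       # stale: deleted
    PendingRequest("ClientAuth", NOW - timedelta(days=10)),  # live: covers ClientAuth
]
CAS = [
    CA("CA-East", {"EFSv2", "CodeSigning"}, pend=True),
    CA("CA-West", {"EFSv2"}, chain_revoked=True),                # revoked: skipped
    CA("CA-Lab", {"EFSv2"}, chain_revoked=True, has_cdp=False),  # no CDP: error ignored
]
```

Running build_requirements over the sample state yields CodeSigning and EFSv2: User is cleared by its valid certificate, ClientAuth by its live pending request, and EFS by the supersede rule, while the revoked CodeSigning certificate is added even though the template lacks an Autoenroll ACE (it then fails in enroll, the situation the text warns about). The shuffle parameter exists only so the load-balancing order can be pinned down in a test.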

Balloon User Interface

For each request that requires user interaction as per the certificate template, the balloon user interface (UI) is invoked.
• Approximately 60 seconds after logon, the balloon UI is displayed. If no user interaction is explicitly defined on the certificate template, no UI will be displayed to the user. This delay is incorporated to allow for speedy application and shell response times during the logon and booting of the client machine.
• If the 60-second delay is not desired, the following registry key may be added on a per-user basis.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress

Using this key in a normal production environment is not recommended. If it is used, it must be created on a per-user basis.

 
Important:
  Machine certificates do not support user interaction and should not be configured to require this setting.
• The balloon UI waits for the user to see the balloon and is activated by a mouse click. Note that after approximately 15 seconds, the balloon pop-up window is replaced in the notification area by a certificate icon that may be activated by a mouse click.
• If no activation occurs within seven hours, the taskbar icon will disappear and the silent thread will re-activate at the next logon, machine reboot, or Group Policy refresh interval, whichever is first.
• Once the user activates the UI, the REQUEST store is checked first for pending requests.

Issuing the Template

Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.

The client contacts a CA through a Distributed Component Object Model (DCOM) interface and supplies a security context through DCOM to provide an authenticated request. The default policy module of the Microsoft Enterprise CA enforces certificate profiles and enrollment security as defined by the templates.

If the certification authority is set to pend the request for an administrator or certificate manager to examine and approve, autoenrollment will periodically query the CA during every Group Policy refresh interval for approved requests. Autoenrollment will also re-enroll templates when Reenroll all certificate holders has been set in Group Policy. For more information, see Certificate Renewal.

Certification Authority Interfaces

The following methods are used by the autoenrollment process for contacting and enrolling against a Microsoft Enterprise CA.
• GetCAProperty
• Submit
• GetLastStatus
• GetRequestId
• GetFullResponseProperty
• GetCertificate
• Release
• RetrievePending

These methods can be found in the Platform SDK at http://msdn.microsoft.com/library/default.asp

Configuring the Certificate Templates

This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained.

Key Point

A version 2 certificate template must first be created in Active Directory to enable autoenrollment.

Default Settings

The following are default settings.
• Only root domain administrators or explicitly delegated users in Active Directory may configure templates in a domain that has been upgraded from Windows 2000 Server.
• Both domain administrators from the root domain and enterprise administrators for fresh installations of Windows Server 2003 domains may configure templates.
• Certificate template ACLs are viewed in the Certificate Templates MMC snap-in.
• Certificate templates can be cloned or edited using the Certificate Templates MMC snap-in.
 
Note:
  Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certification authority may issue a version 2 template certificate.

Creating a New Template for the Autoenrollment of a Smart Card

To create a new template for autoenrollment of a smart card
1. Log on as a domain administrator.
2. Click the Start button, and then click Run.
3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.
 
Note:
  The Certificate Templates MMC snap-in is available on the Server version of Windows Server 2003 or on Windows XP Professional through the Administration Tools Pack installation on the Server media.
7. Click Close.
8. Click OK.
 
Note:
  The Certificate Templates MMC snap-in may also be invoked using the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.
9. In the console tree, click Certificate Templates.
10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template

 

MCSE : Security Specialist

GET CERTIFIED IN JUST 18 DAYS - 2003 PATH

Our 18 day accelerated MCSE 2003: Security+ Training BootCamp provides information technology professionals with the knowledge and skills necessary to install, configure, support, and troubleshoot Microsoft® Windows 2000- and 2003-based networks with a focus on information security in the enterprise. This is an accelerated course, designed for computer professionals who require effective, real-world skill-building and timely certification.

Now Available MCSE Certification Training

The MCSE 2003: Security+ Boot Camp delivers the greatest value on the market for Windows 2003 Certification Training. During the program, students will achieve the following certifications:

  • Microsoft Certified Professional (MCP)
  • Microsoft Certified Systems Administrator (MCSA)
  • CompTIA Security+
  • Microsoft Certified Systems Engineer (MCSE) 

Call About Onsite Courses at your location

  • Course Schedule
  • Curriculum

Our daily schedule incorporates different modes of instruction and learning environments to ensure that students learn, retain, comprehend, and can apply knowledge critical to becoming certified.

    8:15 am to 9:00 am     Breakfast
    9:00 am to 1:00 pm     Instruction
    1:00 pm to 1:30 pm     Lunch
    1:30 pm to 5:30 pm     Instruction/Hands-on Labs
    5:30 pm to 7:30 pm     Dinner and Relaxation
    7:30 pm to 8:00 pm     Wrap Session
    8:00 pm to 9:00 pm     Practice Drills

Our MCSE 2003: Security+ Program:

  • Allows you to achieve your certifications in a fraction of the time of 'traditional training' while delivering industry-leading exam passing percentages
  • Helps students grasp complex technical concepts more easily by identifying and catering to individual student learning styles through a mixed visual, auditory and kinesthetic-tactual delivery system
  • Enhances retention by employing accelerated learning techniques focused on committing information to long-term memory

Wireless Communication Devices

 

You use wireless components to connect networks over distances for which standard network adapters and cable options are not technically or economically feasible. Wireless networks consist of wireless components communicating with LANs.

 

Except for the fact that a cable does not connect the computers, a typical wireless network operates almost like a cabled network: a wireless network adapter with a transceiver (a device that both transmits and receives analog and digital signals) is installed in each computer. Users communicate with the network as if they were using cabled computers.

 

There are two common techniques for wireless transmission in a LAN: infrared transmission and narrowband radio transmission.

 

  • Infrared transmission. Operates by using an infrared light beam to carry the data between devices. There must be a clear line of sight between the transmitting and receiving devices; anything that blocks the infrared signal prevents communication. These systems must generate very strong signals because weak transmission signals are susceptible to interference from light sources, such as windows.

  • Narrowband radio transmission. The user tunes both the transmitter and the receiver to a certain frequency. Narrowband radio does not require line-of-sight focusing because it uses radio waves. However, narrowband radio transmission is subject to interference from steel and load-bearing walls. Narrowband radio is a subscription service. Users pay a fee for radio transmission.

 

Network Topologies

 

A network topology is the arrangement of computers, cables, and other components on a network. It is a map of the physical network. The type of topology you use affects the type and capabilities of the network’s hardware, its management, and possibilities for future expansion.

 

Topology is both physical and logical:

 

  • Physical topology describes how the physical components on a network are connected.
  • Logical topology describes the way network data flows through the physical components.

 

There are five basic topologies:

  • Bus. Computers are connected to a common, shared cable.
  • Star. Computers are connected to cable segments that branch out from a central location, or hub.
  • Ring. Computers are connected to a cable that forms a loop around a central location.
  • Mesh. Computers on the network are connected to every other computer by cable.
  • Hybrid. Two or more topologies are used together.

 

 

 


© Vibrant Worldwide Inc.