Active Directory 2008: Certificate Services Autoenrollment Facts

Autoenrollment Facts

With autoenrollment, certificates can be requested, issued and renewed without user intervention. The autoenrollment client also downloads certificates published in Active Directory into the local certificate stores (held in the registry) of domain-joined machines and of the users who log on to them, and it cleans up the user object in Active Directory by removing revoked and expired certificates.

Autoenrollment can only be configured on version 2 or later certificate templates, which also means you need an enterprise CA running Windows Server 2003 Enterprise Edition or later (version 3 templates, which use CNG, require a Windows Server 2008 CA). Configuring autoenrollment takes the following steps:

  1. Edit the certificate template. If the template is a version 1 template, duplicate it to create a version 2 or version 3 template: the built-in version 1 templates cannot be modified, and only version 2 and later templates expose the Autoenroll settings.
    • On the Security tab, grant the users or computers that should receive the certificate the Read, Enroll and Autoenroll permissions.
    • On the Request Handling tab, make sure Enroll subject without requiring any user input is selected so that enrollment runs without prompts. (For smart card templates this option is automatically deselected and Prompt the user during enrollment becomes the default, so that users can enter their PIN.)
    • On the Subject Name tab, make sure Build from this Active Directory information is selected. Supply in the request requires the requester to type the subject name, which defeats unattended enrollment; it also lets the requester choose the name that ends up on the certificate, so do not leave it on a template that a broad group can enroll in.
    • On the Issuance Requirements tab, do not require authorized signatures (or CA certificate manager approval). Signatures require manual approval, and requests stay in a pending state until the required signatures are obtained.
  2. Publish the certificate template on the CA: in the Certification Authority console, right-click Certificate Templates, select New > Certificate Template to Issue, and pick the template.
  3. Edit Group Policy and enable autoenrollment for computers, users or both. Under Computer Configuration or User Configuration, browse to Policies\Windows Settings\Security Settings\Public Key Policies, open Certificate Services Client – Auto-Enrollment and set the Configuration Model to Enabled.
    The same policy carries two options: Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates. With the second option enabled:

    • You can force users to re-enroll for a certificate template by incrementing the template's version number. At logon or boot (and every eight hours thereafter), when the autoenrollment client queries Active Directory for the templates it is entitled to, it compares each template's version number with the version recorded in the certificates it already holds; if the template version has been incremented, the client re-enrolls.
    • To increment a template's version number, right-click the template in the Certificate Templates console and select Reenroll All Certificate Holders. This bumps the major version; merely editing and saving a template changes only the minor version, which does not trigger re-enrollment.
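The following script is an added example, not part of the original article, that checks one template against the three steps above from an ordinary domain-joined host: it reads the template's msPKI-* attributes and its ACL from the Configuration partition, looks up which enterprise CAs publish it, reads the local Auto-Enrollment policy from the registry, and can trigger an autoenrollment pass with certutil -pulse. The flag bits and the Enroll/Autoenroll extended-right GUIDs are the documented values from MS-CRTD and the AD schema; the template name passed in, and the -Trigger switch, are this script's own illustrative parameters.

```powershell
# Added example (not from the original article): audit a certificate template
# for autoenrollment readiness. Assumes a domain-joined host with LDAP access to
# the Configuration partition. -TemplateName is whatever you called your
# duplicated template; -Trigger is this script's own convenience switch.
param(
    [Parameter(Mandatory)][string]$TemplateName,
    [switch]$Trigger
)

# Flag bits in the msPKI-* template attributes (MS-CRTD) and the GUIDs of the
# Enroll and Autoenroll extended rights.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100  # msPKI-Enrollment-Flag: "Prompt the user during enrollment"
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"
$tmpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
try { $tmpl.RefreshCache() } catch { throw "Template '$TemplateName' not found in AD" }

# Step 1: template settings.
$schema   = [int]$tmpl.'msPKI-Template-Schema-Version'.Value   # 1 = cannot be autoenrolled
$nameFlag = [int]$tmpl.'msPKI-Certificate-Name-Flag'.Value
$enrFlag  = [int]$tmpl.'msPKI-Enrollment-Flag'.Value
$raSigs   = [int]$tmpl.'msPKI-RA-Signature'.Value            # authorized signatures required
$version  = '{0}.{1}' -f $tmpl.revision.Value, $tmpl.'msPKI-Template-Minor-Revision'.Value

# Step 1: who holds Enroll / Autoenroll. Both are extended rights; an ACE with
# an empty ObjectType (or GenericAll) grants every extended right.
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) }
$enrollers     = $rules | Where-Object { $_.ObjectType -in $EnrollGuid, [guid]::Empty }     | ForEach-Object IdentityReference
$autoenrollers = $rules | Where-Object { $_.ObjectType -in $AutoenrollGuid, [guid]::Empty } | ForEach-Object IdentityReference

# Step 2: each enterprise CA lists the templates it issues in certificateTemplates.
$publishedOn = foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
    if (@($ca.certificateTemplates) -contains $TemplateName) { $ca.cn.Value }
}

# Step 3: the Auto-Enrollment GPO lands in AEPolicy under the Cryptography policy
# key (HKLM for the computer policy, HKCU for the user policy). Bit 0x8000 means
# "Disabled"; 7 is what the policy writes for Enabled with both options ticked.
$policy = foreach ($hive in 'HKLM', 'HKCU') {
    $v = (Get-ItemProperty "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
            -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $state = if ($null -eq $v) { 'not configured' } elseif ($v -band 0x8000) { 'disabled' } else { 'enabled' }
    '{0}: {1} (AEPolicy={2})' -f $hive, $state, $v
}

$findings = @()
if ($schema -lt 2) { $findings += 'version 1 template: duplicate it first' }
if ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
    $findings += '"Supply in the request" is set: subject is not built from AD and the enrollee picks the name'
}
if ($enrFlag -band $CT_FLAG_USER_INTERACTION_REQUIRED) {
    $findings += '"Prompt the user during enrollment" is set (expected only for smart card templates)'
}
if ($enrFlag -band $CT_FLAG_PEND_ALL_REQUESTS) { $findings += 'CA manager approval required: requests will sit pending' }
if ($raSigs -gt 0) { $findings += "$raSigs authorized signature(s) required: requests will sit pending" }
if (-not $autoenrollers) { $findings += 'nobody holds the Autoenroll permission' }
if (-not $publishedOn) { $findings += 'template is not published on any enterprise CA' }
$summary = if ($findings) { $findings -join '; ' } else { 'OK' }

[pscustomobject]@{
    Template      = $TemplateName
    SchemaVersion = $schema
    Version       = $version      # major.minor; Reenroll All Certificate Holders bumps the major part
    Enroll        = ($enrollers -join ', ')
    Autoenroll    = ($autoenrollers -join ', ')
    PublishedOn   = ($publishedOn -join ', ')
    Policy        = ($policy -join '; ')
    Findings      = $summary
}

# Optional: refresh policy and kick the autoenrollment task instead of waiting
# for the next logon or the eight-hour timer.
if ($Trigger) {
    gpupdate /target:user /force | Out-Null
    certutil -pulse
}
```

Run it as `.\Test-AutoenrollTemplate.ps1 -TemplateName 'User Autoenroll' -Trigger` (the file and template names are placeholders), then confirm the result with `Get-ChildItem Cert:\CurrentUser\My` for a user template or `Cert:\LocalMachine\My` for a computer template. Anything reported under Findings maps directly to one of the three steps above; a template that passes but still yields no certificate usually points at the Read permission missing on the Security tab or at the machine not having refreshed Group Policy yet.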
