User certificates - Part III


Amongst the discussion in my previous thread about user autoenrollment certificates and 802.1x (https://social.technet.microsoft.com/forums/windowsserver/en-us/53be440f-4b12-4147-b9c7-44de2594cd25/user-certificate-autoenrollment-personal-store-questions?forum=winserversecurity), I believe I muddied the waters.

Backstory:

I had one user autoenrollment certificate for each user (a duplicated User template, configured per the settings in https://technet.microsoft.com/en-us/library/cc770857.aspx, with a few company requirements: signature and encryption configuration, publishing in AD, and not selecting the "Delete revoked or expired certificates (do not archive)" option on the Request Handling tab) on our original CA (which was a single enterprise online root CA). We are moving to a two-tier PKI, utilizing the methods in http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx. The new PKI was brought up, and I did "Reenroll Certificate Template Holders" for our computer autoenrollment certs, which worked fine, replacing the computer autoenrollment certs from the original root CA with ones from the new PKI.

Returning to the current state of things with the user autoenrollment certs... as in the previous thread linked at the top, I was worried about user certs not being in the personal store of every computer a user logged on to when using multiple computers, with the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option turned on. I decided to uncheck that and thought I would accept a user account having multiple certificates, because they would at least show up in the personal store of every computer logged on to. I did this because I was under the impression that 802.1x did not support credential roaming, which was pointed out as being false in the previous thread.

I decided to go back to having one user certificate and enable credential roaming. I re-enabled the checkbox "Do not automatically reenroll if a duplicate certificate exists in Active Directory". The problem at this point was that I had multiple user certificates issued to users from the new PKI (because I had allowed duplicates). I decided to revoke the user autoenrollment certs issued from the new PKI, with the idea that they would be cleaned up in the personal store and in the Active Directory object store, leaving the one from the original CA, and then "Reenroll Certificate Template Holders" so that the one original user cert would be updated to the new PKI.

Sooo... I have a bunch of revoked certificates (I used "Cease of Operation", so I can't unrevoke them) that still exist in the personal and Active Directory user object stores, and I think they are not going to be removed automatically when the CRL hits its next interval, because I couldn't select the "Delete revoked or expired certificates (do not archive)" option.

What is the proper way to proceed at this point to get user accounts to have one user autoenrollment cert before I enable credential roaming? Do I have to manually delete the revoked certs from AD? I wanted there to be one user autoenrollment cert, because I'm not sure how Cisco ISE doing 802.1x authentication will handle it when there are multiple user certificates (which one to use, etc.).

Interestingly, I checked an admin account on a server and the revoked user autoenrollment certs were removed from the personal store and AD, leaving the one from the original CA. However, when checking a standard user account on a different server, the revoked certificates were still in the personal store and still in AD as well. So, I went to the server where the admin account looked cleaned up and logged in with the standard account, and the revoked certs were gone and it created one new one from the new PKI. The AD store had the new one as well.

I guess it may work the way I was hoping, at least so far!
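Added example, not from the original post: a PowerShell audit that lists one account's autoenrolled user certificates in both places the post is concerned with (the logged-on user's personal store and the userCertificate attribute on the AD object), flags revoked ones via an online chain build, and reports whether exactly one valid cert remains. It assumes PowerShell 5 or later, the RSAT ActiveDirectory module, a reachable CRL, and a template name or OID substring supplied by the caller (the 'User' default is a placeholder).

```powershell
# Audit one account's user certificates in the personal store and in AD, flagging revoked ones.
# Assumptions: PowerShell 5+, RSAT ActiveDirectory module, CRL reachable from this host.
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$SamAccountName = $env:USERNAME,  # account to audit; defaults to the logged-on user
    [string]$TemplateMatch  = 'User'          # placeholder: substring of the template name or OID
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-TemplateInfo([X509Certificate2]$Cert) {
    # V1 templates carry the name in OID 1.3.6.1.4.1.311.20.2; V2+ carry the template OID in ...21.7
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return '<no template extension>'
}

function Test-Revoked([X509Certificate2]$Cert) {
    # Build the chain with online revocation checking and look for the Revoked status flag
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($Cert)
    return [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag([X509ChainStatusFlags]::Revoked) })
}

# Personal store of the logged-on user: only certs from the template of interest
$local = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { (Get-TemplateInfo $_) -like "*$TemplateMatch*" })

# Same account's AD object: userCertificate holds one DER blob per published certificate
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$inAD = @(foreach ($der in $user.userCertificate) {
    $c = [X509Certificate2]::new([byte[]]$der)
    if ((Get-TemplateInfo $c) -like "*$TemplateMatch*") { $c }
})

# One row per distinct certificate: where it still lives and whether the CA says it is revoked
$report = @($local + $inAD | Sort-Object Thumbprint -Unique | ForEach-Object {
    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        Template     = Get-TemplateInfo $_
        NotAfter     = $_.NotAfter
        Revoked      = Test-Revoked $_
        InLocalStore = $local.Thumbprint -contains $_.Thumbprint
        InAD         = $inAD.Thumbprint  -contains $_.Thumbprint
    }
})
$report | Format-Table -AutoSize
# Goal from the post: exactly one valid (unrevoked, unexpired) user cert per account
$valid = @($report | Where-Object { -not $_.Revoked -and $_.NotAfter -gt (Get-Date) })
"{0}: {1} valid certificate(s), {2} revoked leftover(s) still stored or published" -f $SamAccountName, $valid.Count, @($report | Where-Object Revoked).Count
```

Because Cert:\CurrentUser\My is the interactive user's store, run this while logged on as the account being audited, as the poster did when comparing the admin and standard accounts; the AD side can be checked for any account the caller can read.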


