Use of credential roaming for user certificates is recommended

Many organizations start out with Microsoft Certificate Services using only computer certificates, for services like wireless, VPN and web.
The computer certificates reside on both clients and servers.
If you are thinking of using user certificates to validate users, for example for wireless services or client access over VPN, you should consider how the life cycle of the user certificates is handled. It is easy to get domain-joined users enrolled for a user certificate, and as long as they only use their own computer (typically a laptop), they will only have one user certificate.
However, if they log in on another domain-joined computer, they would normally be issued a new user certificate that resides only on that computer. This means that a user will get multiple certificates issued on multiple computers. Technically, the users will be validated without problems as long as the user certificate is used for client authentication and holds the username (UPN) in the certificate. But how will all the (unneeded) certificates be handled in the CA database? Typically they will remain in the CA database, and no one thinks of revoking those that are not needed.
Credential Roaming can address this issue. Credential Roaming is able to copy users' certificates, including private keys, from one computer to another. This is done through AD and is integrated with auto-enrollment, so that auto-enrollment waits for Credential Roaming to finish before a new certificate is enrolled.
Credential Roaming is nice to have in place, as it gives a more consistent and clean CA installation.
In situations where user certificates are used for encryption and signing, it becomes even more important that a user only has one certificate.
So for example, when talking about S/MIME, Credential Roaming becomes almost a must.
You may have seen my other blog entry where I mention that Credential Roaming has problems when used together with EFS and offline files. This, however, is not a problem with Credential Roaming itself. Credential Roaming for S/MIME and handling of other user certificates works fine, and it is recommended to implement this feature. Both Windows XP SP2+ and Windows Vista are supported on the client side. You may need a schema update, depending on the status of your AD environment.
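
To see how many unneeded user certificates have already piled up in the CA database, as described above, the following added example (not part of the original post) scans an export of issued certificates for users who hold more than one unexpired, unrevoked certificate from the same template. The CSV column names and sample rows are constructed for this example, and keeping the newest certificate per user and template is an assumption about which copy is still needed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a CA database export. The column names are assumptions
# for this example; map them to whatever your own export contains.
SAMPLE_EXPORT = """\
RequestID,UPN,Template,NotAfter,Revoked
101,alice@example.test,User,2030-01-10,no
117,Alice@example.test,User,2030-03-02,no
118,alice@example.test,User,2030-03-05,yes
130,bob@example.test,User,2030-02-01,no
131,bob@example.test,SMIME,2030-02-01,no
140,carol@example.test,User,2020-05-01,no
141,carol@example.test,User,2030-05-01,no
"""

def find_duplicate_user_certs(export_text, now):
    """Return {(upn, template): [rows]} for every user who holds more than one
    unexpired, unrevoked certificate issued from the same template."""
    active = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Revoked"].strip().lower() == "yes":
            continue  # already revoked, nothing left to clean up
        if datetime.strptime(row["NotAfter"], "%Y-%m-%d") <= now:
            continue  # expired certificates no longer validate
        # UPNs are compared case-insensitively
        key = (row["UPN"].strip().lower(), row["Template"].strip())
        active[key].append(row)
    return {k: v for k, v in active.items() if len(v) > 1}

def revocation_candidates(duplicates):
    """Keep the newest certificate (highest RequestID) per user and template
    and return the RequestIDs of the others, for manual review."""
    out = []
    for rows in duplicates.values():
        ordered = sorted(rows, key=lambda r: int(r["RequestID"]))
        out.extend(int(r["RequestID"]) for r in ordered[:-1])
    return sorted(out)

if __name__ == "__main__":
    dups = find_duplicate_user_certs(SAMPLE_EXPORT, datetime(2025, 1, 1))
    for (upn, template), rows in sorted(dups.items()):
        ids = ", ".join(r["RequestID"] for r in rows)
        print(f"{upn}: {len(rows)} active '{template}' certificates (requests {ids})")
    print("Review for revocation:", revocation_candidates(dups))
```

For encryption certificates such as S/MIME, confirm which certificate the user's correspondents are actually using before revoking any of the listed requests.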