2007 May 07 - Mon
User Certificate Auto Enrollment
With my 802.1x test setup, machine certificates were being sent to domain machines with no problem, but user certificates were not showing up.
In the group policy object linked directly to the container housing the users that needed certificates, I set the auto-enrollment settings. For some reason they weren't being inherited from the domain default policy. The group policy container is User Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Autoenrollment Settings. 'Enroll Certificates Automatically' needs to be checked, along with its two subsidiary check boxes.
The following command serves as a manual refresh of the policy:
gpupdate /target:user
Enrollment will take several minutes. Running the certmgr.msc mmc snap-in will allow one to check that the certificate has arrived in the Personal -> Certificates store.
The Application Event Log will contain success/failure status for the auto-enrollment.
I also found out from a troubleshooting auto-enrollment article that domain users without email addresses will not auto-enroll. They don't need an actual mailbox, just a value in the email (mail) attribute in Active Directory.
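The checks above (users missing the mail attribute, the Personal store, and the Application log) scripted as an added PowerShell example, not part of the original post. It assumes the ActiveDirectory module (RSAT) is available; the OU distinguished name and CA name are placeholders, and the event provider name is the one used on Vista / Server 2008 and later.

```powershell
# Added example (not from the original post): troubleshooting checks for user
# certificate autoenrollment. Assumes the ActiveDirectory module; OU and CA are placeholders.
Import-Module ActiveDirectory

# Users without a value in the 'mail' attribute will not autoenroll.
# Returns the affected enabled accounts so the attribute can be populated.
function Find-UsersWithoutMail {
    param([string]$SearchBase = 'OU=Staff,DC=example,DC=com')  # placeholder OU
    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties mail |
        Where-Object { [string]::IsNullOrEmpty($_.mail) } |
        Select-Object SamAccountName, DistinguishedName
}

# Lists certificates in the current user's Personal store that were issued
# by the enterprise CA, with the template name each was issued from.
function Get-AutoEnrolledUserCerts {
    param([string]$IssuerMatch = 'CN=EXAMPLE-CA')  # placeholder issuer CN
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            # OID 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates);
            # OID 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2 and later).
            $tmpl = $_.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2','1.3.6.1.4.1.311.21.7' } |
                Select-Object -First 1
            [pscustomobject]@{
                Subject  = $_.Subject
                NotAfter = $_.NotAfter
                Template = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
            }
        }
}

# Pulls recent autoenrollment success/failure events from the Application log.
# The provider name below is the one used on Windows Vista / Server 2008 and later.
function Get-AutoEnrollmentEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Find-UsersWithoutMail | Format-Table -AutoSize
Get-AutoEnrolledUserCerts | Format-Table -AutoSize
Get-AutoEnrollmentEvents | Format-Table -Wrap
```

Run the first function as a domain admin on a workstation with RSAT, and the other two as the user whose certificate is missing, after gpupdate /target:user has completed.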
As further reference, Microsoft has an article on How Autoenrollment Works. There are other related and helpful articles in the same library section.