Autoenrollment Functions

Applies To: Windows Server 2003 with SP1

This section discusses various functions performed by the autoenrollment process on Active Directory domain-joined machines.

Download of Active Directory Certificates and Trust Objects

Autoenrollment automatically downloads and manages trusted root certificates, cross-certificates, and NTAuth certificates from Active Directory into the local machine registry for domain-joined machines. All users who log on to the machine inherit the trust and the certificates that autoenrollment downloads and manages.

Deleting Expired and Revoked Certificates

Autoenrollment deletes expired and revoked certificates in the userCertificate attribute on the user object in Active Directory. This feature can be enabled through user or machine Group Policy to help ensure that only valid and active certificates are used for encryption operations.

The exit module on the Windows Server 2003 CA also helps to manage the user account in Active Directory, but it only deletes expired certificates; it does not remove revoked certificates, for performance reasons. In general, there is no value in publishing a signing certificate to the user object in Active Directory, except for purposes of record-keeping.

Managing User Certificates in the CryptoAPI MY Store

Certificates in the user's local MY certificate store may also be managed through the autoenrollment process. On a per-template basis, autoenrollment can be enabled to delete expired and revoked signature certificates. Encryption certificates and keys are never automatically deleted. However, autoenrollment only manages certificates that correspond to certificate templates defined in Active Directory and that contain the certificate template extension. This feature is enabled by setting this policy on the Request Handling tab in the Properties of a given certificate template (Figure 15).

Figure 15: Managing Certificates

If the Delete revoked or expired certificates check box is not enabled, autoenrollment will archive all expired and revoked certificates in the user's MY store. As mentioned previously, this setting does not affect the userCertificate attribute in Active Directory for the user object.

Note

This feature applies only to encryption keys, not to signature key types, which are not normally published to Active Directory.
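The following PowerShell is an added audit example, not code from the original article: it lists what the two cleanup behaviours described above would act on, expired certificates published in a user's userCertificate attribute and expired template-based signature certificates in the current user's MY store. It assumes a domain-joined machine whose account can read the target user object; the user DN is a placeholder, and the template extension OIDs are the standard Microsoft v1 (1.3.6.1.4.1.311.20.2) and v2 (1.3.6.1.4.1.311.21.7) certificate template extensions.

```powershell
# Added audit helper (not part of the original article). The DN below is a placeholder.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 / v2 certificate template extensions

function Get-CertSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Source)
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $encKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, DataEncipherment, KeyAgreement'
    # Autoenrollment only deletes signature certificates from MY; encryption keys are never deleted.
    $isEncryption = ($null -ne $ku) -and (($ku.KeyUsages -band $encKu) -ne 0)
    [pscustomobject]@{
        Source      = $Source
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        NotAfter    = $Cert.NotAfter
        Expired     = $Cert.NotAfter -lt (Get-Date)
        # Only certificates carrying a template extension are managed by autoenrollment.
        HasTemplate = [bool]($Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value })
        KeyType     = if ($isEncryption) { 'Encryption' } else { 'Signature' }
    }
}

# 1. Certificates published in the user's AD userCertificate attribute (multi-valued, DER blobs)
function Get-PublishedUserCerts {
    param([string]$UserDn)   # placeholder DN, e.g. 'CN=jdoe,OU=Users,DC=example,DC=com'
    $user = [ADSI]"LDAP://$UserDn"
    foreach ($blob in $user.Properties['userCertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        Get-CertSummary -Cert $cert -Source 'AD userCertificate'
    }
}

# 2. Template-based certificates in the current user's MY store
function Get-MyStoreManagedCerts {
    Get-ChildItem Cert:\CurrentUser\My |
        ForEach-Object { Get-CertSummary -Cert $_ -Source 'CurrentUser\My' } |
        Where-Object { $_.HasTemplate }
}

# Expired certificates autoenrollment would remove from the AD user object
Get-PublishedUserCerts -UserDn 'CN=jdoe,OU=Users,DC=example,DC=com' | Where-Object Expired | Format-Table -AutoSize
# Expired signature certificates a template with "Delete revoked or expired certificates" would remove from MY
Get-MyStoreManagedCerts | Where-Object { $_.Expired -and $_.KeyType -eq 'Signature' } | Format-Table -AutoSize
```

Expiry is decided from NotAfter alone; revocation status is not covered here because it requires an online CRL or OCSP check against the issuing CA.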