Wednesday, March 06, 2013 2:48 PM
I recently completed implementation of credential roaming in my environment, primarily for 802.1x Wireless Authentication.
We've had some new laptops join the domain and found that the user's certificate from Active Directory is not being imported into the local user certificate store on these new computers. I have tried:
- certutil -pulse, which did not import the user certificate into the local store.
- revoking the existing user certificate on the CA and deleting the certificate from the user object in Active Directory. User now has no certificate, and logoff/logon does not generate a new one.
I know that the policy applies because the new computers have a computer certificate.
So I have some immediate questions:
1. Is there an easy way to import the user certificate in Active Directory to the local certificate store on the computer?
2. What methods can I use to troubleshoot the enrollment for the new user certificate?
3. In some cases, a user's local profile was backed up from their old computer and restored to the new one. Would this process also restore the user's personal certificate profile? Where is this content within the user's profile?
Thanks in advance for your guidance.
Wednesday, March 06, 2013 11:49 PM
Turns out my problem was not related to Certificate Services at all, but with a security filter change to the Auto Enrollment Group Policy Object.
Domain Users was removed from the security filter, so credential roaming settings were being filtered out. This also prevented new users from auto enrolling for certificates. Once I added Domain Users back to the security filter, credential roaming began to work as it should.
- Marked as answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Thursday, March 07, 2013 3:37 AM
Thursday, March 07, 2013 3:37 AM (Moderator)
Thanks for sharing your experience and solution.
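The check that would have found this quickly, as an added example that is not code from the original thread: confirm that the auto-enrollment GPO still grants "Apply Group Policy" to the user population, confirm it actually lands in the affected user's resultant set of policy, then run the same auto-enrollment pulse the poster tried and look at what the user store contains. The GPO name "Certificate Auto-Enrollment" and the filtering group "Domain Users" are assumptions; substitute your own. It runs in the affected user's session on a workstation with the GroupPolicy module (RSAT) installed.

```powershell
# Added example for this thread, not code posted by the original author.
# Assumptions (adjust to your environment): the auto-enrollment GPO is named
# "Certificate Auto-Enrollment" and "Domain Users" is the group that must keep
# the "Apply Group Policy" (GpoApply) permission on it.
Import-Module GroupPolicy -ErrorAction Stop

$GpoName         = 'Certificate Auto-Enrollment'   # assumed GPO name
$RequiredTrustee = 'Domain Users'                  # assumed filtering group

function Test-GpoSecurityFilter {
    param([string]$Name, [string]$Trustee)
    $gpo   = Get-GPO -Name $Name -ErrorAction Stop
    # Security filtering in GPMC is the set of trustees holding GpoApply.
    $apply = Get-GPPermission -Guid $gpo.Id -All |
             Where-Object { $_.Permission -eq 'GpoApply' }

    Write-Host "Trustees with 'Apply Group Policy' on '$Name':"
    foreach ($p in $apply) {
        Write-Host ("  {0}\{1}" -f $p.Trustee.Domain, $p.Trustee.Name)
    }

    $present = [bool]($apply | Where-Object { $_.Trustee.Name -eq $Trustee })
    if (-not $present) {
        Write-Warning ("'{0}' is not in the security filter of '{1}'. The user-side settings " +
                       "in it (auto-enrollment, credential roaming) will not apply to those users.") -f $Trustee, $Name
        # Restore the filter (needs edit rights on the GPO). Left commented so the
        # script is read-only by default:
        # Set-GPPermission -Guid $gpo.Id -TargetName $Trustee -TargetType Group -PermissionLevel GpoApply
    }
    return $present
}

function Test-GpoInUserRsop {
    param([string]$Name)
    # gpresult /r lists the applied GPOs and, in a separate section, the GPOs that
    # were filtered out together with the reason (e.g. "Denied (Security)").
    # The section headers matched below are the English-locale strings.
    $lines   = gpresult /r /scope:user 2>$null
    $applied = $false; $denied = $null; $section = ''
    foreach ($line in $lines) {
        if ($line -match 'Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -match 'were not applied because')     { $section = 'denied';  continue }
        if ($section -eq 'applied' -and $line.Trim() -eq $Name) { $applied = $true }
        if ($section -eq 'denied') {
            if ($line.Trim() -eq $Name) { $denied = 'unknown reason' }
            elseif ($denied -eq 'unknown reason' -and $line -match 'Filtering:\s*(.+)$') {
                $denied = $Matches[1].Trim()
            }
        }
    }
    if ($applied)    { Write-Host "'$Name' is in this user's applied GPO list." }
    elseif ($denied) { Write-Warning "'$Name' was filtered out for this user: $denied" }
    else             { Write-Warning "'$Name' is absent from this user's RSoP; check the link, scope and WMI filters." }
    return $applied
}

function Invoke-UserAutoEnrollCheck {
    # Same manual pulse the poster ran, then show what the user's personal store holds.
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 5
    Get-ChildItem Cert:\CurrentUser\My |
        Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey, EnhancedKeyUsageList
}

# Where the user's personal certificates and private keys live inside the profile.
# A profile copy that omits the registry hive or these folders will not carry the
# certificate across machines.
function Show-UserCertProfileLocations {
    Get-ChildItem 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates' -ErrorAction SilentlyContinue |
        Select-Object PSChildName
    Get-ChildItem "$env:APPDATA\Microsoft\Crypto\RSA" -Directory -ErrorAction SilentlyContinue |   # CAPI key containers
        Select-Object FullName
    Get-ChildItem "$env:APPDATA\Microsoft\Crypto\Keys" -ErrorAction SilentlyContinue |             # CNG keys
        Select-Object FullName
}

$filterOk = Test-GpoSecurityFilter -Name $GpoName -Trustee $RequiredTrustee
$rsopOk   = Test-GpoInUserRsop -Name $GpoName
if ($filterOk -and $rsopOk) { Invoke-UserAutoEnrollCheck }
Show-UserCertProfileLocations
```

If the first function reports the group missing, that is the thread's root cause and no amount of certutil -pulse or re-issuing on the CA will help; fix the filter (or re-add the group with the commented Set-GPPermission line), run gpupdate /force for the user, and only then expect the pulse to enroll.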