Certificate Authority
What reasons would you not want to set the option below for user certificates? Do not automatically re-enroll if a duplicate certificate exists in Active Directory
July 30th, 2012 4:39am

Please ask in Security forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Don't be a prick! Be reasonable and provide your feedback. Say something whether the suggestion was helpful or not, mark a reply as answer or click on to vote helpful if any suggestion really helps you, don't leave that choice to moderators, let the credit go to a contributor who has invested his precious time on your questions. Please be informed that moderators are also humans and they also make mistakes ;-) Last but not the least, Unmark as answer if any post doesn't answer your question/s !!!
July 30th, 2012 4:41am

What reasons would you not want to set the option below for user certificates? Do not automatically re-enroll if a duplicate certificate exists in Active Directory
July 30th, 2012 10:07am

cheers
July 30th, 2012 10:07am

Link to the new thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b1c62dce-ddfa-4ec2-b442-a403e67bd334/#b1c62dce-ddfa-4ec2-b442-a403e67bd334
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration, Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration, Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration, Microsoft Certified Technology Specialist: Windows 7, Configuring, Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations, Microsoft Certified IT Professional: Enterprise Administrator, Microsoft Certified IT Professional: Server Administrator, Microsoft Certified Trainer
July 30th, 2012 11:14am

Hi dwelldon, actually this is a very good question. Usually there is no need to publish authentication certificates to AD, so this option would not help here at all. For EFS and Outlook S/MIME you want to publish the encryption certificates so that the sender can encrypt the e-mail. If your user logs on to multiple machines he is getting a new certificate (including private key) if autoenrollment cannot find a certificate in the Windows profile. In this scenario the user cannot read encrypted data because the data was encrypted to another public key. I never had a real world scenario for publishing certs to AD and not activating this option. Regards, Lutz
July 30th, 2012 12:15pm

Hi Dwelldon, Thanks for posting in Microsoft TechNet forums. If the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option is enabled, autoenrollment will not enroll a user for the certificate template, even if a certificate does not exist in the user's MY store. Active Directory is queried and determines if the user should be enrolled. This is an extremely valuable feature for users who do not have roaming profiles and log on to multiple machines. Without this setting and without roaming profiles, the user will automatically be enrolled on every machine that is logged on to (including servers). Here are two articles for your reference:
Configure Certificate Publishing in Active Directory Domain Services http://technet.microsoft.com/en-us/library/cc730861.aspx
How Autoenrollment Works http://technet.microsoft.com/en-us/library/cc787781(v=ws.10).aspx
Regards, Kevin, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 30th, 2012 10:47pm
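An added example, not from the thread or from Microsoft's documentation: a PowerShell check an administrator could run to see whether a template carries the "check AD for a duplicate" flag (and whether it also publishes to AD, without which the check has nothing to find), and then compare the certificates published on a user object against the user's local MY store, which is the multi-machine situation Lutz and Kevin describe. It assumes the RSAT ActiveDirectory module is installed; the template name is a placeholder, and the flag bit values are taken from the MS-CRTD specification of msPKI-Enrollment-Flag.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and read access to the Configuration partition.
param(
    [string]$TemplateName   = 'ExampleUserTemplate',   # placeholder template cn
    [string]$SamAccountName = $env:USERNAME
)
Import-Module ActiveDirectory

# 1. Read the template's msPKI-Enrollment-Flag. Per MS-CRTD:
#    0x08 = CT_FLAG_PUBLISH_TO_DS ("Publish certificate in Active Directory")
#    0x10 = CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE
#           ("Do not automatically reenroll if a duplicate certificate exists in AD")
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $tmplBase -LDAPFilter "(cn=$TemplateName)" `
                     -Properties 'msPKI-Enrollment-Flag'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $tmplBase" }

$flags      = [int]$tmpl.'msPKI-Enrollment-Flag'
$publishes  = [bool]($flags -band 0x08)
$checksDs   = [bool]($flags -band 0x10)
"Template $TemplateName : publish to AD = $publishes, check AD for duplicate = $checksDs"
if ($checksDs -and -not $publishes) {
    "WARNING: duplicate check is enabled but the template never publishes to AD;" +
    " autoenrollment will find nothing on the user object and enroll anyway."
}

# 2. Compare what is published on the user object with the local MY store.
#    A cert present in AD but absent here (or present without a private key)
#    is exactly the EFS / S/MIME case from the thread: data encrypted to a
#    public key whose private key lives in another machine's profile.
$user = Get-ADUser $SamAccountName -Properties userCertificate
$local = Get-ChildItem Cert:\CurrentUser\My
foreach ($raw in $user.userCertificate) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    $here = $local | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    if (-not $here) {
        "MISSING locally : $($c.Subject) $($c.Thumbprint) (expires $($c.NotAfter))"
    } elseif (-not $here.HasPrivateKey) {
        "NO PRIVATE KEY  : $($c.Subject) $($c.Thumbprint)"
    } else {
        "OK              : $($c.Subject) $($c.Thumbprint)"
    }
}
```

Run it as the user on each machine they log on to; a "MISSING locally" line on one machine and an "OK" line on another is the symptom that roaming profiles or credential roaming, rather than a second enrollment, are meant to solve.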


Many thanks for the replies, I will have a read of the articles.
July 31st, 2012 8:38am

Hi Dwelldon, Just checking to see if you would like further assistance regarding this issue. Please feel free to let us know if there is anything else we can help with. Have a nice day. Regards, Kevin, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 2nd, 2012 10:57pm

Hi Dwelldon, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the information should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Best Regards, Kevin, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 5th, 2012 10:24pm
