Automatic assignment of client certificates by a Win2k domain
I saw Mark Manasi at a security seminar in Chicago. He mentioned that you were a good buddy of his. My question has to do with using Certificate Server. Mark mentioned that 2003 Certificate Server and XP clients are automatic when joining the domain. Can I have a 2000 Active Directory domain, set up a 2003 Certificate Server, do an XP rollout and have the certificate automatically get assigned? He mentioned that if you implement Certificate Server after the clients are part of the domain, there is no easy way of installing the certificate on clients, unless you install them one by one. I am not sure what's involved in upgrading my Active Directory to 2003 and don't know enough about it to make the switch right now -- that's why I am wondering if it can be done with a 2000 AD infrastructure.
Auto-enrollment of USER certificates requires a Windows Server 2003 Active Directory environment and a Windows Server 2003 CA. However, if this condition is met, and the certificates are designed for auto-enrollment, Windows XP clients can trigger auto-enrollment using the Certificates snap-in, but the degree of user involvement required will depend on the type of certificate and how it has been configured. For example, an auto-enrollment certificate meant to be stored on a smart card will prompt the user to insert a smart card. Until the user does so, the certificate is not "auto-enrolled." On the other hand, an Encrypting File System (EFS) certificate might be automatically created and retrieved with no user involvement the first time the user attempts to encrypt a file.
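The answer above turns on two things an administrator can verify rather than assume: whether a template is actually "designed for auto-enrollment", and whether the client has an auto-enrollment policy applied at all. The script below is an added example, not part of the original question or the expert's answer. It reads the published certificate templates from the Configuration partition with plain System.DirectoryServices (no RSAT module), reports which ones carry the auto-enrollment flag, whether requests would be held for CA-manager approval (which defeats hands-free enrollment), and who holds the Autoenroll and Enroll rights, then reads the AEPolicy registry value that the Autoenrollment Settings Group Policy writes. It assumes it is run on a domain-joined Windows host by an account that can read the Configuration naming context; the attribute names and flag bits are those of the Active Directory certificate-template schema, and the template and principal names in the output are whatever exists in the forest it is run against.

```powershell
# Added example; not from the original Q&A. Audits which AD certificate templates
# are set up for auto-enrollment and whether this machine/user has an
# auto-enrollment policy applied. Assumes a domain-joined Windows host with read
# access to the Configuration naming context; uses only System.DirectoryServices.

# Bit values of the msPKI-Enrollment-Flag attribute.
$CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # requests held for CA manager approval
$CT_FLAG_AUTO_ENROLLMENT   = 0x00000020   # template is eligible for auto-enrollment

# Extended-right GUIDs for the Enroll and Autoenroll permissions on a template.
$ENROLL_RIGHT     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AUTOENROLL_RIGHT = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$EXTENDED_RIGHT   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GENERIC_ALL      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-Prop($result, $name) {
    # First value of a search-result attribute, or $null if the attribute is absent.
    if ($result.Properties.Contains($name) -and $result.Properties[$name].Count -gt 0) {
        return $result.Properties[$name][0]
    }
    return $null
}

function Get-Principals($entry, [guid]$right) {
    # Principals allowed an extended right: the specific right, all extended
    # rights (empty ObjectType), or GenericAll on the template object.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                (($_.ActiveDirectoryRights -band $EXTENDED_RIGHT) -and
                 ($_.ObjectType -eq $right -or $_.ObjectType -eq [guid]::Empty)) -or
                ($_.ActiveDirectoryRights -band $GENERIC_ALL)
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$configNC  = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter   = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize = 500

$report = foreach ($r in $searcher.FindAll()) {
    $entry         = $r.GetDirectoryEntry()
    $flags         = [int](Get-Prop $r 'msPKI-Enrollment-Flag')
    $autoenrollers = @(Get-Principals $entry $AUTOENROLL_RIGHT)

    [pscustomobject]@{
        Template       = Get-Prop $r 'cn'
        # Version 1 templates (the Windows 2000 set) cannot be edited for
        # auto-enrollment; version 2 templates need a Windows Server 2003 CA.
        SchemaVersion  = Get-Prop $r 'msPKI-Template-Schema-Version'
        AutoEnrollFlag = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT)
        PendAll        = [bool]($flags -band $CT_FLAG_PEND_ALL_REQUESTS)
        # Hands-free only if the flag is set, nothing is held for approval,
        # and at least one principal actually holds the Autoenroll right.
        HandsFree      = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT) -and
                         -not ($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -and
                         $autoenrollers.Count -gt 0
        Autoenroll     = $autoenrollers -join '; '
        Enroll         = @(Get-Principals $entry $ENROLL_RIGHT) -join '; '
    }
}
$report | Sort-Object Template | Format-Table -AutoSize

# Client side: the Autoenrollment Settings policy writes AEPolicy under HKLM
# (computer certificates) and HKCU (user certificates). Absent means no policy
# has applied; the 0x8000 bit means "Do not enroll certificates automatically".
foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae   = Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $ae) {
        "$hive AEPolicy: not set (no auto-enrollment policy applied)"
    } elseif ($ae.AEPolicy -band 0x8000) {
        '{0} AEPolicy: 0x{1:X} - auto-enrollment disabled by policy' -f $hive, $ae.AEPolicy
    } else {
        '{0} AEPolicy: 0x{1:X} - auto-enrollment enabled' -f $hive, $ae.AEPolicy
    }
}
```

A template that shows AutoEnrollFlag true but PendAll true, or with an empty Autoenroll column, is the usual reason a user "never got" a certificate; a missing or 0x8000 AEPolicy on the client means the domain-side configuration was never the problem.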
This was first published in July 2003