Vadims Podāns 13.10.2020 15:53 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 3)

> And how much will it grow eventually and is credential roaming a best practice for 802.1x authentication?

In reality, it is about 2-3KB per certificate. For 4k users it will be about 10MB of roaming data. In the future it will grow, when users get renewal certificates. Though, the growth isn't permanent, because expired tokens will be deleted. In other words, there will be an impact on AD size and replication bandwidth, but not on compute resources (CPU, memory, disks) even with entry level modern hardware.

For more details check the AskDS article: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certs-on-wheels-understanding-credential-roaming/ba-p/395897

shardul 13.10.2020 15:18 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 3)

Hi Vadims,

Hope you are doing well!

I am enabling autoenrollment for users and computers with credential roaming for 802.1x authentication. What is the impact on Active Directory for 4k users and machines respectively? And how much will it grow eventually and is credential roaming a best practice for 802.1x authentication?

Hazewindus 08.10.2020 13:06 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 2)

Good to read this document... but I still have issues with CES/CEP and KBR autorenewal. I have an issuing Root CA and one server with both CES/CEP installed as per below:

GPO assigned policyservers:

CES/CEP (prio 1) - certificate-based authentication with KBR - should be used when triggering renewal AND a certificate is present.

CES/CEP (prio 2) - username/password with KBR enabled - should only be used on initial certificate deployment.

When I initially request a certificate I have to provide a username and password (since I don't have a cert yet) and request the certificate based on the prio 2 policy. Once enrolled, if I directly renew with the same key (certmgr GUI), it gives me the option to renew the certificate without prompting for credentials whatsoever, and it renews (the policy cache is present). When I follow this up and do this scripted, it works as well and shows that the certificate-based authentication CEP is renewing the cert.

Then I purge the policy cache with "certutil -f -policyserver * -policycache delete"... and run the script to renew the certificate again... ERROR... "content was acquired as silent", meaning there is some popup in the background? This is because the policy cache is empty and no credentials are present. I would expect that the present valid client certificate is automatically used based on the prio 1 policy and added to the cache again, but no such luck!!! To correct the situation I need to start the GUI certmgr again, and perform the renew actions up to the point of selecting the certificate and cancel. Now the cache is populated again, because the certificate was used to authenticate (hence no popup for username/PW). Now when I run the script again it works, because there is a policy cache again.

The script is a simple PowerShell script that checks for certificates expiring within 2 days. When one is found, the thumbprint is used to renew by:

"certreq -machine -q -enroll -cert $certificate.thumbprint renew reuse"

Since the policy cache only lives for 8 hours, this means that KBR breaks after 8 hours!!! This means that certificates valid for 1 year will fail renewal. This is driving me nuts!!!

I have seen more people with this problem, but a clear solution was never found or posted.

Vadims Podāns 24.09.2020 10:25 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 2)

> How can I clean up the certificate repository in the client computers for older weaker certificates?

You have to manually delete them. For example, run a script that will look up certificates based on the old template and delete them.
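One way to write such a cleanup script, added here as an example and not code from the blog author or the commenter: it reads the Certificate Template extension that stays embedded in each issued certificate (so it still works after the template object itself was deleted), reports the matches, and only removes them when run with -Delete. The template name 'WorkstationAuthSHA1' is a placeholder assumption; run it elevated against the machine store.

```powershell
<#
Added example (not from the blog post or its comments). Assumes the retired
template's name or OID is passed as -OldTemplate; placeholder default below.
Run elevated; run WITHOUT -Delete first and review the table it prints.
#>
param(
    [string]$OldTemplate = 'WorkstationAuthSHA1',   # placeholder: retired template name or OID
    [string]$StorePath   = 'Cert:\LocalMachine\My',
    [switch]$Delete
)

# Extensions that record the issuing template: v2+ templates (OID + version) and v1 templates (name)
$templateExtensionOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-CertTemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($templateExtensionOids -contains $ext.Oid.Value) {
            # Format() decodes the ASN.1 to text such as "Template=WorkstationAuthSHA1(1.3.6.1.4.1.311.21.8...)"
            return $ext.Format($false)
        }
    }
    return $null
}

# The template name survives inside the certificate even after the template was deleted from AD,
# so match on the decoded extension text rather than on the (now missing) template object.
$stale = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $info = Get-CertTemplateInfo -Certificate $cert
    if ($info -and $info -like "*$OldTemplate*") {    # wildcard so either the name or the OID matches
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Signature  = $cert.SignatureAlgorithm.FriendlyName   # expect sha1RSA for certs from the old CA
            Template   = $info
            PSPath     = $cert.PSPath
        }
    }
}

# Report first; nothing is touched unless -Delete was given
$stale | Format-Table Thumbprint, Subject, NotAfter, Signature -AutoSize

if ($Delete) {
    foreach ($item in $stale) {
        # -DeleteKey removes the orphaned private key too; autoenrollment re-issues from the new template
        Remove-Item -Path $item.PSPath -DeleteKey
    }
}
```

Deploy it through the same GPO mechanism (startup script or scheduled task) that handles autoenrollment so every client is cleaned consistently.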

Jobish George 24.09.2020 10:09 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 2)

Hi Vadims,

I had created a Workstation Authentication certificate template for autoenrollment. I enabled autoenrollment using GPO. It all worked as expected: client computers got certificates auto enrolled. Later I found that I was using a weaker encryption algorithm, which is SHA1. The application that requires this client certificate for signing requires SHA256. So I changed the encryption algorithm to SHA2 and regenerated the CA Root certificate.

Now I have created a new Workstation Authentication certificate template to get SHA2 certificates. It all works as expected. Unfortunately, I deleted the older Workstation Authentication certificate template for SHA1. How can I clean up the certificate repository in the client computers for older weaker certificates?