ADCS Installation (Part 16): what should exclude from roaming profiles for wireless 802.1x access
Hello again, I have started some initial rollouts with EAP-TLS (user and computer certificates) based wireless 802.1x access. I have two types of users: one group of users do not have roaming profiles and the other group of users have roaming profiles. My assumption is that we have a one-to-one relationship between laptop and user. The users without profiles have been using the new EAP-TLS based wireless 802.1x access without problems. However, some users with roaming profiles have reported that they can get wireless access if their laptops are connected with LAN and then the wireless access works for the rest of the day. But it does not work if they try to logon via wireless. I investigated with one case. And I found that a user had her certificate on her laptop - it was verified last week via MMC > Certificates - Current Account > Personal > Certificates. But today, she reported a problem "Windows unable to find certificate ..." message. When I checked on her laptop, her certificate is not available on her laptop anymore. I know that users without roaming profiles will have their user certificates stored on local laptops but users with roaming profiles may not. What should I exclude from the roaming profile such that users will have certificates on their laptops? Thanks, SJJ123
March 15th, 2010 1:45pm

As far as I understand, you need to set up Credential Roaming Service:
http://support.microsoft.com/kb/907247
http://technet.microsoft.com/en-us/library/cc700815.aspx
http://www.sysadmins.lv
March 15th, 2010 2:06pm

Hi Vadims, I have already enabled the Public Key Policies/Certificate Services Client - Credential Roaming Settings setting. I have also included the old style setting: Administrative Templates/Certificate Services Client/X.509 certificate and key roaming. Both are with the same parameters:
Maximum tombstone credentials lifetime in days: 60
Maximum number of roaming credentials per user: 2000
Maximum size (in bytes) of a roaming credential: 65535
My AD domain has been extended with the Windows Server 2008 schema even though it is running in Windows Server 2003 native mode. But my user msPKI... settings for the above are <Not Set> in ADSIEDIT.MSC. Thanks, SJJ123
March 15th, 2010 8:18pm

Hello, I have found out that my problem may be related to the Published Certificates tab in the user account's properties. Some wireless users have their certificates in the above tab but other wireless users have nothing in the tab even though the same GPOs have been applied. For the certificate template I have used, the certificate template is configured with a tick on Publish certificate in Active Directory but no tick on Do not automatically reenroll if a duplicate certificate exists in Active Directory. Any idea? Thanks, SJJ123
March 17th, 2010 7:20pm

You do not need to publish the certificates for wireless 802.1x access - publishing the certificates will slowly bloat your AD database and should only be used for certificates that are intended for encryption. From your problem description, where the users are able to log on if connected to the LAN, it sounds like the failing part is the machine certificate - not the user certificate. The computer account is able to authenticate against your AD if it gets a network connection via the LAN, and once it is authenticated the users are able to switch to the WLAN without problems as the user has already authenticated. The machine account has its own certificate store that is not part of the roaming profile - the roaming profile only contains per-user certificates. For the machine account to be able to authenticate against your WLAN it needs to have a computer certificate in its personal store. I.e. make sure you have enabled autoenrollment for the computer accounts (via permissions on a published certificate template) and that the laptops enroll for it while connected to the LAN (use mmc.exe, add Certificates and choose to manage the Computer account and the computer account's personal store).
August 16th, 2011 4:18am
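An added PowerShell check (example code, not from the thread or from any of its posters) that does what the answer above describes by hand in mmc.exe: it lists the Client Authentication certificates that have a private key in the computer's and the current user's Personal stores and reports whether each one chains to a trusted root, which is what an EAP-TLS supplicant needs. The store paths and the EKU OID are standard Windows values; run it elevated on the laptop, and as the affected user when you want to see that user's store.

```powershell
# Added example: audit a laptop's Personal stores for EAP-TLS readiness.
# Client Authentication EKU OID (1.3.6.1.5.5.7.3.2) is what EAP-TLS peers require.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$EkuExtensionOid = '2.5.29.37'   # id-ce-extKeyUsage

function Get-EapTlsCandidate {
    # Returns unexpired certificates with a private key and the Client Authentication EKU.
    param([string]$StorePath)   # Cert:\LocalMachine\My or Cert:\CurrentUser\My
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }) |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $ClientAuthOid
    }
}

function Test-ChainBuilds {
    # True when the certificate chains to a root the laptop already trusts.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The laptop may be offline when this runs, so skip revocation for this local audit.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    $chain.Dispose()
    return $ok
}

# Machine store first: the answer above points at it as the likely failing part.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $found = @(Get-EapTlsCandidate -StorePath $store)
    if ($found.Count -eq 0) {
        Write-Warning ('{0}: no unexpired Client Authentication certificate with a private key' -f $store)
        continue
    }
    foreach ($c in $found) {
        '{0}: {1} (expires {2:u}) chain builds: {3}' -f $store, $c.Subject, $c.NotAfter, (Test-ChainBuilds -Cert $c)
    }
}
# If the machine store is empty, plug the laptop into the LAN, trigger autoenrollment
# and re-run this script:
#   certutil -pulse
```

A warning for Cert:\LocalMachine\My with a working user store matches the symptom in the thread (wireless only works after a wired logon); a warning for Cert:\CurrentUser\My on a roaming-profile user points back at credential roaming instead.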
