Automatic Certificate Enrollment w/o Windows Authentication and Cross Forest Trust
Is it possible to enable Certificate Auto-enrollment without using Windows Authentication / Cross Forest Trust between two forests? Specifically, is it possible to do this using Client Certificate Authentication? Ideally, this is how we would want our system to work:

1. CEP/CES set up in Enterprise CA forest for AD Client Certificate Authentication on IIS. SSL and Client Certificate Required.
2. Many-to-One mapping of all certs issued by Enterprise CA to a specific domain user. This user would then have Read, Enroll, Auto-enroll privileges on Cert Templates.
3. CES would also be set up for renewal only. The initial machine certificate would be obtained "out-of-band".
4. The Untrusted Client forest would have the following objects published in its AD: Templates, Template OIDs, Enrollment Service objects.
5. Client domain would validate CEP Policy with the DC's initial cert, which was obtained out-of-band. All client machines would renew themselves through the CES by using their original out-of-band certs as authentication.

Any clarification would be much appreciated.

Thanks,
Pete
August 3rd, 2011 9:44pm

Clarification on #5 I have been able to get this step to work "interactively" through the MMC Snap-in (w/o Renewal Only CES). The real question is whether the cert will know it is about to expire and automatically attempt to re-enroll using itself as the authentication.
August 3rd, 2011 9:48pm

If I'm not mistaken, Win7 and Server 2008R2 can use the HTTP enroll service. This was intended to enroll clients out on the net... I think you can use this, but have to figure a way of authenticating the first time getting the cert... and set so the certificate can enroll based on a valid previous certificate when they expire. In Win7 and w2k8 R2 certificate enrollment is handled through the scheduled task service (under the Microsoft node). Just a thought :)
August 5th, 2011 11:38am

Clarification on #5 I have been able to get this step to work "interactively" through the MMC Snap-in (w/o Renewal Only CES). The real question is whether the cert will know it is about to expire and automatically attempt to re-enroll using itself as the authentication.

The client should be able to automatically renew a manually enrolled certificate if you enable autoenroll on the template and auto-enrollment/renewal using GPO or local policies. /Hasain
August 5th, 2011 1:27pm

Won't you need to set the "auto-enroll" privilege on the template for the client machine trying to auto-enroll? How could this be done if the client machine is a non-domain joined machine? This is a step I know can be accomplished with a Cross-Forest Trust, but once you lose the CFT it seems like you lose the auto-enroll functionality with it.
August 8th, 2011 8:58pm

Correct, you need a certificate template with Enroll + Auto Enroll to support auto enrollment. Non-domain joined machines do not implement auto enrollment because of the template dependency. /Hasain
August 9th, 2011 1:19pm

So did you ever get this to work? I have actually set up most of the same as you describe above, with some minor adjustments.

Server:
1. CEP with many-to-one mapping on certificates to service account (non domain joined computer cert used to authenticate)
2. CES set with same as above
3. CEP Cert auth is set to only allow renewal.

Client:
1. Activated Autoenrollment using local security policy on non-domain-computer

So I log on to the computer, get CEP via username and password. Get computer cert via CES using username and password. Bind CEP to cert authentication, and check that the computer reevaluates CEP policy on refresh using computer cert. Tried using a cert with short lifetime, but I can't seem to get autoenroll to detect that the computer certificate needs to renew and trigger enrollment.

EDIT: Think I was just being dumb. Can't do autoenrollment with the same certificate that one wants to authenticate with :) After renewal one breaks the credential binding, as the certificate one used for authentication is no more (renewed).
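An added check for the failure mode described in the EDIT above (example code, not from any poster in this thread): it lists machine certificates that have entered their renewal window and warns when the one about to be renewed is the same certificate bound as the CEP/CES authentication credential. It assumes $AuthThumbprint is the thumbprint of the out-of-band certificate used for the policy-server binding (a placeholder here) and assumes renewal starts at 80% of the certificate lifetime.

```powershell
# Added example: find machine certs inside their renewal window and flag the one
# used to authenticate to CEP/CES, since renewing it invalidates the credential binding.
# Assumptions: $AuthThumbprint is a placeholder for the bound auth cert's thumbprint
# (uppercase hex, no spaces, as the Cert: drive reports it); renewal assumed at 80%.
param(
    [string]$AuthThumbprint = 'REPLACE-WITH-AUTH-CERT-THUMBPRINT',  # placeholder
    [double]$RenewalFraction = 0.8
)

$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $lifetime = $cert.NotAfter - $cert.NotBefore
    # Point in the validity period where autoenrollment would start renewing.
    $renewAt  = $cert.NotBefore.AddTicks([long]($lifetime.Ticks * $RenewalFraction))

    # Out-of-band / manually issued certs typically carry no template extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $template = if ($ext) { $ext.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        RenewalStarts   = $renewAt
        InRenewalWindow = ($now -ge $renewAt)
        Template        = $template
        IsAuthCert      = ($cert.Thumbprint -eq $AuthThumbprint.ToUpper())
    }
} | Where-Object { $_.InRenewalWindow } | ForEach-Object {
    if ($_.IsAuthCert) {
        Write-Warning ("{0} is the CEP/CES authentication certificate; renewing it " +
                       "will break the credential binding used for policy and renewal.") -f $_.Thumbprint
    }
    $_
} | Format-Table Subject, Thumbprint, NotAfter, RenewalStarts, IsAuthCert -AutoSize
```

Run it on the non-domain-joined client before the authentication certificate reaches its renewal window, so the binding can be moved to a separate, longer-lived authentication certificate first.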
January 31st, 2012 3:47am
