Automatic removal of Root Certificates
Hi,

I have an Enterprise Issuing CA hosted on the domain controller (say Domain A) and got it issuing machine certificates using autoenrollment. Now when I remove the client machine (Win XP SP2) from Domain A, the root CA certificate of Domain A is automatically removed from the Trusted Root store. I have checked the group policy settings and everything is correctly configured. I would like to know if this is the behaviour of Win XP or something else.

Thanks ... Santosh.
September 17th, 2009 7:41am

Hi,

Yes, this is what the behaviour should be. It's working the way it should. When you configure Autoenrollment Policy to provide Machine Certificates to the Client Computers, the CA Certificate is automatically pushed into the Trusted Store of the Client whenever the Client Machine boots up and gets the Enrolled Certificate. Now that you have removed the Client Computer from the Domain, the Policy is no longer hitting the Machine and so the Certificate is no longer there. However, if you manually put the Root Certificate in the Trusted Store of the Client Computer then it won't go away on its own.

Hope that clarifies your doubt. Revert back if you have any queries.

Thanks.
September 17th, 2009 7:52am

Thanks a lot Sloth, it does make sense. Pertaining to this I have a couple more queries.

1) When I log off the client computer, will the root certificate still be there in the root store or be removed?
2) Does the removal of certificates only apply to root certificates? i.e., every time the same client computer joins the domain, does the machine certificate get re-enrolled?

Lastly, is there any way of stopping Windows removing the root certificates even after detaching from the domain?

Thanks ... Santosh.
September 17th, 2009 8:13am

Hi,

Apart from the Certificates that come through Microsoft Updates and the ones that you have manually installed, the rest of the Certificates which come through Group Policies are likely to go away (I haven't tested that though :)).

Auto Enrollment can be configured for Machines as well as Users. Users get the Certificate at the time of User Logon and Machines get the Certificate upon Reboot when the Machine Policies are applied. If a User logs on to 3 different Machines then he will get three Certificates from the same Template, but the Key Pairs on all the Computers would be different. If the AutoEnrolled Certificate is Revoked or Superseded from the CA, it is removed from the User Store at that instant; however the Expired Certificate is not Removed unless a new valid Certificate is issued. Default time of AutoEnrollment Policy Refresh is 8 Hours.

Whenever a User or Machine is Enrolled a Certificate, an Attribute called 'UserCertificate' or 'MachineCertificate' is populated accordingly in AD. This Attribute contains the Hash Values of the Certificates held by the Entity. You can see that from Adsiedit.msc under the User/Machine Properties.

When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time.

Yes, if you Re-Join the Machine to the Domain then the Certificate will be Enrolled again as per the Group Policy configured for the Machine. However, if a User Logs off and Logs back in again then the Certificate is not enrolled again, because the User might have Encrypted many files using that Certificate, and if a new Certificate is Enrolled then he won't be able to Decrypt the Files. (Design is not that bad after all :)) But yes, if the User Certificate is Expired then a New one would be given.

Hope that clarifies most of your doubts. Revert back if you have any queries.

Thanks.
September 17th, 2009 8:51am

Well ... you have answered most of my queries.

"When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine"

Does the local certificate store reflect the certificate store of Active Directory? Does it mean that the client local certificate store will contain all the certificates of the Active Directory?

"The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time."

What is the need for the certificate templates to be downloaded from the forest? Because in another scenario, when we enroll offline, the client computer does not have any templates downloaded. It just uses the Windows CSP to generate the certificate request. (Please correct me if wrong.)

Does re-booting (not re-joining) the machine trigger re-enrollment of machine certificates? If not, then every time the machine starts up, the policy checks for machine certificates. If there are no machine certificates it enrolls for one; if there is already a machine certificate, it should not re-enroll. Please correct me if I am wrong.

There is a scenario where I need to issue machine certificates for all the laptops which are members of the domain. These laptops later need to join the domain through a RADIUS server (VPN connection). The server authentication fails at the client end because the client machine is not trusting the RADIUS server certificate's root certificate. The reason is that the client machine does not have the root certificate in its store (the root certificate is removed once logged off the domain). How do we resolve this situation because of the root certificate removal feature?

Hope I am not over-questioning, but this is the actual problem I am facing.

Thanks in advance.
Santosh
September 17th, 2009 10:04am

Not at all.... Even I am enjoying running my Brain on this :)

-- Ok, coming to your first question... No, the Local Computer Store does not reflect the Active Directory Store. That's a completely different Store. It just downloads the CA Certificates as it requires to Trust them.

-- Again you are right, the Windows CSP is used to generate the Certificate Request, but again it needs to Access the Template using which the Certificate has to be created. Unless the Template Information is there, the Request cannot be created. You might have done modifications in the Template and so the AutoEnrollment Process allows you to Cache the same information, so that if next time you don't have access to the Template, or maybe the Template is corrupt in AD, it can still process the Request of AutoEnrollment using the Cached Information, because eventually all it needs to know is which Template is allowed to be Auto Enrolled. I hope I am right on this. Also, as I said, the AutoEnrollment Policy Refresh Interval is 8 Hours. Now don't you think it would be a good design that the Refresh takes effect without affecting or querying the Active Directory? (In such a case the Cached Information can be used.)

-- See, Rebooting of course will trigger the Group Policy Engine to check for AutoEnrollment, but if the Client Machine already has a valid Certificate in the store, it should not re-enroll a New Certificate, because then I would call it a bad design. Because if it holds True for the Machine Cert then it would be True for the User Cert as well, and in such a case every time a User logs off and logs in he will get a New Cert, and that is not a good thing because then it will cause issues in Decrypting the files that were Encrypted using the previous Certificate. So, 'No', till the time the Machine has a Valid Cert in the Store, a new Cert is not given. This only occurs if the current Cert is expired.

-- Lastly, in order to resolve your issue you can manually put the Root Cert in the Trusted Computer Store of the Machine, and I don't think that it will be wiped off once you make the Machine a part of the WorkGroup. (Please try it with one machine and then let me know if it works.) Currently I am not getting time to test it at my end but will get back to you soon on this. Till that time please check it and also let me know the same.

I hope I was able to clarify some of them at least :). Waiting for more Brain Twisters :)

Thanks.
September 17th, 2009 10:59am
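The two points made in the replies above (roots that arrive through autoenrollment or Group Policy live in a different physical store from roots installed by hand, and a hand-installed root is the workaround for the RADIUS/VPN trust failure) can be checked and applied with the script below. This is an added example, not code from the thread. It assumes Windows Vista/Server 2008 or later with PowerShell 2.0+, an elevated session, and the documented registry locations of the physical stores behind Cert:\LocalMachine\Root; the function names are the example's own.

```powershell
# Added example (not from the thread). Shows which physical store(s) hold each
# root in Cert:\LocalMachine\Root, then copies a chosen root into the persistent
# "Local Computer" store so it survives leaving the domain.
# Assumptions: Vista/2008 or later, PowerShell 2.0+, run as Administrator.

# The logical LocalMachine\Root store is a merged view over these physical stores.
# Only 'Local' (manually installed) and 'AuthRoot' (Windows Update) persist when
# the machine leaves the domain; 'Enterprise' (AD-published, fetched by
# autoenrollment) and 'GroupPolicy' are rebuilt from AD on each policy refresh.
$PhysicalRootStores = @(
    @{ Name = 'Local';       Path = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates' }
    @{ Name = 'Enterprise';  Path = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates' }
    @{ Name = 'GroupPolicy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates' }
    @{ Name = 'AuthRoot';    Path = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates' }
)

function Get-RootCertOrigin {
    # Report, per root certificate, which physical stores contain it (subkeys are
    # named by SHA-1 thumbprint) and whether it will outlive a domain unjoin.
    param([string]$Thumbprint)
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    if ($Thumbprint) { $roots = $roots | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() } }
    foreach ($cert in $roots) {
        $where = foreach ($store in $PhysicalRootStores) {
            if (Test-Path (Join-Path $store.Path $cert.Thumbprint)) { $store.Name }
        }
        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Stores         = ($where -join ',')
            SurvivesUnjoin = [bool](($where -contains 'Local') -or ($where -contains 'AuthRoot'))
        }
    }
}

function Add-LocalRootCert {
    # Copy a root that is currently present only via Enterprise/GroupPolicy into the
    # Local Computer physical store. certutil -addstore without -enterprise or
    # -grouppolicy writes to exactly that store, which policy refresh does not purge.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "No root with thumbprint $Thumbprint in Cert:\LocalMachine\Root" }
    $tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    # Export the DER-encoded certificate only (a root has no private key here anyway).
    [IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
    certutil -addstore Root $tmp | Out-Null
    Remove-Item $tmp
    Get-RootCertOrigin -Thumbprint $cert.Thumbprint
}

# Usage (run while still domain-joined, so the Enterprise copy is present):
#   Get-RootCertOrigin | Where-Object { -not $_.SurvivesUnjoin } | Format-Table Subject, Stores
#   Add-LocalRootCert -Thumbprint '<thumbprint of the Domain A root CA>'
```

Before and after, `certutil -enterprise -store Root` and `certutil -grouppolicy -store Root` show the AD- and GPO-supplied physical stores separately from `certutil -store Root`. The caveat of pinning a root this way is the flip side of the behaviour Santosh observed: once a root sits in the Local store, removing it from AD or from the GPO no longer removes it from the laptop, so retiring that CA later means cleaning the local store on every machine (or redeploying with a new root). Keep the pinned root limited to what the RADIUS server chain actually needs.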

Thanks for your answers to my brain twisters...

Just a quick one ... If I unjoin a client computer from the domain, I guess the client computer object in the AD gets deleted. I would like to know whether the certificate associated with the computer object gets deleted as well, or doesn't get deleted or revoked? By mentioning unjoin, I mean I join another domain.

Thanks ... Santosh.
September 18th, 2009 3:33am

"If I unjoin a client computer from the domain, I guess the client computer object in the AD gets deleted. I would like to know whether the certificate associated with the computer object gets deleted as well, or doesn't get deleted or revoked? By mentioning unjoin, I mean I join another domain."

There is no automatic revoke of the certificate. The certificate will remain in the certificate store of the computer. You would need to define workflows (processes) for revocation of certificates when a computer is removed from the domain if you see this as an attack vector. Of course, if you wipe the drive, this would delete the certificate, rendering the need to revoke the certificate moot.

Brian
September 18th, 2009 5:49am

Hi Brian,

I am not sure if I have interpreted your response correctly. Please confirm the statement below.

If I unjoin the computer from the domain, the computer object in the Active Directory is deleted. But the machine certificate associated with the computer object still remains in the certificate store of the "active directory". Of course the certificate is not deleted from the computer certificate store.

Thanks
Santosh.
September 18th, 2009 6:31am

Hi,

Yes, once the Computer is unjoined from the Domain, it is deleted from Active Directory and all the Attributes associated with it also get deleted. Remember, I was talking about the 'UserCertificate' and 'MachineCertificate' Attributes; those also get deleted. Also, when you re-join the Machine to the Domain then a new SID is assigned to the Machine and so the Old Certificate should be of no Use. However, you will have to check if the Certificate also gets deleted from the Local Computer Store upon unjoin, because I have not checked it yet. Let me know what you dig out of it?

Hope installing the Certificate manually on the Machines helped you resolve your issue?

Thanks.
Nitin
September 18th, 2009 6:35am
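Brian's point that nothing revokes a machine certificate when the computer leaves the domain, and Nitin's note that the computer object and its attributes are gone afterwards, together give the shape of the missing workflow: the CA database still lists every issued certificate and its requester, so the orphans are the issued machine certificates whose requesting computer account no longer exists. The script below implements that reconciliation as an added example; it is not code from the thread. It assumes a domain-joined admin workstation with certutil and the ActiveDirectory PowerShell module (RSAT), an account with Issue and Manage Certificates rights on the CA, and that `$CAConfig` is the issuing CA's "CAHOST\CA Common Name" string; the function names are the example's own.

```powershell
# Added example (not from the thread): revoke machine certificates whose computer
# object has disappeared from AD, i.e. the revocation workflow Brian describes.
# Assumptions: ActiveDirectory module (RSAT) and certutil available; the caller
# holds Issue and Manage Certificates on the CA; autoenrolled machine certificates
# are recorded in the CA database with Request.RequesterName = DOMAIN\COMPUTER$.

Import-Module ActiveDirectory

function Get-IssuedMachineCerts {
    # Issued (Disposition 20), still-valid certificates requested by computer accounts.
    param([Parameter(Mandatory=$true)][string]$CAConfig)
    # csv output; the header line is skipped because certutil's display names vary
    # between versions, and the trailing "command completed" line is filtered out by
    # the requester-name match below.
    $rows = certutil -config $CAConfig -view -restrict 'Disposition=20,NotAfter>=now' `
                -out 'RequestID,RequesterName,SerialNumber,NotAfter' csv |
            Select-Object -Skip 1 |
            ConvertFrom-Csv -Header RequestID,RequesterName,SerialNumber,NotAfter
    # Computer accounts end in '$' (DOMAIN\HOST$); user autoenrollment does not.
    $rows | Where-Object { $_.RequesterName -match '\\[^\\]+\$$' }
}

function Get-OrphanedMachineCerts {
    # Issued machine certificates whose requesting computer account no longer exists.
    param([Parameter(Mandatory=$true)][string]$CAConfig)
    foreach ($row in Get-IssuedMachineCerts -CAConfig $CAConfig) {
        $sam = ($row.RequesterName -split '\\')[-1]        # "DOMAIN\HOST$" -> "HOST$"
        $computer = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if (-not $computer) { $row }                       # object deleted on unjoin
    }
}

function Revoke-OrphanedMachineCerts {
    # Revoke each orphan on the CA. Supports -WhatIf so the list can be reviewed first.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$CAConfig)
    foreach ($row in Get-OrphanedMachineCerts -CAConfig $CAConfig) {
        if ($PSCmdlet.ShouldProcess("$($row.RequesterName) serial $($row.SerialNumber)", 'Revoke')) {
            # Reason code 5 = CessationOfOperation: the machine is no longer ours.
            certutil -config $CAConfig -revoke $row.SerialNumber 5 | Out-Null
        }
    }
}

# Usage: review first, then revoke, then publish a new CRL so the RADIUS/NPS server
# (and anything else checking revocation) stops accepting the old certificates.
#   Revoke-OrphanedMachineCerts -CAConfig 'CA01.corp.example\Corp Issuing CA' -WhatIf
#   Revoke-OrphanedMachineCerts -CAConfig 'CA01.corp.example\Corp Issuing CA'
#   certutil -config 'CA01.corp.example\Corp Issuing CA' -CRL
```

Two practical caveats. First, the leftover certificate and its private key stay on the laptop, as Brian says, so until the CRL (or OCSP response) carrying the revocation is published and fetched, a RADIUS server that still trusts the issuing CA will keep accepting that machine; schedule the CRL publish together with the revocation. Second, a machine that is rejoined gets a fresh computer account and a fresh autoenrolled certificate, so this script will not touch the new one, only the issued-but-orphaned serials.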
