CA Certificate (non) Propagation to Remote Computers
I've installed an Enterprise Root CA for a customer. We have a problem whereby remote users who log on initially with cached credentials and then make a VPN connection to the network aren't getting the new CA certificate propagated to their certificate stores. When logged on with cached credentials they are able to "transparently" connect to domain resources (suggesting that silent Kerberos re-authentication is fine), but try as I might with gpupdate and certutil -pulse, the new CA certificate is not getting copied to the machines. I know that the group policy engine is used to propagate the certificates; I'm imagining that the problem is that it is the "computer" GP processing that is being used and therefore even silent Kerberos authentication after a cached logon won't help. Strange thing is, I could have sworn I've seen this work before! The AD forest functional level is Win2K3 and the clients are XP SP2. Can someone confirm that this "non-replication" is indeed expected behaviour? Thanks, Dave
March 28th, 2011 9:07pm

Dave, did you just publish the certificate in the configuration partition, or are you pushing the CA certificate via GPO?
March 28th, 2011 9:21pm

Hi Alex, It's simply published into the configuration partition (automagically) after installing the Enterprise Root CA. We also tried the sneaky approach of using a GPO (with the CA certificate imported) to push the certificate out to remote computers... but alas, being a computer GPO, it doesn't have any effect after logging on at a computer with cached credentials. :-( Cheers, Dave
March 28th, 2011 10:01pm

Hi Dave, are those computers properly joined to the domain, and what kind of VPN are you running? The computer policy GPO is able to run in the background as a refresh (also if you do gpupdate /force). Just tested on my laptop connected via VPN again. The effect of cached credentials is influencing the startup script and software installation.
March 28th, 2011 10:38pm

Hi Alex, The computers are indeed properly domain joined and background re-authentication after logon with cached credentials does allow immediate access to Kerberos protected resources such as file shares, users with suitable entitlement can also use ADUC successfully. We are using a Juniper SSL VPN, but I am assured that it does effectively provide a "full network connected" experience and the silent Kerberos re-authentication seems to confirm this. Given that you have seen computer GPOs running in the background on your laptop after a cached logon I shall now do further investigation (and perhaps be a little more patient) as you've demonstrated that it clearly should work. Kind regards, Dave
March 28th, 2011 11:20pm
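The checks the thread circles around (is the CA certificate published in AD, has it reached the machine's own Trusted Root store, and has computer-scope policy actually refreshed over the VPN) can be run in one go. The script below is an added example, not code from the thread or from any of the posters; it assumes a Vista-or-later domain member with PowerShell (the XP SP2 clients in the thread would not have it out of the box), and the thumbprint you pass in is a placeholder to be taken from the CA's own certificate. Only gpupdate and certutil -pulse from the original posts are used as the remediation hints.

```powershell
# Added example: locate where CA certificate propagation is stalling on a
# remote, VPN-connected domain member. Assumptions: PowerShell on a
# Vista-or-later client; $CaThumbprint is the SHA-1 thumbprint of the
# Enterprise Root CA certificate (placeholder, supplied by the caller).
param(
    [Parameter(Mandatory = $true)]
    [string]$CaThumbprint
)

# Normalise the thumbprint so it compares cleanly against both the
# certificate provider (no spaces) and certutil output (space-separated).
$thumb = ($CaThumbprint -replace '\s', '').ToUpperInvariant()

# 1. Secure channel to the domain: if this fails, nothing below can work.
#    nltest prints 'The command completed successfully' on a healthy channel.
Write-Output "== Secure channel to $env:USERDNSDOMAIN =="
nltest /sc_query:$env:USERDNSDOMAIN

# 2. Enterprise (AD-published) Root store. This view is built from the
#    configuration partition, so a hit here means the CA publication itself
#    is fine and any gap is on the machine-side policy processing.
Write-Output "== AD-published (enterprise) Root store =="
$enterprise = (certutil -store -enterprise Root 2>&1 | Out-String) -replace '\s', ''
if ($enterprise.ToUpperInvariant().Contains($thumb)) {
    Write-Output "OK      : CA certificate is published in the enterprise Root store."
} else {
    Write-Output "MISSING : CA certificate not visible in the enterprise Root store (AD unreachable or not published)."
}

# 3. Local machine Trusted Root store. This is what GPO / autoenrollment
#    writes to, and what applications actually consult for chain building.
Write-Output "== LocalMachine\Root =="
$local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($local) {
    Write-Output "OK      : '$($local.Subject)' is present in LocalMachine\Root."
} else {
    Write-Output "MISSING : thumbprint $thumb not in LocalMachine\Root."
}

# 4. Has computer-scope policy refreshed since the VPN came up? Compare the
#    timestamp with the time the tunnel was established.
Write-Output "== Last computer policy application =="
gpresult /r /scope:computer | Select-String 'Last time Group Policy was applied'

# 5. Suggested follow-up when 2 succeeds but 3 does not: trigger a
#    computer-scope refresh and an autoenrollment pulse, then re-run.
if (-not $local) {
    Write-Output "Try: gpupdate /target:computer /force ; certutil -pulse ; then re-run this script."
}
```

Run it after the VPN tunnel is up and note which step is the first to fail: a secure-channel failure points at the VPN providing less than full network access, an enterprise-store hit with an empty local store points at computer policy not having refreshed yet, and an old "Last time Group Policy was applied" timestamp confirms the latter.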
