MSPKI: what is the purpose of a certificate in a user account in AD?
Please tell me, what is the purpose of a certificate in a user account in AD? The certificate was issued by the domain CA (Certification Authority) with the Smartcard Logon template.
Will Smartcard Logon on a PC, or VPN access through a VPN server, function correctly with this user certificate if the certificate is not present in the AD user account (it has not been added or has been removed)? The certificate was correctly issued by the CA and has not been revoked. It is only missing from the AD account.
July 9th, 2010 11:05am
Smart card logon certificates in user account properties can be used for certificate mapping purposes in VPN/IIS/etc. Read more:
http://technet.microsoft.com/en-us/library/bb742438.aspx
http://en-us.sysadmins.lv
July 9th, 2010 11:22am
Thanks,
Is a certificate in the user account required for Smartcard Logon to a workstation to work properly?
July 9th, 2010 2:35pm
On Fri, 9 Jul 2010 11:35:48 +0000, A-mag wrote:
Is a certificate in the user account required for Smartcard Logon to a workstation to work properly?
By default, no.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
July 9th, 2010 2:46pm
Actually, this is not required for interactive logon using smart cards. However, it may be required for other scenarios. In other words, you should always publish the smart card certificate to the user account properties.
http://en-us.sysadmins.lv
July 9th, 2010 2:48pm
Thank you!
Is there any book or article to read about it?
What other scenarios may require certificates in the AD account?
The purposes of the "Smartcard User" certificate are: Smart Card Logon, Client Authentication, Secure E-mail.
There are no questions about Smart Card Logon (it works), but what about Client Authentication and Secure E-mail? Do these work without the certificate in the AD account?
July 9th, 2010 6:36pm
Hi,
Publishing a certificate in Active Directory enables all users or computers with adequate permissions to retrieve the certificate as needed.
It may also affect the autoenrollment process. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object and the requirement will be removed from the list, if successful.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 13th, 2010 9:15am
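
Added example, not part of any post in this thread: a PowerShell script that reads the userCertificate attribute discussed above and reports, for each published certificate, whether it carries the Smart Card Logon, Client Authentication and Secure E-mail purposes and whether it has expired. It assumes a domain-joined machine; the parameter name `$SamAccountName` and the output column names are choices made for this example.

```powershell
# Added example (not from the thread): inspect certificates published on an AD user object.
# Assumes a domain-joined machine; $SamAccountName defaults to the current user.
param([string]$SamAccountName = $env:USERNAME)

# EKU OIDs for the three purposes named in the thread.
$purposes = [ordered]@{
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Secure Email'          = '1.3.6.1.5.5.7.3.4'
}

# Refuse characters that have special meaning in an LDAP filter.
if ($SamAccountName -match '[\\*()]') { throw 'Invalid account name.' }

$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('usercertificate')
$user = $searcher.FindOne()
if ($null -eq $user) { throw "User '$SamAccountName' was not found." }

# Each value of userCertificate is one DER-encoded X.509 certificate.
$blobs = $user.Properties['usercertificate']
if ($blobs.Count -eq 0) {
    Write-Output "No certificates are published on '$SamAccountName'."
    return
}

foreach ($blob in $blobs) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    $row = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
    }
    # One True/False column per purpose.
    foreach ($name in $purposes.Keys) { $row[$name] = $oids -contains $purposes[$name] }
    [pscustomobject]$row
}
```

Expired entries in the output are candidates for cleanup from the account, since published certificates are readable by any user or computer with adequate permissions.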