PKI, domain certificates and key archival
Hi! I tested key archival configuration. I think I know how certificates are stored and where... private keys should be stored in the user profile - right? And then come the standard domain certificates - i.e. for users. How is it possible that a user certificate roams with the user from station to station? It means that the private key is stored in AD - or where else? But it works even if there is no folder redirection or key archival... Can anyone explain to me [or pass a link] how the hell the private key is stored, and in which scenarios? If I install an external cert with a private key for a user - should it automatically roam with the user? What is the purpose of key archival after all - if the cert is somewhere in AD anyway, then if a user lost the cert on one comp she may simply log on to another computer... Got a bit lost.
/:-o((: Leliv
December 20th, 2012 6:18am

This is probably a good start: http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx

The best term to search on is 'credential roaming'.

Cheers
JJ
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
December 20th, 2012 8:42am

That's it! It's exactly what I was looking for! Thx!
-o((: Leliv
December 20th, 2012 9:14am

This topic is archived. No further replies will be accepted.
