Revoke a user's certificate automatically when the user is removed from the group
We have Windows 2008 ADCS configured. Trying to use certificates for Wi-Fi EAP-TLS authentication. Auto-enrollment is enabled for the Active Directory group "WiFiUsers" and working fine. The "Do not automatically re-enroll if a duplicate certificate exists in Active Directory" option is ENABLED in the "Copy of User" template and permissions are given correctly.

Q1. What happens if a laptop is formatted (rebuilt) and the system does not find a valid certificate in the "MY" certificate store? Will the user automatically be given a certificate from the AD certificate store when the system tries to re-enroll, OR does the administrator need to export the certificate and send it to the user?

Q2. A user works on multiple computers, say PC1 and PC2, and he is issued a certificate while working on PC1. Later the user logs on to PC2 and wants to use the certificate to connect to wireless. Will he be issued the same certificate from AD, or does he need to export/import the certificate?

Q3. Is it possible that when I remove a user from the AD group "WiFiUser" (which is being used in this scenario), his certificate is automatically revoked? If not, is there a way to automate this process - via a script or something (in our organization, we are not using certificates for any other purpose and do not need to keep the certificate)?

Q4. We need to issue certificates for non-domain devices (wireless printer). What kind of certificate should be issued? What value should be given in the "Subject" field? Is it possible to issue a certificate to a non-domain device based on MAC authentication? Please provide any link on this topic if possible.

Manoj
October 20th, 2011 6:42am

1) Depending on template settings, a user may obtain a new certificate.
2) See above.
3) You will need to script this process. However, it is not easy.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
October 20th, 2011 7:47am

Can you please elaborate on the settings I need to make, or please provide any link.

Manoj
October 20th, 2011 8:09am

In the template properties, you need to check the 'Do not automatically reenroll if a duplicate certificate exists in Active Directory' checkbox. If it is enabled, a new certificate will not be issued if a user changes his/her PC or a computer was reinstalled.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
October 20th, 2011 9:29am

Anyone, please suggest on Q3 and Q4. Thanks in advance.

Manoj
October 22nd, 2011 9:59am

Q3. Is it possible that when I remove a user from the AD group "WiFiUser" (which is being used in this scenario), his certificate is automatically revoked? If not, is there a way to automate this process - via a script or something (in our organization, we are not using certificates for any other purpose and do not need to keep the certificate)?

Q4. We need to issue certificates for non-domain devices (wireless printer). What kind of certificate should be issued? What value should be given in the "Subject" field? Is it possible to issue a certificate to a non-domain device based on MAC authentication? Please provide any link on this topic if possible.

Q3: This is not that easy. You would need to indicate that a user has been removed from the group for a script to process. I suggest you create a shadow group called Wifi-to-be-revoked and move the user that should be revoked to this group. Afterwards you need to look up the serial number in the CA database that corresponds to the user. You can do this either using certutil or PowerShell (see for example Vadims' ADCS PowerShell pack http://pspki.codeplex.com/wikipage?title=Revoke-Certificate). However, be sure that you revoke the correct certificate (be sure to restrict templates during the search as well as the unique user identifier). Finally, after revoking the certificate, the user can be removed from the Wifi-to-be-revoked group.

Q4: I guess that a server certificate would suit your wireless printer, but I really cannot tell if you do not provide more details. I guess that the subject should be the DNS name. And you cannot issue a certificate to a non-domain device based on MAC authentication.

Kind regards
Martin Rublik
October 24th, 2011 3:16am
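The following script is an added example for the Q3 flow described in the answer above; it is not code from the thread, from PSPKI, or from Microsoft. It uses only certutil and the ActiveDirectory module: for every user in the shadow group it queries the CA database restricted to the requester, the Wi-Fi template and Disposition=20 (issued), revokes the matching serial numbers, publishes a new CRL and removes the user from the shadow group. The CA config string, template OID, group name and reason code are placeholders assumed for illustration and must be replaced with your own values.

```powershell
# Added example (not from the thread): revoke Wi-Fi EAP-TLS certificates of users placed in a
# "to be revoked" shadow group, then take them out of the group. All values marked "assumed"
# are placeholders for this illustration.
Import-Module ActiveDirectory

$CaConfig    = 'CA01.contoso.com\Contoso Issuing CA'   # assumed: "<CA host>\<CA common name>"
$TemplateOid = '1.3.6.1.4.1.311.21.8.1.2.3.4.5'        # assumed: OID of the "Copy of User" template
$ShadowGroup = 'Wifi-to-be-revoked'                    # shadow group proposed in the answer above
$Reason      = 3                                       # certutil -revoke reason code 3 = AffiliationChanged
$DryRun      = $true                                   # only report matches; set to $false to revoke

function Get-IssuedWifiSerials {
    # Serial numbers of issued (Disposition=20) certificates for $Requester from the Wi-Fi
    # template only. Restricting on RequesterName alone would also return certificates the
    # same account holds from other templates, which is the mistake the answer warns about.
    param([Parameter(Mandatory=$true)][string]$Requester)

    $restrict = "RequesterName=$Requester,CertificateTemplate=$TemplateOid,Disposition=20"
    $view = & certutil -config $CaConfig -view -restrict $restrict `
                -out 'RequestID,SerialNumber,RequesterName,NotAfter'
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $Requester (exit $LASTEXITCODE)" }

    # certutil prints one row per certificate with a line such as:  Serial Number: "61000000..."
    foreach ($line in $view) {
        if ($line -match 'Serial Number:\s+"?([0-9A-Fa-f]+)"?') { $Matches[1] }
    }
}

function Revoke-SerialNumber {
    param([Parameter(Mandatory=$true)][string]$Serial)
    if ($DryRun) { Write-Host "DRY RUN: would revoke $Serial"; return }
    & certutil -config $CaConfig -revoke $Serial $Reason | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for $Serial (exit $LASTEXITCODE)" }
}

$netbios    = (Get-ADDomain).NetBIOSName
$revokedAny = $false

# -Recursive expands nested groups so an indirectly placed user is still processed.
$members = Get-ADGroupMember -Identity $ShadowGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    $requester = "$netbios\$($member.SamAccountName)"    # the CA stores RequesterName as DOMAIN\user
    $serials   = @(Get-IssuedWifiSerials -Requester $requester)

    if ($serials.Count -eq 0) {
        Write-Host "$requester holds no issued Wi-Fi certificate; nothing to revoke"
    }
    foreach ($serial in $serials) {
        Write-Host "Revoking $serial (template $TemplateOid) issued to $requester"
        Revoke-SerialNumber -Serial $serial               # throws on failure, so the user stays in the group
        $revokedAny = $true
    }

    # Only after every matching certificate is revoked is the user removed from the shadow group.
    if (-not $DryRun) {
        Remove-ADGroupMember -Identity $ShadowGroup -Members $member -Confirm:$false
    }
}

# A revocation is not seen by NPS/RADIUS until a new CRL is published and cached copies expire.
if ($revokedAny -and -not $DryRun) {
    & certutil -config $CaConfig -CRL | Out-Null
}
```

Run it first with $DryRun left at $true and compare the reported serial numbers against the CA console before letting it revoke anything; once the user is no longer a member of "WiFiUsers" the template ACL stops autoenrollment, so the revoked certificate is not simply re-issued at the next Group Policy refresh.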
