User is issued Multiple User Certificates
I've been responsible for setting up a PKI using Certificate Services to be used for Wireless Authentication. I've created I guess what you'd call a "stock standard" two-tier hierarchy based on Windows Server 2008 R2. I have a Standalone Root CA, which has issued a Root Certificate to an Enterprise Subordinate CA (the issuing CA) - this second server is Enterprise Edition.

I've duplicated both the Computer and User templates (using Server 2003 Enterprise Templates) and for the respective certificates I have enabled READ, ENROL and AUTOENROLL permissions for the Domain Computers and Domain Users groups. I've enabled these two templates for issuing and removed all others (not completely, just from issuing). I've then created a GPO which is ONLY enabling the Autoenrollment of the certificate (one GPO for computer, one for user). These are only linked to test OUs with one computer and two users.

The computer I am testing on is a Windows XP SP3 computer in the domain (same domain as the CAs). The computer certificate I created has correctly issued a single certificate to this PC (and re-issued another certificate after testing revocation). All happy with this.

BUT - the user account I have been using to test seems to be generating multiple certificates for a single user. I believe some of this has happened because I've used this user to log into machines that the computer certificate GPO is not applied to (so another computer cert, but not another computer cert). But 2 certificates were issued in the middle of the night when I was not around. When NO ONE was around.

So, I want to ask two things:

1. Is it OK for the CA to show multiple user certificates for the same user based on it having actually logged into multiple machines (certificate template says to store in AD)?

2. Is there any way to tell where the request for these user certificates came from? i.e. maybe someone has used the account for some service or something like that.

I hope this is somewhat clear.
Certificate Services installation is not something that you do very often, so I've not really had a lot of experience with it (yet!!). Hoping someone might have some ideas.

Thanks, Matthew
November 18th, 2010 10:54pm

Hi,

#1, the behavior may occur if the user logs on to multiple computers, because the user certificate is stored in the local user profile by default. You can select the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" check box on the General tab of the certificate template and check if it can meet your requirement. "Without this setting and without roaming profiles, the user will automatically be enrolled on every machine that is logged on to (including servers)." For more information, please see http://technet.microsoft.com/en-us/library/cc787781(WS.10).aspx

#2, enabling CA auditing may meet your requirement. http://technet.microsoft.com/en-us/library/cc758154(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 25th, 2010 9:47pm

1) You should carefully use Joson's mentioned option. If you select this option the user may not be able to perform his/her required task, for example authenticate to VPN and/or IIS, perform file encryption and so on. For users who log on to multiple computers I would advise implementing smart cards. This allows the same certificates to be used on multiple computers.

2) You don't need to enable audit, because it is not easy to find the event log entry for a certain request. This information is registered in the CA database. Open the Certification Authority MMC snap-in and select the Issued Certificates node. Click View -> Add/Remove columns and add the Binary Request column. After that click on the request, click Action -> All Tasks -> Export binary data. In the drop-down list select Binary Request and click Ok. You will need to find the Client Information section that looks like this:

Attribute[0]: 1.3.6.1.4.1.311.21.20 (Client Information)
Value[0][0]:
Unknown Attribute type
Client Id: = 5
ClientIdDefaultRequest -- 5
User: domainname\administrator
Machine: gw.domainname.com
Process: MMC.EXE

http://en-us.sysadmins.lv
November 26th, 2010 2:08am
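The same lookup can be scripted from the issuing CA with certutil, which queries the CA database that the MMC Issued Certificates node displays. This is an added example, not code from the thread: it assumes it is run on the Enterprise Subordinate CA, that $Requester is replaced with the account under investigation, and that autoenrolled requests carry the "ccm" request attribute (the submitting client's machine name); the second function decodes the Client Information block from a request exported as described above.

```powershell
# Added example (not from the thread). Assumes certutil.exe on the issuing CA.
param([string]$Requester = 'DOMAIN\testuser')   # placeholder account, replace it

# List issued certificates (Disposition 20 = Issued) for one requester and pull the
# submitting machine out of the request attributes. The "ccm" attribute is assumed
# to be present on autoenrolled requests; if it is absent, fall back to the
# exported binary request below.
function Get-IssuedRequestsForUser {
    param([string]$Name)
    $cols = 'RequestID,RequesterName,SubmittedWhen,CertificateTemplate,RequestAttributes'
    $raw  = certutil -view -restrict "RequesterName=$Name,Disposition=20" -out $cols -csv
    # Keep only CSV rows (quoted fields), drop certutil's trailer, then skip the header row.
    $rows = $raw | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
            ConvertFrom-Csv -Header ID,Requester,Submitted,Template,Attributes
    foreach ($r in $rows) {
        $machine = if ($r.Attributes -match 'ccm:(\S+)') { $Matches[1] } else { '(not recorded)' }
        [pscustomobject]@{
            RequestID = $r.ID
            Submitted = $r.Submitted
            Template  = $r.Template
            Machine   = $machine
        }
    }
}

# Decode the Client Information attribute (OID 1.3.6.1.4.1.311.21.20) from a binary
# request exported via Action -> All Tasks -> Export binary data -> Binary Request.
# certutil -dump prints the User/Machine/Process lines shown in the post above.
function Get-RequestClientInfo {
    param([string]$RequestFile)
    $info = @{ User = $null; Machine = $null; Process = $null }
    foreach ($line in (certutil -dump $RequestFile)) {
        if ($line -match '^\s*(User|Machine|Process):\s*(.+?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$info
}

# Usage: requests submitted overnight stand out by the Submitted column; any
# Machine/Process pair that is not a workstation running autoenrollment
# (e.g. a server and a non-interactive process) is worth following up.
Get-IssuedRequestsForUser -Name $Requester | Sort-Object Submitted | Format-Table -AutoSize
# Get-RequestClientInfo -RequestFile 'C:\temp\exported.req'   # placeholder path
```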

Another option is to install and configure Credential Roaming Services. CRS will allow software-based certificates to follow the user as they log on to different computers. CRS stores the user's software certificates and private keys within their user object in AD. When the user logs on to a new system, the certificates and private keys are downloaded to the new computer before any autoenrollment actions take place (preventing new certificates from being issued). CRS will also protect against a user's profile being deleted.

http://technet.microsoft.com/en-us/library/cc700815.aspx

Look into it!

Brian
November 26th, 2010 8:56am
