multiple/duplicate workstation certificates being issued
I've set up a 2-tier PKI, am using Certificate Services Client - Auto Enrollment, with v2 templates to get Windows XP SP3 and Windows 7 workstations enrolled. The template being used has "Publish certificate in Active Directory" and "Do not automatically reenroll if a duplicate certificate exists in Active Directory" checked. Clients and servers are being issued certificates; the problem is that they're being issued multiple certificates from the same template, sometimes within minutes of the last one. In a test environment with 5 servers and 20 workstations, over 150 certificates have been issued over 3 days. The Windows XP clients seem to be issued certificates more frequently, but even the Windows 2008R2 servers and Windows 7 clients are being issued multiple certificates. The issuing CA only has a v2 workstation template active. Is this normal?
May 6th, 2011 11:08am

Are you using credential roaming? The behavior you describe isn't what I would consider normal. I've heard of an issue with Windows Vista when deploying EFS certificates and using credential roaming whereby the client computers end up with a lot of certificates. Not sure if this has any relation to that. It would be helpful if you can take a screenshot of the Certificates MMC showing the issued certificates. Brian
May 6th, 2011 6:43pm

So what point exactly was the answer?
September 3rd, 2012 4:41am

Here is my GPO
September 12th, 2012 4:38pm

The problem is that the 2008 CA is using SHA256 for hashing and XP is unable to understand it. Below is the hotfix for XP SP3 clients, which should resolve the issue: http://support.microsoft.com/kb/968730/EN-US. Download this zip file and install it onto the XP SP3 client.
September 17th, 2012 2:01pm

This topic is archived. No further replies will be accepted.
