Certificate Autoenrollment in Windows Server 2003
Certificate Autoenrollment in Windows Server 2003Published: April 1, 2003  On This PageIntroductionMicrosoft Windows Server 2003, Enterprise Edition introduces the capability to automatically enroll users and computers for certificatesincluding smart cardbased certificates. Using the autoenrollment feature, organizations can manage the certificate lifecycle for users, which includes:
Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. This combination allows the Windows XP Professional or Windows Server 2003 client to enroll users when they log on to their domain, or a machine when it boots, and keeps them periodically updated between these events. Automatic enrollment of user certificates provides a quick and simple way to issue certificates to users and to enable public key infrastructure (PKI) applications, such as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL), Secure/Multipurpose Internet Mail Extension (S/MIME), and others, within an Active Directory directory service environment. User autoenrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) for a PKI implementation when Windows XP Professional clients are configured to use Active Directory. Supports Pending Certificate Requests and Certificate RenewalUser autoenrollment in Windows XP Professional and Windows Server 2003 supports both pending certificate requests and renewal features. Requesting a CertificateYou can manually or automatically request a certificate from a Windows Server 2003 certificate authority (CA). This request is held until administrative approval is received or the verification process is completed. Once the certificate has been approved or issued, the autoenrollment process completes and installs your certificate automatically. Renewing a CertificateThe process for renewing an expired user certificate also takes advantage of the autoenrollment mechanism. Certificates are automatically renewed on behalf of the userdependent on the specifications in the certificate template. DependenciesThe autoenrollment feature has several infrastructure requirements. These include:
Note: Autoenrollment Group Policy settings may only be applied when using a Windows XP Professional or Windows Server 2003 computer. Topics Covered
How Autoenrollment WorksThis section discusses how autoenrollment works, including autoenrollment and Winlogon, an analysis of the components of the autoenrollment process, and working with certificate authority interfaces. Key PointsAutoenrollment works best in a Windows Server 2003 Enterprise environment where the Windows XP client is integrated with Active Directory. Only domain-joined machines can use certificate autoenrollment. Although the autoenrollment process does not explicitly look for domain-joined machines, the Winlogon process will not activate userinit.exe unless the machine/user is part of a domain. Autoenrollment TimingThe autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated. For additional information, see Updating Group Policy. Note: Unlocking the workstation does not trigger autoenrollmentonly a full interactive logon or a Group Policy refresh will initiate the Winlogon trigger. The Autoenrollment ProcessThe autoenrollment feature handles all aspects of certificate enrollment, renewal, and certificate housekeepingexcept in the case where user interaction is explicitly defined on a certificate template in Active Directory. When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine; for example, root CA certificates, cross-certificates, and the NTAuth container. The autoenrollment process also downloads certificate templates from the forest and caches the list in the registry at the same time. The last step performed by autoenrollment is user-object cleanup (userCertificate attribute) in Active Directory. Revoked, expired, and superseded certificates are removed from the user object automatically; however, expired certificates are not removed unless a new valid certificate is issued at the same time. Certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously. Requirements ListThe autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template or the template will not be enumerated. The users or machines MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time invalid certificates and so on, and add these certificates to the requirements list. For more information on certificate stores, refer to the Microsoft Platform SDK: http://msdn.microsoft.com/library/en-us/security/security/managing_certificates_with_certificate_stores.asp It is very possible that a user may have a certificate in the MY store but not have permissions set on a template access control list (ACL) in Active Directory. These will be processed and added to the list, but enrollment will most likely fail due to the fact that the template permissions do not allow enrollment/renewal at the updated point in time. Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object and the requirement will be removed from the list, if successful. Note: Checking Active Directory for the presence of an existing certificate associated with the user or machine object can affect performance and may delay autoenrollment processing due to the network and directory requirements for performing this operation. This is because the actual certificates in the userCertificate attribute will be downloaded and examined. When this happens, the directory cannot be queried via Light Weight Directory Access Protocol (LDAP) to simply respond whether a given certificate type exists without downloading and processing the certificates locally. Autoenrollment also manages the CryptoAPI REQUEST store for the user. This process enumerates each pending request in the store and then installs the pending certificate, if possible, from the issuing CA. If a certificate is to be archived or deleted, based on the certificate template rule, it will be processed as follows:
Autoenrollment can be used to retrieve pending requests only for certificates with template information, for example, an initial request involving a certificate template. The autoenroll ACL on the certificate template is not necessary for the autoenrollment process to retrieve a pending certificate request. If the user enrolls via a Web page and the certificate request is pending, autoenrollment will retrieve the pending request for the user. Template supersede rules will be evaluated and appropriate additions and deletions will be processed for the requirements list. For example, if the template says "X supersedes Y ", it means that if you have been told to enroll for X and Y, you really only need X. If you only have Y, you still must get X. This is the last step in rule processing. After it is done, the requirements list is complete. For each template that does not require user interaction, the autoenrollment process will create the requests in the background and submit them to a CA. Once this is done, the requirements list is updated. Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certificate authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certificate authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline. If a certificate is issued from the CA, it is installed in the users or machines MY store. If the certificate is pended [specified by the CA Manager approval check box in the Certificate Template Microsoft Management Console (MMC) snap-in], the request information is saved in the REQUEST store. Balloon User InterfaceFor each request that requires user interaction as per the certificate template, the balloon user interface (UI) is invoked.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress Using this key in a normal production environment is not recommended. If it is used, it must be created on a per-user basis. Important: Machine certificates do not support user interaction and should not be configured to require this setting.
Issuing the TemplateOnce a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certificate Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate. The client contacts a CA through a Distributed Component Object Model (DCOM) interface and supplies a security context through DCOM to provide an authenticated request. The default policy module of the Microsoft Enterprise CA enforces certificate profiles and enrollment security as defined by the templates. If the certificate authority is set to pend the request for an administrator or certificate manager to examine and approve, autoenrollment will periodically query the CA during every Group Policy refresh interval for approved requests. Autoenrollment will also re-enroll templates when Reenroll all certificate holders has been set in Group Policy. For more information, see Certificate Renewal. Certificate Authority InterfacesThe following methods are used by the autoenrollment process for contacting and enrolling against a Microsoft Enterprise CA.
These methods can be found in the Platform SDK at http://msdn.microsoft.com/library/default.aspConfiguring the Certificate Templates This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained. Key PointA version 2 certificate template must first be created in Active Directory to enable autoenrollment. Default SettingsThe following are default settings.
Note: Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certificate authority may issue a version 2 template certificate. Creating a New Template for the Autoenrollment of a Smart CardTo create a new template for autoenrollment of a smart card
Note: The Autoenrollment column will automatically indicate if a template is suitable for autoenrollment. The user will not be able to change the status. If a template has more than one registration authority (RA) signature required or if the subject is supplied by the requester, autoenrollment will not be allowed. The column does not reflect the state of the autoenroll ACL on the template. Important: A smart card that has been issued on Windows XP client or Windows XP Enrollment Station (RA) might only be compatible with a Windows XP client. The compatibility varies between various smart card and CSP vendors. If you need to be able to log on to both Windows 2000 and Windows XP, see your smart card and CSP vendor for additional information. Certificate Template PermissionsFor a user or computer to enroll for a certificate template, it must have appropriate permissions (ACEs) set on the template in Active Directory. A user or computer must have both Enroll and Read permissions to enroll for a selected certificate template.
Configuring an Enterprise CAThis section shows how a Microsoft Enterprise CA must be configured to issue a certificate template after it has been created. How to Configure an Enterprise CATo configure an Enterprise CA
Configuring Group PolicyThis section shows how to configure the Group Policy settings for a site, domain, or organizational unit (OU). How to Configure Group PolicyGroup Policy settings for a site, domain, or OU must be configured to enable certificate autoenrollment in a domain. To configure Group Policy
User AutoenrollmentThis section illustrates manually pulsing autoenrollment and smart card enrollment. Key PointsUser autoenrollment for a smart card requires mandatory manual steps and user interaction, unlike other certificate types. Once autoenrollment has been enabled, the user will receive an informational balloon on the taskbar at the next Group Policy pulse interval (default of eight hours) or at the next logon. Manually Pulsing AutoenrollmentAutoenrollment may be pulsed manually through the Certificates MMC snap-in. To manually trigger autoenrollment
Smart Card Enrollment
Certificate RenewalThis section discusses renewal intervals, forced re-enrollment, and smart card renewal. Renewal IntervalsWindows XP Professional or Windows Server 2003 clients, when combined with a Windows Server 2003, Enterprise Edition certificate authority, will perform automatic renewal of certificates as specified on a per-template basis. Renewal intervals are dictated by the certificate template, which is set to six weeks (before expiration) by default. When certificate renewal is performed, the old (previous) certificate enrollment is always archived automatically on the client machine, and the user directory object is updated. Important certificate renewal criteria include the following:
Forcing Re-EnrollmentAn administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template. To manually force the template version to be updated (thereby forcing re-enrollment)
Smart Card RenewalThe renewal behavior of a smart card may vary depending on the type of smart card CSP being used and the state of the card at the time of renewal. In general, if the smart card being used has available space for an additional enrollment and the CSP supports multiple keys on a single card, autoenrollment will request the card to generate a new key for enrollment. If this succeeds, the certificate is written to the card and the container is marked as default. The default container is the only container that the Winlogon process will enumerate for a smart card logon certificate and key. If the smart card or CSP cannot generate a new key on the card, the existing key will be reused and a new certificate will be forced onto the card. This action will generate an event in the machines application event log. Note: Autoenrollment will always use a newly generated key for all enrollment and renewal requests. The only exception to this rule is in the case of some smart card CSPs that cannot support a new key due to storage limitations on the smart card. If a key is reused, an event will be entered in the Client application log. Revoked Certificates and RenewalRevoked certificates may not be renewed and may not be used to sign a renewal request. This scenario is explicitly blocked by autoenrollment. In this scenario, a user must perform a new manual enrollment request instead of renewal. Autoenrollment FunctionsThis section discusses various functions performed by the autoenrollment process on Active Directory domain-joined machines. Download of Active Directory Certificates and Trust ObjectsAutoenrollment automatically downloads and manages trusted root certificates, cross-certificates, and NTAuth certificates from Active Directory into the local machine registry for domain-joined machines. All users who log on to the machine inherit the trust and downloaded certificates that are downloaded and managed by autoenrollment. Deleting Expired and Revoked CertificatesAutoenrollment deletes expired and revoked certificates in the userCertificate attribute on the user object in Active Directory. This feature can be enabled through user or machine Group Policy to help ensure that only valid and active certificates are used for encryption operations. The exit module on the Windows Server 2003 CA also helps to manage the user account in Active Directory, but only deletes expired certificatesit does not remove revoked certificates due to performance reasons. In general, there is no value in publishing a signing certificate to the user object in Active Directory, except for purposes of record-keeping. Managing User Certificates in the CryptoAPI MY StoreCertificates in the users local MY certificate store may also be managed through the autoenrollment process. On a per-template basis, autoenrollment can be enabled to delete expired and revoked signature certificates. Encryption certificates and keys are never automatically deleted. However, autoenrollment only manages certificates that correspond to certificate templates defined in Active Directory that contain the certificate template extension. This feature is enabled by setting this policy on the Request Handling tab in the Properties of a given certificate template (Figure 15). If the Delete revoked or expired certificates check box is not enabled, autoenrollment will archive all expired and revoked certificates in the users MY store. As mentioned previously, this setting does not affect the userCertificate attribute in Active Directory for the user object. Note: This feature is only enabled with encryption keys, not signature key types, which are not normally published to Active Directory. Updating Group PolicyThis section discusses how to update User and Machine Group Policy. User and Machine Group PolicyUser autoenrollment is triggered by the Winlogon process (interactive logon with CTRL+ALT+DELETE keys) or at Group Policy refresh intervals. Normally, User Group Policy is refreshed at logon and Machine Group Policy is refreshed at machine reboot. Group Policy may be manually refreshed using the gpupdate.exe tool that is included in Windows XP. Manually Forcing a Group Policy UpdateTo manually force a Group Policy update (for a user or a machine)
Advanced FeaturesThis section discusses templates that require certificate manager approval, self-registration authority, and how to supersede a certificate template. Requiring Certificate Manager ApprovalA specific certificate template can require that a certificate manager (CA officer) approve the request prior to the CA actually signing and issuing the certificate. This advanced security feature works in conjunction with autoenrollment and is enabled on the Issuance Requirements tab of a given certificate template ( Figure 17). This setting overrides any pending setting on the CA itself. Once certificate manager approval is required, all automatic enrollment requests are not issued until a certificate manager manually approves the request. The autoenrollment process will periodically check the CA for approved requests and install the certificates automatically. Smart cards, user certificates, and machine certificates support pending requests. In the case of smart cards, the user will be prompted to insert the smart card when the certificate is issued so that the certificate may be written to the card. Note: The autoenrollment process supports a maximum of one signature requirement on the template. This limitation exists to support the self-registration authority feature described in Self-Registration Authority. If multiple signatures are desired for a given certificate enrollment, manual enrollment should be used. Self-Registration AuthorityThe self registration authority (Self RA) is an advanced feature of certificate enrollment that may be combined with the autoenrollment process. Self RA refers to certificate enrollment based on the existence of a previously enrolled certificate in which the users private key is used to sign the new certificate request. The Certificate Management Messages over CMS (CMC) protocol provides for this feature where one or more signatures may be used or required for a given certificate enrollment. Self RA requirements are defined in a certificate template which may be managed using the Certificate Templates MMC snap-in.
The previous setting is a useful configuration for customers who want to manually enroll users for smart cards with an enrollment station. Then they can supersede the original template with a new template with the previous settings to allow automatic renewal through the autoenrollment process, which will require the user to sign the renewal request with the old certificate. Additional Self RA Example: You could add the Application Policy for a smart card logon certificate that would be used to enroll for an EFS certificate. This would mandate that users sign their request for an autoenrolled EFS certificate with a valid smart card certificate. The user would then be prompted to insert a smart card and enter a PIN when autoenrollment was activated for the EFS certificate. Superseding Certificate TemplatesCertificate autoenrollment also supports the concept of superseding a template or a previously enrolled certificate. Superseding a template allows an administrator to re-enroll, change, or combine previously issued certificate enrollments into a new certificate enrollment. Autoenrollment always examines existing certificates in the users store and determines if the template used in the issued certificate has been superseded. If a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting. BenefitsSuperseding certificate templates is especially useful in the following scenarios.
To create or modify a template to supersede an existing certificate
Note: Superseding a certificate always generates a new private key for the user or machine. Supported HardwareThis section lists the smart card readers and smart cards that are supported in the default installations of Windows 2000 and Windows Server 2003. Table 1 Smart Card Readers
Table 2 Smart Cards
Note: The GEMPLUS GemPC430 is not supported on Windows Server 2003. TroubleshootingThis section outlines key scenarios that need to be considered when troubleshooting autoenrollment. It also covers how to prepare for autoenrollment failures and lists event logging messages. Key IssuesThe following key issues need to be considered when troubleshooting autoenrollment. Infrastructure RequirementsWindows XP clients and Windows Server 2003 CAs will always request LDAP-signed communications with domain controllers as a security function. Before deploying autoenrollment or a Windows Server 2003 CA, all domain controllers running Windows 2000 should be upgraded to Service Pack 3 or greater. Root and Cross-Certificate Download from Active DirectoryAutoenrollment automatically downloads root certificates and cross-certificates from Active Directory whenever a change is detected in the directory or when a different domain controller is contacted. If a third-party root certificate or cross-certificate is deleted from the local machine store, autoenrollment will not download the certificates again until a change occurs in Active Directory or a new domain controller is contacted. To manually force a new download, delete the following registry key and all subordinate keys on all affected machines. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache EFS and AutoenrollmentEFS always attempts to enroll for the Basic EFS template by default. The EFS component driver generates an autoenrollment request that autoenrollment tries to fulfill. For customers who want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supersede the Basic EFS template. The Basic EFS template should also be removed from any Enterprise CA. This will ensure that autoenrollment will not attempt enrollment for the Basic EFS template any more. For customers who wish to replace the Basic EFS template with a certificate and key that is archived through the Windows Server 2003, Enterprise Edition CA, the proper procedure is to supersede the Basic EFS template with a new version 2 certificate template. Smartcard RenewalThe Smartcard Logon and Smartcard User version 1 templates may not be renewed through autoenrollment. To renew a version 1 Smartcard Logon or Smartcard User template, the proper procedure is to supersede these templates with a new version 2 template. Autoenrollment always attempts to generate a new key when performing certificate renewal. For smart cards with limited space that do not support additional key generation, autoenrollment will attempt to reuse the key; however, additional space will still be required to install the new certificate. If no space is available on the card for these operations, the renewal through autoenrollment may fail. Autoenrollment and Strong Private Key ProtectionThe version 2 certificate template properties on the Request Handling tab support the ability to require a user password when the private key is used by applications. This is set by selecting the Prompt the user during enrollment option and requires user input when the private key is used. It is important to never use this option for smart card certificates as smart card CSPs also do not support this capability. If this option is chosen, autoenrollment may fail. Removal of Certificates on Domain Join/Change DomainWhen a machine is removed from a domain or added to a new domain, all the downloaded certificates from Active Directory will be removed and refreshed if applicable. Certificates that were issued or autoenrolled from a previous forest will not be removed unless the machine is a domain controller. All client machines will automatically update certificates when the domain or machine information changes. When machines or users have certificates that are required for secure network communications, wireless communications, and so on, it may be necessary to delete the old certificates after joining a new domain or forest. Autoenrollment FailuresAutoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template. To enable the warning feature for an autoenrollment failure
Re-Initialized Smart CardsIf enrollment for a certificate is based on the existence of a smart card certificate and if the smart card has been re-initialized, the smart card Insertion dialog box will ask the user to insert a smart card matching the key container identified by the old certificate. Since the key container has been deleted, the Insertion dialog box will continue to display despite the fact that the user has removed and inserted the card. The only choice is to click Cancel and fail the enrollment. Enhanced Event LoggingBy default, autoenrollment logs errors/failures and successful enrollments in the Application event log on the client machine. To enable enhanced logging of autoenrollment processes to include warning and informational messages, the following registry values must be created. User AutoenrollmentHKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named AEEventLogLevel"; set value to 0. Machine AutoenrollmentHKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel", set value to 0. Note: All failures and errors are automatically logged. It is not necessary to enable the registry key to turn on failure logging. Event Log MessagesThe following event log messages only appear when additional event logging is enabled. Success Event Log MessagesThe following are samples of successful event log messages.
For more information, see Help and Support Services at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Services at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Services at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This event signifies the fact that the private key was reused during a certificate renewal. Failed Event Log MessagesThe following are samples of failed event log messages.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This error most often occurs when a user is logged on to a machine with cached credentials and is offline. Therefore, autoenrollment cannot continue and will be attempted later.
For more information, see Help and Support Services at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This error most often occurs when a domain controller is not available or is not accessible by the client. Common causes include network errors, network connectivity, and so on.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This error typically occurs when the certificate authority is not available on the network or the service is stopped.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This is a rare event when the certificate authority is under heavy load and cannot respond to the request in a timely manner. Autoenrollment will automatically try again at a later time.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This is the same error as the previous one, but it involves a renewal.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This is an autoenrollment error that occurs when a user has a certificate and private key installed that corresponds to a given template that is now expiring. Autoenrollment attempts to automatically renew the certificate; however, the user does not have applicable permissions for this template and therefore autoenrollment fails. Autoenrollment is based on certificates in the store as well as certificate template settings.
For more information, see Help and Support Center at http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto&sd=gn&ln=en-us&fr=0 Note: This error occurs when the user account in Active Directory does not have a valid e-mail address on the user property page in Active Directory Users and Computers MMC snap-in. Enrollment for certificate templates in Active Directory requires an e-mail address to exist prior to enrollment. Event Log ToolsA new tool (script) is included on the Windows XP Professional and Windows Server 2003 client to query a local system for various events. This script can be used to identify autoenrollment errors on the client and perform appropriate actions. The command line help for this tool is noted and provided as follows: Z:\>eventquery /?
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
----------------------------------------------------------------------
EVENTQUERY.vbs [/S system [/U username [/P password]]] [/FI filter]
[/FO format] [/R range] [/NH] [/V] [/L logname | *]
Description:
The EVENTQUERY.vbs script enables an administrator to list
the events and event properties from one or more event logs.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which the
command should execute.
/P password Specifies the password for the given
user context.
/V Specifies that the detailed information
should be displayed in the output.
/FI filter Specifies the types of events to
filter in or out of the query.
/FO format Specifies the format in which the output
is to be displayed.
Valid formats are "TABLE", "LIST", "CSV".
/R range Specifies the range of events to list.
Valid Values are:
'N' - Lists 'N' most recent events.
'-N' - Lists 'N' oldest events.
'N1-N2' - Lists the events N1 to N2.
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/L logname Specifies the log(s) to query.
/? Displays this help/usage.
Valid Filters Operators allowed Valid Values
------------- ------------------ ------------
DATETIME eq,ne,ge,le,gt,lt mm/dd/yy(yyyy),hh:mm:ssAM(/PM)
TYPE eq,ne ERROR, INFORMATION, WARNING,
SUCCESSAUDIT, FAILUREAUDIT
ID eq,ne,ge,le,gt,lt non-negative integer
USER eq,ne string
COMPUTER eq,ne string
SOURCE eq,ne string
CATEGORY eq,ne string
Note: Filter "DATETIME" can be specified as "FromDate-ToDate" Only "eq" operator can be used for this format. Examples: EVENTQUERY.vbs EVENTQUERY.vbs /L system EVENTQUERY.vbs /S system /U user /P password /V /L * EVENTQUERY.vbs /R 10 /L Application /NH EVENTQUERY.vbs /R -10 /FO LIST /L Security EVENTQUERY.vbs /R 5-10 /L "DNS Server" EVENTQUERY.vbs /FI "Type eq Error" /L Application EVENTQUERY.vbs /L Application /FI "Datetime eq 06/25/00,03:15:00AM-06/25/00,03:15:00PM" EVENTQUERY.vbs /FI "Datetime gt 08/03/00,06:20:00PM" /FI "Id gt 700" /FI "Type eq warning" /L System EVENTQUERY.vbs /FI "Type eq error OR Id gt 1000 " SummaryWindows Server 2003, Enterprise Edition through the Certificate Services component provides user certificate autoenrollment. This allows administrators to easily deploy certificates throughout the enterprise while requiring no user interaction. User certificate autoenrollment in the Windows XP Professional and Windows Server 2003 operating systems builds on Microsofts long-established reputation for shipping robust PKI components that have a low TCO. Since PKI is an integral part of the Windows XP Professional operating system, Windows Server 2003 PKI provides some distinct advantages over third-party add-in components. These advantages include:
Keep in mind that almost all third-party PKIs must be purchased separately, and require per-certificate license fees and increased management tasks. Overall, certificate autoenrollment features in Windows Server 2003 should provide organizations and enterprises with the ability to effortlessly deploy digital certificates and PKI-enabled applications with little or no additional cost to a normal IT operations budget. Related Links |
