User Autoenrollment
Applies To: Windows Server 2003 with SP1
This section illustrates manually pulsing autoenrollment and smart card enrollment.
Key Points
User autoenrollment for a smart card requires mandatory manual steps and user interaction, unlike other certificate types. Once autoenrollment has been enabled, the user will receive an informational balloon on the taskbar at the next Group Policy pulse interval (default of eight hours) or at the next logon.
Manually Pulsing Autoenrollment
Autoenrollment may be pulsed manually through the Certificates MMC snap-in.
To manually trigger autoenrollment
Log on to the domain with the appropriate user account.
Click the Start button, and then click Run.
Type mmc.exe, and press ENTER.
An empty MMC shell starts.
Select the File menu, and then select Add/Remove Snap-In.
A dialog box appears with a list of the snap-ins that have been added to the MMC shell.
Click Add.
A list of the registered snap-ins on the current machine appears.
Double-click the Certificates snap-in, select My User Account, and then click Finish. If enrolling the machine for a certificate, such as a domain controller or a Web server, select Computer account.
Click Next.
Select Local Computer, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close. In the Add/Remove Snap-in dialog box, click OK.
The MMC now contains the personal certificate store for the user.
Right-click the top of the tree on CertificateCurrent User, select All Tasks on the context menu, and then select Automatically Enroll Certificates (Figure 9).
Figure 9: Automatically Enrolling Certificates
Note
It will take approximately one minute for the Certificate Enrollment balloon to be displayed, unless the registry key mentioned previously has been set. (See Balloon User Interface.)
Smart Card Enrollment
Click the balloon or the corresponding certificate icon in the notification area once the Certificate Enrollment balloon is displayed. After a short period of time, the balloon will automatically disappear, and only the icon in the notification area will remain. After clicking the balloon, the Autoenrollment UI will start.
Note
The certificate enrollment balloon and wizard are not only for smart card enrollment but also for self-registration authority.
Click the Start button (Figure 10).
The wizard will begin. (The Remind Me Later button will cause the Certificate Enrollment balloon to re-appear at the next Group Policy pulse interval or the next interactive logon.)
Figure 10: Begin Enrolling Certificates
If a smart card with the required CSP on the certificate is not inserted in the smart card reader, the user will be prompted to insert a smart card. Insert the smart card and click OK.
Note
If the certificate template on the users machine contains more than one CSP, the user may have to cycle through the wizard to reach the desired smart card CSP.
If the displayed smart card CSP is not the desired CSP, click Cancel.
The next CSP listed in the certificate template will be displayed.
After inserting an appropriate smart card, click OK.
The wizard will continue.
Note
If the smart card contains a private key and certificate in Slot0 (default container), the user will be warned about replacing the credentials on the smart card.
Important
Due to limitations with the smart card CSPs, smart card logon with both Windows 2000 and Windows XP requires that Slot0, or the default container on the card, be used to hold the certificate and private key used for smart card logon. If the card contains multiple keys and certificates, the last generated key and certificate will be marked as the default container on the card.
If it is desired to replace the credentials on the smart card, click Yes (Figure 11).
The wizard will continue (Figure 12).
(The following is only one example of the dialog box a user may see. The smart card UI varies depending on the CSP being used.)
Figure 11: Replacing Credentials Dialog Box
Figure 12: Enrolling Certificates
If a PIN is necessary for the smart card, a dialog box will be displayed. Enter the appropriate PIN and click Enter.
Enrollment completes.
Note
If you enter the PIN incorrectly, the number of times you can retry will be limited.
The success or failure of the autoenrollment process will be logged in the Application event log on the local computer. Also, a summary dialog box will appear for failed certificate requests that involved user interaction. If a failure occurs during enrollment, the user will be notified of the failure (Figure 13).
Figure 13: Notifying the User of Errors While Enrolling Certificates
Note
Users are not prompted when enrollment succeeds.