Auto-Enrolled (GPO) Email Encryption Certificates - multiple and why

Daisy Zhou 20,791 Reputation points Microsoft Vendor
2020-07-15T06:23:03.533+00:00

Based on this procedure https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll we have set up a certificate autoenrollment group policy in order to autoenroll Email Signing and Encryption certificates to AD users. This policy only issues such a certificate once at first logon (when the GPO is applied for the first time) and then it renews certificates that are about to expire.
This works quite fine, but I remarked that sometimes some users have 2 or even 3 valid certificates, all based on different private keys but the same template. These users for sure haven't enrolled a new certificate on their own.
And second, all certificates are published to the user object in AD. But also here I am a bit confused, because from my knowledge these published certificates are the ones an Outlook/Exchange (on-premises) AD sender uses in order to encrypt mails to other AD recipients. Which certificate is chosen if there is more than one valid certificate? I thought it would at least always go for the one with the longest expiry period from today, but not even this is the case. I have a particular user who has 3 certificates bound to his AD user object; the expiry dates are:
1.01.2020
31.12.2021
10.02.2021
The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021, which is even the one with the shortest expiry period. And guess what, a sender's Outlook chooses this one, which is the right one, no problem. But why this one and not another one of the 3, and where may the other 2 certificates come from? Why have they ever been issued by our PKI?
I would be glad if someone could explain what the cause for multiple certificate issuance might be and in which order these are handled by AD.
Kind regards,
Dieter

Source link:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5f3c0a95-13f6-4872-8ae0-6c285d04841c/autoenrolled-gpo-email-encryption-certificates-multiple-and-why?forum=winserverGP


Accepted answer
Fan Fan 15,321 Reputation points Microsoft Vendor
2020-07-15T06:32:08.483+00:00

Hello,

According to "The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021," where do we see the other two certificates?

I think the user uses the certificate in his/her certificate store.

We can check how the other two certificates are requested.

On one domain-joined client, log on with one domain user account and open Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational.

We can check event ID 1006:
Process Name
Account Name
Context
Action

Here is an autoenrolled computer certificate after I ran the gpupdate /force command.

Process Name: Taskhostw.exe
Account Name: B\daisy11
Context: User
Action: Enroll

After auto-enrolling the above user certificate with the User1 certificate template via GPO, I can also enroll another certificate with the same User1 certificate template manually. And here is a user certificate I requested manually with the User1 template.

Process Name: mmc.exe
Account Name: B\daisy11
Context: User
Action: Enroll

Best Regards,
Fan
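A way to run the check Fan describes (event ID 1006 in the CertificateServicesClient-Lifecycle-User log, with the process that requested each certificate) from a PowerShell prompt instead of Event Viewer, and to compare the certificates published on the AD user object with the ones in the user's local Personal store. This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined client, a domain user session, the log name shown in the answer, that the event's fields can be read generically from the event XML, and it uses `User1` as a placeholder template name.

```powershell
# Added example, not part of the original thread. Assumes a domain-joined client and
# a domain user account; run it in a PowerShell session of the user being investigated.
# 'User1' below is only a placeholder for the Email Signing and Encryption template name.

# Event ID 1006 in the user lifecycle log is written for every enrollment. The
# Process Name tells you who asked for the certificate: Taskhostw.exe is the
# autoenrollment task, mmc.exe a manual request via the Certificates snap-in.
function Get-UserEnrollmentEvents {
    param([int]$MaxEvents = 50)
    $log = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1006 } -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Field names differ between event versions, so read every <Data Name="..."> element
            # from the raw event XML instead of assuming fixed property names (assumption).
            $xml   = [xml]$_.ToXml()
            $props = [ordered]@{ TimeCreated = $_.TimeCreated; Message = $_.Message }
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d -is [System.Xml.XmlElement] -and $d.Name) { $props[$d.Name] = $d.'#text' }
            }
            [pscustomobject]$props
        }
}

# Returns the template a certificate was issued from. v1 templates carry the name in
# OID 1.3.6.1.4.1.311.20.2; v2+ templates carry the "Certificate Template Information"
# extension (OID 1.3.6.1.4.1.311.21.7), which Format() renders as readable text.
function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

# Compares the certificates published on the AD user object (userCertificate attribute,
# read via ADSI so no RSAT module is needed) with the user's local Personal store.
# A published certificate that is not in the local store has no private key here,
# so this user on this machine cannot sign or decrypt with it.
function Compare-PublishedCertificates {
    param([string]$SamAccountName = $env:USERNAME, [string]$TemplateFilter = 'User1')
    $local    = Get-ChildItem Cert:\CurrentUser\My
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "User '$SamAccountName' not found in AD" }

    $rows = foreach ($raw in $entry.Properties['usercertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList (,[byte[]]$raw)
        $template = Get-TemplateName $c
        if ($TemplateFilter -and $template -notlike "*$TemplateFilter*") { continue }
        $inStore = $local | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
        $hasKey  = $false
        if ($inStore) { $hasKey = [bool]$inStore.HasPrivateKey }
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            NotBefore     = $c.NotBefore
            NotAfter      = $c.NotAfter
            Template      = $template
            InLocalStore  = [bool]$inStore
            HasPrivateKey = $hasKey
        }
    }
    $rows | Sort-Object NotAfter -Descending
}

# Usage: which process enrolled each certificate, then local store vs. AD-published set.
Get-UserEnrollmentEvents | Format-List
Compare-PublishedCertificates | Format-Table -AutoSize
```

The second table answers the question's "where do the other 2 certificates come from" half: rows with `InLocalStore = False` are certificates the CA issued and published for this account that the user's current profile does not hold, and the 1006 events (matched by time) show whether the autoenrollment task or a manual mmc.exe request produced each of them, which is the distinction Fan draws.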
