3.1.4.1 Application Requests for a User-Certificate Binding

An application (including implementations of the EFSRPC protocol) can request a binding between a user and an EFS certificate. The application MUST provide a security context for the user. Using this security context, the EFS Group Policy client performs the following processes to establish a binding between the user and a certificate.

  1. If the EfsDisabled field equals true, return ERROR_NOT_SUPPORTED (specified in [MS-ERREF]) and do no further processing.

  2. Using the principal SID from the security context as a key, retrieve a reference to the EFS User Certificates for the user. Also, retrieve the EFS Current Key from the EFS User Certificates, if one exists.

  3. If an EFS Current Key does not exist, attempt to enroll for a new certificate using the algorithm outlined in section 3.1.4.1.1.

  4. If the enrollment request is successful, add the new certificate and private key to the EFS User Certificates collection, and mark the new certificate as the EFS Current Key within the collection.

  5. If an EFS Current Key now exists, return it as the bound certificate.

  6. Otherwise, return an error.
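The six steps above as an added Python model (not code from the specification or from any Windows implementation). The store shapes, the `enroll` callback standing in for section 3.1.4.1.1, and the `ERROR_BINDING_FAILED` placeholder for the unnamed error of step 6 are assumptions; `ERROR_NOT_SUPPORTED` is the [MS-ERREF] value.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ERROR_SUCCESS = 0
ERROR_NOT_SUPPORTED = 0x32     # [MS-ERREF]
ERROR_BINDING_FAILED = -1      # placeholder: the section names no code for step 6


@dataclass
class EfsCertificate:
    thumbprint: str
    private_key: bytes         # constructed stand-in for real key material


@dataclass
class EfsUserCertificates:
    """Per-user collection keyed by thumbprint; current_key names the EFS Current Key."""
    certificates: Dict[str, EfsCertificate] = field(default_factory=dict)
    current_key: Optional[str] = None


class EfsGroupPolicyClient:
    def __init__(self, efs_disabled: bool,
                 enroll: Callable[[str], Optional[EfsCertificate]]) -> None:
        self.efs_disabled = efs_disabled
        self.enroll = enroll   # models section 3.1.4.1.1; returns None on failure
        self.users: Dict[str, EfsUserCertificates] = {}   # keyed by principal SID

    def request_binding(self, security_context: dict) -> Tuple[Optional[EfsCertificate], int]:
        # Step 1: the EfsDisabled policy switch is checked before anything else.
        if self.efs_disabled:
            return None, ERROR_NOT_SUPPORTED
        # Step 2: the principal SID from the caller's security context selects the store;
        # the caller never names the user directly.
        sid = security_context["sid"]
        store = self.users.setdefault(sid, EfsUserCertificates())
        current = store.certificates.get(store.current_key) if store.current_key else None
        # Step 3: no EFS Current Key, so attempt enrollment.
        if current is None:
            new_cert = self.enroll(sid)
            # Step 4: on success, add the certificate and mark it as the current key.
            if new_cert is not None:
                store.certificates[new_cert.thumbprint] = new_cert
                store.current_key = new_cert.thumbprint
                current = new_cert
        # Steps 5 and 6: return the bound certificate, or an error.
        if current is not None:
            return current, ERROR_SUCCESS
        return None, ERROR_BINDING_FAILED
```

A second request for the same SID returns the existing EFS Current Key without re-enrolling, which is the property a policy-driven implementation should be tested for.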