Using credential roaming

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A growing number of organizations and users rely on certificates to secure critical transactions such as signing, encrypting, and decrypting e-mail and authenticating identity on wireless networks.

But many organizations require users to log onto and use more than one computer. Thus, a typical user of multiple computers who has been issued certificates for signing e-mail, encrypting and decrypting documents, and authentication might have separate sets of certificates and private keys on each computer.

Credential roaming enables using a single set of certificates and private keys on multiple computers in a manner that is extremely secure, easy to implement and manage, and transparent to the user.

Credential roaming only supports x.509 v3 certificates and RSA or DSA key pairs that are stored in the user’s credential store. Only credentials in the user’s MY and REQUEST stores are roamed. Credentials that use non-Microsoft cryptographic service providers (CSPs) or are located in other certificate stores are not supported.


  • Version 1 x.509 certificates are not stored in the user's credential store and cannot be used with credential roaming. The Microsoft Exchange Cryptographic Provider v1.0 does not use the default key container and cannot be used for credential roaming. In addition, keys stored on smart cards and within hardware security modules (HSMs) cannot be used with credential roaming.

Credential roaming is supported for clients running Windows Server 2003 with Service Pack 1 (SP1). Credential roaming is supported on domain controllers running Windows 2000 with SP3 or later or Windows Server 2003. Mixed environments containing domain controllers running Windows 2000 with SP3 or later and Windows Server 2003 are also supported. The forest functional level can be either Windows 2000 or Windows Server 2003.

  • An update was recently made available that enables credential roaming on clients running Windows XP Professional (SP2) and an update is available for Windows Server 2003 SP1.


  • For the best performance and security, it is recommended that the servers be upgraded to Windows Server 2003 SP1. For other best practices, see Credential roaming best practices.

See Also


Understanding credential roaming
Credential roaming schema changes
Credential roaming administrative template
Credential roaming best practices