Allowing for autoenrollment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use autoenrollment so that subjects automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without subject interaction. For certificate templates, the intended subjects must have Read, Enroll, and Autoenroll permissions before the subjects can enroll. To ensure that unintended subjects cannot request a certificate based on this template, you must identify those unintended subjects and explicitly configure the Deny permission for them. This acts as a safeguard, further ensuring that they cannot even present an unacceptable request to the certification authority. Note that Read permission does not allow enrollment or autoenrollment; it only allows the subject to view the certificate template.

Renewal of existing certificates requires only the Enroll permission for the requesting subject. Certificates obtained in any way, including autoenrollment and manual requests, can be renewed automatically. These types of renewals do not require Autoenroll permission, even if they are renewed automatically.
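As an added example that is not part of the original article, the following PowerShell script lists each access control entry on one certificate template and shows which principals hold Read, Enroll and Autoenroll, and which entries are explicit Deny. It assumes a domain-joined host with read access to the Configuration partition; `$TemplateName` is a placeholder for the template's CN (not its display name), and the Enroll/Autoenroll extended-right GUIDs are resolved from the Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the original article): audit Read/Enroll/Autoenroll
# permissions on one certificate template stored in Active Directory.
# Assumptions: domain-joined host, permission to read the Configuration
# partition, and $TemplateName is the template's CN (a placeholder here).
param([string]$TemplateName = 'User')

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates," +
                   "CN=Public Key Services,CN=Services,$configNC")

# Look up the Enroll / Autoenroll extended-right GUIDs from the schema
# instead of hard-coding them.
function Get-ExtendedRightGuid([string]$RightName) {
    $entry = [ADSI]"LDAP://CN=$RightName,CN=Extended-Rights,$configNC"
    return [guid]$entry.rightsGuid.Value
}
$enrollGuid     = Get-ExtendedRightGuid 'Certificate-Enrollment'
$autoEnrollGuid = Get-ExtendedRightGuid 'Certificate-AutoEnrollment'

$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# An ACE grants an extended right when it carries ExtendedRight (or GenericAll)
# and its ObjectType is that right's GUID or the empty GUID (all extended rights).
function Test-Right($Rule, [guid]$RightGuid) {
    $r = $Rule.ActiveDirectoryRights
    if ($r.HasFlag($adRights::GenericAll)) { return $true }
    return $r.HasFlag($adRights::ExtendedRight) -and
           ($Rule.ObjectType -eq $RightGuid -or $Rule.ObjectType -eq [guid]::Empty)
}

$report = foreach ($rule in $rules) {
    $r = $rule.ActiveDirectoryRights
    [pscustomobject]@{
        Identity   = $rule.IdentityReference.Value
        Type       = $rule.AccessControlType      # Allow or Deny
        Read       = $r.HasFlag($adRights::GenericRead) -or $r.HasFlag($adRights::GenericAll)  # Read as set by the templates console
        Enroll     = Test-Right $rule $enrollGuid
        Autoenroll = Test-Right $rule $autoEnrollGuid
    }
}
$report | Sort-Object Type, Identity | Format-Table -AutoSize

# Autoenrollment needs all three rights; Read alone is not enough, and an explicit
# Deny on Enroll or Autoenroll overrides any Allow for that principal.
$denied = ($report | Where-Object { $_.Type -eq 'Deny' -and ($_.Enroll -or $_.Autoenroll) }).Identity
$canAutoenroll = $report | Where-Object { $_.Type -eq 'Allow' -and $_.Read -and $_.Enroll -and $_.Autoenroll -and $denied -notcontains $_.Identity }
"Principals able to autoenroll: " + (($canAutoenroll.Identity | Sort-Object -Unique) -join ', ')
```

The script reports the ACEs as written on the template, not effective access for a given account; group nesting and inherited entries still have to be taken into account when deciding who can actually enroll.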

For more information, see Planning for autoenrollment deployment.