Credential Roaming

Applies To: Windows Server 2008

Credential roaming allows organizations to store certificates and private keys in Active Directory apart from application state or configuration information.

How credential roaming works

Credential roaming builds on the existing logon and certificate auto-enrollment mechanisms, and is configured through Group Policy in a domain whose servers run this version of Windows. These mechanisms make it possible to securely download a user's certificates and private keys to the local computer whenever the user logs on and, if desired, remove them when the user logs off. The integrity of these credentials is also maintained in situations such as certificate renewal and a user being logged on to more than one computer at a time.

The following steps describe how credential roaming works.

  1. A user logs on to a client computer that is connected to an Active Directory domain.

  2. As part of the logon process, credential roaming Group Policy is applied to the user’s computer.

  3. If this is the first time that credential roaming is being used, the certificates in the user's store on the client computer are copied to Active Directory.

  4. If the user already has certificates in Active Directory, the certificates in the user’s certificate store on the client computer are compared to the certificates stored for the user in Active Directory.

  5. If the certificates in the user's certificate store are current, then no further action is taken. However, if more recent certificates for the user are stored in Active Directory, then these credentials are copied to the client computer. If more recent certificates for the user are stored on the client computer, then these credentials are copied to Active Directory.

  6. If additional certificates are needed on the client, outstanding certificate auto-enrollment requests are processed.

Note

Newly issued certificates are stored in the certificate store on the client and replicated to Active Directory.

  7. Later, when the user logs on to another client computer connected to the domain, the same Group Policy is applied, and credentials are once again replicated from Active Directory. Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that the user logs on to, as well as in Active Directory.

Important

In multi-domain environments and in domains with multiple domain controllers, credentials may not be immediately available when a user logs on to the network through one domain controller shortly after being issued a certificate on a computer that authenticated the user against a different domain controller. The credentials become available only after replication has completed between the two domains or domain controllers.

  8. On subsequent logons, the certificates and keys in the local certificate and key stores are compared to the certificates and keys in Active Directory:

    • If the certificates and keys are current, no further action is taken.

    • If certificates and keys are not synchronized, they are synched.

    • If additional certificates or keys are needed, or if certificates and keys need to be renewed, auto-enrollment is used to contact the certification authority (CA), issuance and renewal take place, and the updated certificates and keys are replicated to Active Directory.

  9. When the user logs on to the other computer, the updated certificates and keys are replicated to the certificate and key stores on this computer as well.

  10. When the user's certificate expires, the old certificate is automatically archived in the client's profile and in Active Directory.

Credential roaming is triggered any time a private key or certificate in the user’s local certificate store changes, whenever the user locks or unlocks the computer, and whenever Group Policy is refreshed.

All certificate-related communication between components on the local computer, and between the local computer and Active Directory, is signed and encrypted. The roamed private keys themselves are stored in the user's Active Directory object in protected form using the Data Protection API (DPAPI), so that only that user can decrypt them once they are downloaded.