Archived from groups: microsoft.public.win2000.security
Brian,
The certificates show up in the Certificate services and are also viewable
from in the user's Personal Store.
I called Microsoft and had a lengthy troubleshooting session with them. This
was their response:
"There was a bug submitted on this issue and the development team is not
going to fix this for Windows 2000. This is however fixed in Windows
XP. I will be sending another email with the response from the
development team. The issue is that there is a bug in the autoenrollment
code causing it to pull a second certificate unnecessarily. Although 2000
clients cannot use autoenrollment to autoenroll for certificates the code
is still there and some certs are flagged as available for
autoenrollment. ACRS (Automated Certificate Request Settings) is used by
2000.
EFS has created an ACRS but Autoenrollment doesn't realize that a
certificate has been enrolled for already. This is what is causing the
second certificate to appear.
Thank you and look forward to hearing from you.
Then this response from the development team:
"The request that the certificate auto enrollment behavior for Windows
2000 be changed has been reviewed by senior Microsoft support
professionals, escalation engineers, developers, and managers. We
understand the impact this has to your business.
Microsoft assures that there is no loss in functionality on account of
the second certificate behavior. This behavior is present in Windows
2000 from day one. This behavior does not occur in XP or Server 2003
where the AE (auto enrollment) code has been rewritten. There are valid
usage scenarios on Win2000 today where customers benefit from the existing
behavior. To fix this issue in Win2K properly, without breaking any
existing customer scenarios or applications, we have to back port the new
code from WinXP which requires significant development and testing
resources. This would result in significant code change and creates a risk
of regressions to a very critical code path.
Given the details above, we regret that we are not able to make this
change. Please let us know if you have further questions.
--
RS
MCSE, MCP +I MCP
"Brian Komar" wrote:
> In article <13FC1DA3-FB08-4DEA-8384-D2DAF0D1DAF9@microsoft.com>,
> Rschraeger@discussions.microsoft.com says...
> > Paul,
> >
> > I appreciate your concern for my training but I believe that I have all the
> > training I need. I was only looking for clarification on a few items and for
> > some reason the Enterprise root CA slipped my mind a little.
> >
> > I think it is because I'm battling this problem with multiple certificates
> > being issued. At this time I can reproduce the problem on an enterprise CA
> > (yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
> > CAs should not be issuing certs to clients. Again, this is only testing.
> > Anyway, the clients receive multiple EFS certs from the CA. Looking at the
> > certificate requests, the client is requesting an EFS cert...which the CA
> > gives to the client, then the client requests another.
> >
> >
> >
> Where are you seeing the second certificate, in the Certification
> Authority console or in the User's Certificate console?
>
> I am wondering whether the certificates are issued to the same user
> profile, or to multiple computers.
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
>