How to set up auto enrollment?

General Information ID:    INFO154    Updated:    06/24/2015

Description

With the Symantec Unified Authentication Service, you can set up the system so that users are automatically enrolled for certificates when they log on, or you can have users enroll for certificates manually. Windows 2000 does not support auto enrollment for user certificates. Auto enrollment is only available for version 2 templates.

Unified Authentication Service MMC Snap-In

To run the Unified Authentication Service MMC snap-in:

  1. On the Start menu, click Run, type mmc, and then click OK. Microsoft Management Console opens with an empty console.
  2. On the Console Menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, select Symantec Unified Authentication Service and click OK.
  4. In the Select Provisioning Proxy dialog box, click Browse to find the Provisioning proxy. Use Check Names to make sure you have entered the name correctly. (Once you make your selection, the Select Provisioning Proxy dialog box will not come up again.)
  5. Click OK.
  6. Repeat these steps to add additional Unified Authentication Service snap-ins to an MMC on each provisioning proxy.

Create a Version 2 Template

To create a version 2 template, Symantec recommends duplicating an existing template similar to the one you want to create.

  1. Open the Unified Authentication Service MMC snap-in.
  2. Click All Available Templates.
  3. Right-click a version 2 template and choose Duplicate Template.
  4. Right-click the template and choose Properties.
  5. Use the General tab to display or set validity, renewal and publishing information. If you choose to Publish in Active Directory, select Do not automatically re-enroll if duplicate certificate exists in Active Directory to prevent multiple duplicate certificates from being issued.
  6. Use the Request Handling tab to define the certificate purpose, key size, export options, user prompts, and CSPs.
  7. Use the Subject Name tab to automate subject name information during the certificate request.
  8. Use the Extensions tab to define application policies, issuance policies, certificate subject types, and key usage attributes. Click Edit, add or remove application policies, and click OK.
  9. Use the Security tab to enable auto enrollment for groups or individuals. Add or remove groups as needed, then select each group or user in the Group or user names box and check Read, Enroll, and Autoenroll. If SYSTEM appears in the Group or user names box, remove it.
  10. Click OK.

User and Group Configuration in an Existing Template

  1. Open the Unified Authentication Service MMC snap-in.
  2. Click All Available Templates.
  3. In the right pane, select the certificate template to configure. (Only version 2 templates can use autoenroll.)
  4. Click the General tab. If you choose to Publish in Active Directory, select Do not automatically re-enroll if duplicate certificate exists in Active Directory to prevent multiple duplicate certificates from being issued.
  5. Click the Security tab to enable auto enrollment for groups or individuals. Add or remove groups as needed, then select each group or user in the Group or user names box and check Read, Enroll, and Autoenroll. If SYSTEM appears in the Group or user names box, remove it.
  6. Click OK.

Renewal Policies

Certificate renewals happen automatically if the auto-enrollment group policy is enabled and users auto-enroll for certificates. Renewal intervals are set on the certificate template's General tab.
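The two procedures above (template security and the publish/duplicate-check setting) and the renewal note both depend on settings that can be verified after the fact. The following PowerShell script is an added example, not part of the Symantec article or the Unified Authentication Service product; it audits one template as it is stored in Active Directory and the user's auto-enrollment policy on the local machine. It assumes the template is a standard Active Directory certificate template object (the cn is the template's display name without spaces by default), that the ActiveDirectory RSAT module is installed on a domain-joined Windows host, and that the group name in $ExpectedGroups is a placeholder you replace with your own. The Enroll and Autoenroll extended-right GUIDs and the msPKI-Enrollment-Flag bit values are the documented Windows values; the AEPolicy interpretation (0x8000 means disabled) is as I understand the policy key.

```powershell
# Added example (not from the Symantec article): audit a certificate template's
# auto-enrollment settings in AD plus the client-side auto-enrollment policy.
param(
    [Parameter(Mandatory)][string]$TemplateName,
    # Placeholder: replace with the group(s) you granted Read/Enroll/Autoenroll
    [string[]]$ExpectedGroups = @('EXAMPLE\Auto-Enroll Users')
)
Import-Module ActiveDirectory

# Well-known extended-right GUIDs behind the Enroll and Autoenroll checkboxes
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-a7c0-0000f80367c1'

# msPKI-Enrollment-Flag bits (MS-CRTD): "Publish in Active Directory" and
# "Do not automatically re-enroll if duplicate certificate exists in AD"
$CT_FLAG_PUBLISH_TO_DS                             = 0x08
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x10

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Template-Schema-Version','msPKI-Enrollment-Flag'
$findings = @()

# 1. Auto enrollment is only available for version 2 (or later) templates.
$schema = [int]$tpl.'msPKI-Template-Schema-Version'
if ($schema -lt 2) {
    $findings += "Schema version $schema - auto enrollment requires a version 2 template"
}

# 2. A template published to AD should also carry the duplicate-certificate check.
$flags = [int]$tpl.'msPKI-Enrollment-Flag'
if (($flags -band $CT_FLAG_PUBLISH_TO_DS) -and
    -not ($flags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE)) {
    $findings += "Publishes to AD but 'Do not automatically re-enroll if duplicate certificate exists' is not set"
}

# 3. Walk the template ACL: who holds Read, Enroll and Autoenroll, and is SYSTEM present?
$acl    = Get-Acl -Path "AD:\$dn"
$grants = @{}
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if (-not $grants.ContainsKey($who)) {
        $grants[$who] = @{ Read = $false; Enroll = $false; Autoenroll = $false }
    }
    # The Security tab's "Read" checkbox writes GenericRead; require the full set of bits
    if (($ace.ActiveDirectoryRights -band $genericRead) -eq $genericRead) { $grants[$who].Read = $true }
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        # An empty ObjectType GUID means "all extended rights", which includes both
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollRight)     { $grants[$who].Enroll     = $true }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollRight) { $grants[$who].Autoenroll = $true }
    }
}
if ($grants.ContainsKey('NT AUTHORITY\SYSTEM')) {
    $findings += "SYSTEM is listed in the template ACL; the procedure says to remove it"
}
foreach ($g in $ExpectedGroups) {
    $p = $grants[$g]
    if (-not $p -or -not ($p.Read -and $p.Enroll -and $p.Autoenroll)) {
        $findings += "$g does not hold Read + Enroll + Autoenroll on the template"
    }
}

# 4. Client side: renewals only run automatically when the user auto-enrollment
#    group policy is enabled. AEPolicy absent or with 0x8000 set means disabled.
$aePath   = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or ($aePolicy -band 0x8000)) {
    $findings += "User auto-enrollment policy is not enabled (AEPolicy=$aePolicy); renewals will not run automatically"
}

if ($findings.Count -eq 0) { "Template '$TemplateName': no findings" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as the user you expect to auto-enroll (the AEPolicy check reads HKCU), for example `.\Audit-Template.ps1 -TemplateName MyUserTemplate -ExpectedGroups 'EXAMPLE\Auto-Enroll Users'`. Each FINDING line maps back to one step of the procedures above, so a clean run is a reasonable sign that the template and policy are set as described.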

Revoke a Certificate

A certificate must be revoked upon a subscriber's request and under certain conditions as specified in the Symantec CPS.

  1. Open the Active Directory Users and Computers snap-in.
  2. Expand the Users node in the console tree pane.
  3. Double-click on the name of the user who owns the certificate you want to revoke.
  4. In the Properties window, click the Symantec Credentials tab.
  5. When the Select a Provisioning Proxy dialog box appears, click Browse to find the Provisioning proxy, and then click Finish.

If you have Certificate Management permission for the CA that issued the certificate, you can select a certificate and click Revoke Certificate.
