Credential roaming, a new feature in Windows Server 2003 Service Pack 1 (SP1), enables Windows domain users to access their public key infrastructure (PKI) private keys and certificates from any workstation they log on to in the Windows domain. Their credentials can roam with them thanks to the Digital Identity Management Service (DIMS), which stores a secured copy of a user's PKI credentials in the user's Active Directory (AD) object and keeps them in sync with the local PKI credentials stored in the user's certificate and private key store on the workstation.
This article explains how DIMS credential roaming works, how it compares with other Microsoft PKI credential roaming solutions, how to configure it, and how to use it to best advantage in Windows domain environments.
Credential Roaming, Roaming Profiles, and Smart Cards
An important characteristic of DIMS and credential roaming is that they enable Windows domain users to have access to their PKI credentials from any domain machine without the overhead of configuring, using, and maintaining roaming user profiles or smart cards.
Roaming user profiles include not only a user's private keys and certificates but also his or her desktop data, application settings, My Documents data, Microsoft Internet Explorer (IE) cache, and so on. That's why they negatively impact user logon time, bandwidth usage, and server-side storage.
Smart cards offer a more secure private key and certificate roaming solution than credential roaming but bring significant deployment and maintenance costs and require disciplined and security-aware users. The same is true for Trusted Platform Modules (TPMs), which are special security chips that are part of a PC's motherboard and that offer smart card-like functionality. Table 1 compares the features of credential roaming, roaming profiles, and smart cards for dealing with PKI credentials in a Windows environment.
On the downside, setting up credential roaming is slightly more challenging than setting up roaming profiles or smart cards in a Windows environment, as you'll see in a moment. An even greater problem is that Windows client OSs currently don't support DIMS, although Microsoft says Windows Vista will.
An example that clearly shows the benefits of credential roaming is the use of the Encrypting File System (EFS) in a domain environment by users who don't have roaming profiles configured. With credential roaming, users have one EFS certificate and private key available on all domain workstations they log on to. Without credential roaming or roaming profiles, EFS would generate a new user certificate and private key the first time a user used EFS on a different machine.
Credential Roaming Operation
Credential roaming is currently supported only on Windows 2003 SP1. As I mentioned above, Microsoft is planning to add DIMS support in its next client OS, Windows Vista. On the server side, credential roaming works with an AD that includes the credential roaming schema extensions and that runs on a Windows 2000 SP3 or Windows 2003 or later platform.
Credential roaming currently supports roaming only for X.509 certificates and Digital Signature Algorithm (DSA) or RSA key pairs that use the built-in Windows Cryptographic Service Providers (CSPs).
Because credential roaming stores a complete copy of a user's PKI credentials in AD, users will automatically receive the complete PKI credential set the first time they log on to the domain after a hardware or software failure has occurred on their workstation. Even though credential roaming provides a recovery mechanism to protect users from losing all their private keys and certificates, it doesn't protect against accidental user deletion of individual private keys. The Windows 2003 PKI includes a special service that's integrated with the Certification Authority (CA) to provide backup and recovery services for individual private keys. When a user deletes a private key in his or her local store from the Microsoft Management Console (MMC) Certificates snap-in, credential roaming will also reflect this deletion in the user's AD object.
Here's the sequence of events that takes place when credential roaming kicks in during a user logon from a domain-joined workstation:
1. As part of the logon process, Group Policy Object (GPO) settings, including credential roaming settings that have been enabled in the GPO user configuration, are applied.
2. The client-side dimsntfy.dll compares the certificates and private keys stored in the user's local store to those stored in the user's AD object. If there are content differences, dimsroam.dll updates the local or AD store accordingly:
- If the user's local store contains certificates and private keys and the user's AD object doesn't, the certificates and private keys are copied to AD. This occurs when credential roaming is used for the first time.
- If the user's AD object contains certificates and private keys and the local store doesn't, the certificates and private keys are copied to the local store. This occurs when credential roaming is enabled and the user logs on to another workstation.
- If both the local store and the AD user object contain certificates and private keys and the ones in AD are more up-to-date, the AD-based certificates and private keys are copied to the local store. If the ones in the local store are more up-to-date, the local certificates and private keys are copied to the AD store. If the content of both stores is identical, no further DIMS action is taken.
- The updating of PKI credentials in a user's AD object also applies to deleted certificates and private keys. If a user deleted a private key in his or her local store, credential roaming will also delete the key in the user's AD object.
3. The certificate autoenrollment process (pautoenroll.dll) automatically enrolls the user for the certificates configured in the GPO and for certificate template settings. When the user is successfully enrolled for the certificate, DIMS kicks in again to synchronize the new certificate in the local store with the AD-based DIMS store.
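The reconciliation rules in step 2, together with the deletion behavior noted earlier, can be modeled in a few lines. The following Python script is an added illustration written for this article, not Microsoft's dimsroam.dll logic: each store maps a certificate thumbprint to the time the credential was last modified, and the local store also keeps a list of tombstones for keys the user deleted through the MMC snap-in. The tombstone list is my assumption, since the article doesn't describe how DIMS tells a locally deleted key apart from one that has simply never been synchronized; the thumbprints and timestamps are constructed sample data.

```python
"""Model of the DIMS local-store / AD-object reconciliation rules.

Illustrative model for this article, not Microsoft's dimsroam.dll code.
Each store is a dict: thumbprint -> last-modified datetime (UTC).
The local store additionally carries tombstones (an assumption made here)
so a user's local deletion can be told apart from a never-synced key.
"""
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    COPY_TO_AD = "copy local credential to the user's AD object"
    COPY_TO_LOCAL = "copy AD credential to the local store"
    DELETE_FROM_AD = "remove credential from AD (user deleted it locally)"
    NOOP = "stores identical, no DIMS action"


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def reconcile(local, ad, local_tombstones=frozenset()):
    """Return {thumbprint: Action} by applying the four rules of step 2."""
    actions = {}
    for tp in sorted(set(local) | set(ad) | set(local_tombstones)):
        in_local, in_ad = tp in local, tp in ad
        if tp in local_tombstones:
            # Rule 4: a deletion in the local store is mirrored to AD.
            actions[tp] = Action.DELETE_FROM_AD if in_ad else Action.NOOP
        elif in_local and not in_ad:
            actions[tp] = Action.COPY_TO_AD      # Rule 1: first use of roaming
        elif in_ad and not in_local:
            actions[tp] = Action.COPY_TO_LOCAL   # Rule 2: logon on another workstation
        elif ad[tp] > local[tp]:
            actions[tp] = Action.COPY_TO_LOCAL   # Rule 3: AD copy is more up-to-date
        elif local[tp] > ad[tp]:
            actions[tp] = Action.COPY_TO_AD      # Rule 3: local copy is more up-to-date
        else:
            actions[tp] = Action.NOOP            # identical content
    return actions


def synchronize(local, ad, local_tombstones=frozenset()):
    """Apply reconcile()'s decisions; return the updated (local, ad) stores."""
    local, ad = dict(local), dict(ad)
    for tp, action in reconcile(local, ad, local_tombstones).items():
        if action is Action.COPY_TO_AD:
            ad[tp] = local[tp]
        elif action is Action.COPY_TO_LOCAL:
            local[tp] = ad[tp]
        elif action is Action.DELETE_FROM_AD:
            del ad[tp]
    return local, ad


# Constructed sample data: placeholder thumbprints, not real certificates.
LOCAL = {
    "EFS-A1": utc(2005, 6, 1),    # local only: first logon with roaming enabled
    "SIG-B2": utc(2005, 6, 10),   # in both stores, renewed locally after last sync
    "ENC-C3": utc(2005, 5, 1),    # in both stores, AD copy is newer
    "AUTH-D4": utc(2005, 4, 1),   # in both stores, identical
}
AD = {
    "SIG-B2": utc(2005, 5, 1),
    "ENC-C3": utc(2005, 5, 20),
    "AUTH-D4": utc(2005, 4, 1),
    "VPN-E5": utc(2005, 3, 1),    # AD only: user is on a workstation it never used
    "OLD-F6": utc(2005, 1, 1),    # user deleted this key locally via the MMC snap-in
}
TOMBSTONES = frozenset({"OLD-F6"})

if __name__ == "__main__":
    for tp, action in reconcile(LOCAL, AD, TOMBSTONES).items():
        print(f"{tp:8} {action.value}")
    new_local, new_ad = synchronize(LOCAL, AD, TOMBSTONES)
    print("stores identical after sync:", new_local == new_ad)
```

Running the script prints one decision per thumbprint and confirms that, after one pass, both stores hold the same five credentials and a second pass yields only no-ops. Note that the model treats a local deletion as authoritative, which is exactly why the article's warning matters: credential roaming restores a lost store, but it faithfully propagates a user's accidental deletion rather than protecting against it.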