Hello,
I understand how credential roaming works. In spite of everything, I still have several questions.
I have made some tests to implement credential roaming. My certificates are made for use with S/MIME.
When a user voluntarily removes his certificates, the user's credentials are tombstoned (60 days) in the Active Directory. After 60 days, they are totally deleted from AD. But is there a way to recover them from AD anyway before the 60 days? Apart from the KRA (key recovery agent) on the PKI, are there no other solutions?
Secondly, for expired certificates: the certificates and keys no longer appear in the local store of the user but are still pushed down into the profile at this location: %USERPROFILE%\AppData\Roaming\Microsoft\Crypto\Keys. However, if these certificates are removed from this folder, it's impossible to decrypt messages that were encrypted with an expired certificate.
And finally, the third question: the number of credentials per authorized user is limited (2000 by default). However, how to manage it over the long term? Although the value seems high, it is only intended to increase over the years, knowing that every 90 days a new DPAPI key is assigned to the user. So, what happens when the limit is reached? Does credential roaming stop, and is there no alternative but to increase this limit?
Thanks for reading this!
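As an added example that is not part of the original post: a PowerShell check, from the administrator's side, of how close a user is to the roamed-credential limit discussed above, both in AD and in the profile folder the post names. It assumes the RSAT ActiveDirectory module is installed and relies on the msPKIAccountCredentials, msPKIDPAPIMasterKeys and msPKI-RoamingTimeStamp user attributes that hold the roamed objects; the warning threshold ($WarnAt) is an arbitrary choice.

```powershell
# Added example (not from the original post): report how many roamed objects a user has in AD
# against the 2000 default limit quoted in the post, and count DPAPI key files in the profile.
# Assumptions: RSAT ActiveDirectory module present; msPKIAccountCredentials and
# msPKIDPAPIMasterKeys are the multi-valued attributes holding roamed blobs; $WarnAt is arbitrary.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Limit  = 2000,   # default limit mentioned in the post
    [int]$WarnAt = 1600    # arbitrary early-warning threshold
)
Import-Module ActiveDirectory

$props = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys', 'msPKI-RoamingTimeStamp'
$user  = Get-ADUser -Identity $SamAccountName -Properties $props

# Each value of these multi-valued (DN-Binary) attributes is one roamed object.
$creds   = @($user.msPKIAccountCredentials).Count
$masters = @($user.msPKIDPAPIMasterKeys).Count
$total   = $creds + $masters

[pscustomobject]@{
    User               = $SamAccountName
    AccountCredentials = $creds
    DPAPIMasterKeys    = $masters
    TotalRoamedObjects = $total
    PercentOfLimit     = [math]::Round(100 * $total / $Limit, 1)
    LastRoamingSync    = $user.'msPKI-RoamingTimeStamp'
}

if ($total -ge $WarnAt) {
    Write-Warning "$SamAccountName has $total roamed objects (limit $Limit); review stale keys before roaming stops."
}

# Local view, run in the user's own session on a workstation: count the DPAPI key files in the
# profile folder the post names, so the client side can be compared with the AD count.
$keysDir = Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\Crypto\Keys'
if (Test-Path $keysDir) {
    $local = Get-ChildItem -Path $keysDir -File -Force
    "Local DPAPI key files in ${keysDir}: $($local.Count)"
    # Files not written for longer than the 90-day DPAPI key rotation the post mentions
    # are the ones to review when deciding what may be cleaned up.
    $local | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-90) } |
        Sort-Object LastWriteTime | Select-Object Name, LastWriteTime
}
```

Run the AD part from a management host with RSAT and the local part in the user's session; the two counts together show whether the per-user total is drifting toward the limit.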