I've been responsible for setting up a PKI using Certificate Services to be used for Wireless Authentication. I've created I guess what you'd call a "stock standard" two-tier hierarchy based on Windows Server 2008 R2. I have a Standalone Root CA, which has issued a Root Certificate to an Enterprise Subordinate CA (the issuing CA) - this second server is Enterprise Edition.
I've duplicated both the Computer and User templates (using Server 2003 Enterprise Templates) and for the respective certificates I have enabled READ, ENROLL and AUTOENROLL permissions for the Domain Computers and Domain Users groups. I've enabled these two templates for issuing and removed all others (not completely, just from issuing). I've then created a GPO which is ONLY enabling the Autoenrollment of the certificate (one GPO for computer, one for user). These are only linked to test OUs with one computer and two users.
The computer I am testing on is a Windows XP SP3 computer in the domain (same domain as the CAs). The computer certificate I created has correctly issued a single certificate to this PC (and re-issued another certificate after testing revocation). All happy with this.
BUT - the user account I have been using to test seems to be generating multiple certificates for a single user. I believe some of this has happened because I've used this user to log into machines that the computer certificate GPO is not applied to (so another computer cert, but not another computer cert). But 2 certificates were issued in the middle of the night when I was not around. When NO ONE was around.
So, I want to ask two things:
1. Is it OK for the CA to show multiple user certificates for the same user based on it having actually logged into multiple machines (certificate template says to store in AD)?
2. Is there any way to tell where the request for these user certificates came from? i.e. maybe someone has used the account for some service or something like that.
I hope this is somewhat clear. Certificate Services installation is not something that you do very often, so I've not really had a lot of experience with it (yet!!). Hoping someone might have some ideas.
Thanks
Matthew
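One way to answer question 2 from the issuing CA itself, as an added PowerShell example (not part of the original post): it pulls the CA database rows recorded for one requester, counts them per submitting client, and then checks the CA audit events for the same account. `DOMAIN\matthew` and the two-day look-back are assumed placeholders; the audit part only returns rows if CA auditing (Audit Certification Services plus the CA AuditFilter) was already on when the requests arrived.

```powershell
# Added example, not code from the original post. Run on the Enterprise Subordinate (issuing) CA.
# DOMAIN\matthew is a placeholder for the test account; $lookback is an assumed window.
$requester = 'DOMAIN\matthew'
$lookback  = (Get-Date).AddDays(-2)
$since     = $lookback.ToString('MM/dd/yyyy HH:mm')   # date in the CA's own locale format

# 1. Every request the CA database holds for this account in the window, with the raw request
#    attributes. Autoenrollment clients stamp the submitting computer into those attributes
#    (a "ccm:<hostname>" line), which is what separates "the same user logged on to another PC"
#    from "something else used this account to request a certificate".
certutil -view -restrict "RequesterName=$requester,Request.SubmittedWhen>=$since" `
    -out "RequestID,RequesterName,Request.SubmittedWhen,CertificateTemplate,Request.RequestAttributes"

# 2. Summarise the same rows by submitting client: one line per machine with how many
#    requests came from it. A host that is not one of the test OU machines is the thing
#    to look at (a service, a scheduled task or an interactive logon there).
$rows = certutil -view -restrict "RequesterName=$requester" -out "RequestID,Request.RequestAttributes"
$rows |
    Where-Object  { $_ -match 'ccm:\s*(\S+)' } |
    ForEach-Object { $Matches[1] } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 3. Security log: 4886 = request received, 4887 = request approved and certificate issued.
#    Each event names the requester and carries the request attributes, so a request that
#    arrived overnight shows exactly when it came in and from which client.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887; StartTime = $lookback } |
    Where-Object { $_.Message -match [regex]::Escape($requester) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..6] -join ' ' } } |
    Format-List
```

Compare the `ccm:` hosts and 4886 timestamps against the machines the user actually logged on to; a request from a host outside the test OUs, or at a time with no interactive logon, is what question 2 is asking about.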