Credential roaming: is it worth the hassle? (Part 1)

Credential roaming is the ability of a Windows Server PKI infrastructure to support roaming certificates from a Windows computer to another Windows computer, according to where a user is logged on. The way it works is as follows: when a user requests a certificate, its local operating system generates a private and public key and, using a secure channel between the computer and the CA, it uploads the private key and the signed request to the CA. The private key is securely stored in Active Directory and can later be downloaded to any PC that a domain user logs on to.

All this is fine and dandy and, based on specs, it is the perfect solution for users that tend to use a multitude of computers for their business use. However, setting up the infrastructure to support it is not as easy as one would have thought. In this post, we will take a look at some of the disadvantages and difficulties of credential roaming. In the post to follow, we will make some more general observations as well as offer some alternatives to credential roaming. So, to cut a long story short, credential roaming:

  • Demands a complicate (but not very time-consuming) procedure of installation and use, as well as many scenarios to be tested to make sure it works as expected.
  • Extends the physical size of the Active Directory database, according to the issued certificates to be roamed. If the service is extended to a few hundred or thousands of certificates, we may have an AD database which will grow to a few hundred MBs larger. Accordingly, the AD backup/restore time will be bigger, the AD database will become more fragmented etc. Microsoft Support has been involved in many support cases where a sudden increase of the Active Directory database has been attributed to the activation of credential roaming.
  • Demands Windows XP SP3 or Windows XP SP2 with a specific update, Windows Vista , 7 or 8. It does not support other operating systems (for example, mobile OSs).
  • Needs difficult and time-consuming troubleshooting techniques for Windows XP (Vista/7 use CAPI2 logging, so it’s easier there).
  • Increases the organization’s attack vector. In case we don’t use enhanced security measures at the PCs that will use private key actions (i.e., lock workstation, Bitlocker protection, users’ security training etc.), using multiple points where certificates are accessible and used, we multiply the possibility of someone extracting the private key(s).
  • Poses problems in network EFS encryption. Under normal circumstances, credential roaming does not work as expected, due to the nature of the logon that it supports (credential roaming: local logon, network shares: network logon). The specific limitation is described in KB907247 (in Credential roaming will not be used when using EFS to encrypt files on a file server). EFS (and EFS using credential roaming) has not been designed to work with network shares, but only for local encryption. Some workarounds exist, such as using Roaming profiles instead of credential roaming (KB837359), use Offline Files and local encryption of the cache, use of web folders (in Remote EFS Operations on File Shares and Web Folders).