Credential roaming: is it worth the hassle? (Part 2)

In this second part of our discussion on Credential Roaming, we look at its relation to Key Archival and offer some practical alternatives for credential portability.

As we saw in the previous blog post, the capability of “transporting” private keys through Active Directory is one of the basic pillars of the process’s ability to roam credentials. However, this should in no way be seen as a way of backing them up for future restores. The procedure that should be used for key backup is the Windows PKI process of Key Archival, and credential roaming’s private key “upload” is no replacement for it. In fact, even though the private keys do reside inside the AD database (as encrypted blobs on the user object), there is no supported way of extracting them from there for disaster recovery purposes. Moreover, if the user deletes a certificate along with its private key from one of his profiles, that deletion propagates to every other profile the certificate has roamed to, so roaming can just as easily spread a loss as it spreads a key.
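The following PowerShell script is an added example and not code from the original post. It shows the distinction the paragraph draws in practice: it first checks that a certificate template actually requires key archival (the CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL bit, 0x1, of msPKI-Private-Key-Flag), then lists the users whose roamed credential blobs sit in AD (msPKIAccountCredentials), and finally recovers a key the supported way, from the CA database with certutil -getkey and -recoverkey. The template name, CA configuration string and serial number are hypothetical parameters; running it assumes the RSAT ActiveDirectory module, Certificate Manager rights on the CA, and the KRA certificate with its private key available to the account running the -recoverkey step.

```powershell
<#
  Added example (not from the original post). Assumes: RSAT ActiveDirectory
  module, Certificate Manager rights on the CA, and a KRA certificate plus
  private key available to the caller for the -recoverkey step.
  All names below (template, CA config string, serial) are hypothetical.
#>
param(
    [string]$TemplateName = 'CorpUserEncryption',                 # hypothetical template
    [string]$CaConfig     = 'ca01.corp.example\Corp Issuing CA',  # hypothetical CA
    [string]$SerialNumber = '',                                   # cert whose key to recover
    [string]$OutDir       = (Join-Path $env:TEMP 'keyrecovery')
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. Key archival only happens for templates that require it (MS-CRTD
#    msPKI-Private-Key-Flag, bit 0x1). If the bit is clear, the CA never stored
#    the key and there is nothing to recover.
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = Get-ADObject -LDAPFilter "(cn=$TemplateName)" -SearchBase $templateBase `
                         -Properties 'msPKI-Private-Key-Flag'
if (-not $template) { throw "Template '$TemplateName' not found under $templateBase" }

$flags = [int]$template.'msPKI-Private-Key-Flag'
if (($flags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -eq 0) {
    throw ("Template '{0}' does not require key archival (flags 0x{1:X})" -f $TemplateName, $flags)
}
Write-Host "Template '$TemplateName' archives private keys on the CA."

# 2. Inventory of users whose keys roam through AD. msPKIAccountCredentials
#    holds DPAPI-protected blobs: useful for knowing who depends on roaming,
#    useless as a backup source.
$roamers = Get-ADUser -LDAPFilter '(msPKIAccountCredentials=*)' `
                      -Properties msPKIAccountCredentials |
           Select-Object SamAccountName,
                         @{ n = 'RoamedBlobs'; e = { @($_.msPKIAccountCredentials).Count } }
Write-Host ("{0} user(s) currently have roamed credential blobs in AD." -f @($roamers).Count)
$roamers | Format-Table -AutoSize

# 3. The supported restore path: pull the KRA-encrypted blob from the CA
#    database, then decrypt it with the KRA private key into a PFX.
if ($SerialNumber) {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $blobFile = Join-Path $OutDir "$SerialNumber.bin"
    $pfxFile  = Join-Path $OutDir "$SerialNumber.pfx"

    & certutil.exe -config $CaConfig -getkey $SerialNumber $blobFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

    # Without -p, certutil prompts for the password that protects the PFX;
    # prompting is deliberate so the password never lands in shell history.
    & certutil.exe -recoverkey $blobFile $pfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }

    Write-Host "Recovered key written to $pfxFile; import it with certutil -importpfx or the Certificates MMC."
}
```

Run it without -SerialNumber to only audit the template flag and the roaming inventory; pass the serial number of the certificate whose key must be restored to carry out the recovery. Step 3 depends entirely on the key having been archived at enrollment time, which is exactly why step 1 comes first.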

As already mentioned in the previous blog post, a quick workaround for credential roaming is the use of roaming user profiles, which (of course) involves considerably more administrative cost and change than enabling credential roaming in PKI. Note also that the concurrent use of roaming user profiles and credential roaming is not supported.

Another workaround (although not as automated as Credential Roaming) is the storage of certificates and private keys on a smart card. This solution does make the user’s credentials available on every PC he logs on to; however, it assumes smart card hardware is available (this can also be a USB-based token) and that a smart card infrastructure is planned or already in place, which does come with high deployment and administrative costs. On the other hand, a carefully planned and executed smart card deployment can also be used for other applications, such as VPN remote access, local computer and RDP user logon, and so on. In general, and independently of the fact that a smart card deployment is a good alternative to credential roaming, the use of smart cards is recommended in all medium- and high-security PKI deployments, as many security officers are not happy with the storage of private keys inside an operating system (or inside non-dedicated devices in general).