Credential roaming allows organizations to store certificates and private keys in Active Directory Domain Services (AD DS) separately from application state or configuration information.

How credential roaming works

Credential roaming uses existing logon and autoenrollment mechanisms to securely download certificates and keys to a local computer whenever a user logs on and, if desired, remove them when the user logs off. In addition, the integrity of these credentials is maintained under any conditions, such as when certificates are updated and when users log on to more than one computer at a time.

The following steps describe how digital credential roaming works.

  1. A user logs on to a client computer that is connected to an Active Directory domain.

  2. As part of the logon process, credential roaming Group Policy is applied to the user's computer.

  3. If this is the first time that credential roaming is being used, the certificates in the user's store on the client computer are copied to AD DS.

  4. If the user already has certificates in AD DS, the certificates in the user's certificate store on the client computer are compared to the certificates stored for the user in AD DS.

  5. If the certificates in the user's certificate store are current, then no further action is taken. However, if more recent certificates for the user are stored in AD DS, then these credentials are copied to the client computer. If more recent certificates for the user are stored on the client computer, then these credentials are copied to AD DS.

  6. If additional certificates are needed on the client computer, outstanding certificate autoenrollment requests are processed.

    Note

    Newly issued certificates are stored in the certificate store on the client computer and replicated to AD DS.

  7. When the user logs on to another client computer connected to the domain, the same Group Policy setting is applied, and credentials are once again replicated from AD DS. Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that the user logs on to, as well as in AD DS.

    Important

    In multi-domain environments and domains with multiple domain controllers, credentials may not be immediately available when a user logs on to the network by using one domain controller shortly after being issued a certificate on a computer that validates the user's identity against a different domain controller. The credentials will only become available after replication has been completed between the two domains or domain controllers.

  8. When the user's certificate expires, the old certificate is automatically archived in the user's profile on the computer and in AD DS.

Credential roaming is triggered any time a private key or certificate in the user's local certificate store changes, whenever the user locks or unlocks the computer, and whenever Group Policy is refreshed.

All certificate-related communication between components on the local computer and between the local computer and AD DS is signed and encrypted.