Microsoft KB Archive/907247

= Description of the Credential Roaming service update for Windows Server 2003 and for Windows XP =

Article ID: 907247

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional

INTRODUCTION
This article describes a Microsoft Windows Server 2003 post-Service Pack 1 (SP1) update to the Credential Roaming service. The Credential Roaming service was formerly named the Digital Identity Management service (DIMS). This update includes changes to the Credential Roaming service that have been made for Microsoft Windows Vista. This update also applies to Microsoft Windows XP Service Pack 2 (SP2).



Windows Server 2003 service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Prerequisites
Windows Server 2003 SP1

Restart requirement
You must restart the computer after you apply this update.

File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows XP update information
A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Windows XP service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
Windows XP SP2

Restart requirement
You must restart the computer after you apply this update.

File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.



MORE INFORMATION
This section describes the changes that have been made to the Credential Roaming service.

Credential roaming does not delete certificates that cannot be validated
Windows Vista includes support for credential roaming and for new cryptographic algorithms that are not supported in earlier versions of Windows. Because of this combination of features, a user may autoenroll for a certificate in Windows Vista and then the user may log on to an earlier version of Windows that cannot parse the certificate. In Windows Server 2003 SP1, credential roaming deletes a credential from the Active Directory directory service user store if the digital certificate cannot be validated.

This update prevents credential roaming from deleting the certificate from the Active Directory user store in Windows XP or in Windows Server 2003. If certificate validation fails during the autoenrollment process, credential roaming verifies that the certificate has not expired. If the certificate has expired, it is deleted from Active Directory together with the associated private key. If the certificate has not expired, no action is taken.

Credential roaming will ignore read-only domain controllers
A read-only domain controller (RODC) is a new feature that is planned for Microsoft Windows Server Code Name "Longhorn." An RODC can be deployed in a branch office environment where users may require authentication services but are not expected to change objects that are stored in Active Directory.

Credential roaming requires that the user's credential store be synchronized with Active Directory during various user-initiated actions, such as logon, workstation lock, and workstation unlock. Because these synchronizations write to the directory, credential roaming will ignore RODCs. The Credential Roaming service will always look for a writeable domain controller, even if the service must go across a wide area network (WAN) link.

Conflict resolution logic has been simplified
In Windows Server 2003 SP1, credential roaming offers several policies that enable the administrator to dictate what types of certificates and keys can roam with a particular user. These policies could introduce conflicts if a user imports the same certificate and the same private key on two different workstations and if the workstations have different settings for the certificate and for the private key. For example, a problem can occur if the certificate and the private key are exportable on one workstation and not on the other workstation. A problem may also occur if the certificate and the private key have strong private key protection on one workstation but not on the other workstation.

To resolve this issue, conflict resolution has been changed in this update so that the data in Active Directory is updated with what was last written to the object. For example, if two different workstations update the object in Active Directory, the second update overwrites the first update.

Windows XP SP2 and Windows Server 2003 SP1 support
A version of this update is available for Windows XP Service Pack 2 (SP2). If you install this update in Windows XP, users can use roaming certificates and roaming keys on multiple Windows XP SP2-based computers. If you expect users to use certificates and keys on Windows Server 2003 SP1-based computers and on Windows XP SP2-based computers, we strongly recommend that you also deploy this update on the Windows Server 2003 SP1-based computers. This step makes sure that the same credential roaming functionality is deployed enterprise-wide.

Note For information about how to configure and deploy credential roaming, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/Library/2205530f-fa9a-4f2c-a0f0-5bea36dc57471033.mspx?mfr=true

Keywords: kbbug kbfix kbqfe kbpubtypekc kbwinxppresp3fix kbhotfixserver kbwinserv2003presp2fix kbwinserv2003sp2fix KB907247


© Microsoft Corporation. All rights reserved.