Hi!
Has anybody solved the problem with GC replication latency and certificate autoenrollment in combination with the new SAN extension?
Consider the following scenario:
a) you have a complex AD forest structure with multiple subdomains and GCs located in all domains.
b) your Enterprise CA is located in the root domain, so it uses GCs from this domain to get the information needed for certificate issuance.
c) you have configured certificate autoenrollment via GPO (or another method) for your domain-joined workstations.
d) you install your workstations (joined to several subdomains of your forest) with a temporary name and rename them in a final deployment step.
The reboot after renaming the computer triggers a new certificate auto-enrollment request.
If this is a new workstation name, the CA will issue a cert once it can resolve the computer via its GC queries. Here you only have a certain delay until you receive a valid and matching cert on your workstation.
If the computer name was already in use previously, the old computer object in AD must be deleted before you can rename the computer to its final name.
If you delete the object in the subdomain and rename the computer just a few seconds later (which is very likely in automated deployments), the new cert requests will be successful immediately - BUT - the cert will have a SID from the previous computer object in its SAN attribute, because the new AD information is not yet replicated back to the GCs in the root domain!
Now you have only a "partly valid" cert on your workstation!
Once you enforce stronger cert validation methods, your device account will no longer be validated successfully!
E.g. during 802.1X certificate-based authentication the device will no longer be authenticated and network access is denied!
Franz
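The post above describes a certificate that looks fine but carries the SID of the deleted computer object. The following PowerShell is an added example (not code from Franz or from the original thread) that detects exactly that condition on the workstation: it pulls the SID out of the machine certificate's SID extension (OID 1.3.6.1.4.1.311.25.2, the extension introduced with KB5014754 for strong certificate mapping) and compares it with the SID of the computer account as the workstation's own domain currently resolves it. Assumed, because the post does not state them: the cert lives in Cert:\LocalMachine\My, the script runs elevated on the already renamed, domain-joined workstation, and the helper names (Get-CertificateSid, Get-ExpectedComputerSid, Test-MachineCertificateSid) are my own.

```powershell
# Added example, not from the original post.
# Checks whether the SID embedded in the machine certificate still matches the
# SID of the computer account in the workstation's own domain.
# Assumptions (not in the post): cert in Cert:\LocalMachine\My, run elevated,
# hostname already set to its final name.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT (KB5014754)

function Get-CertificateSid {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
    if (-not $ext) { return $null }
    # The SID is stored as a printable string inside the DER-encoded extension;
    # a regex over the ASCII decoding avoids hand-parsing the ASN.1 wrapper.
    $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($text -match 'S-1-5-21(-\d+)+') { return $Matches[0] }
    return $null
}

function Get-ExpectedComputerSid {
    # Resolve DOMAIN\COMPUTER$ through the workstation's own (sub)domain, i.e.
    # the domain where the old object was deleted and the new one created.
    $domain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $account = New-Object System.Security.Principal.NTAccount($domain, "$env:COMPUTERNAME`$")
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-MachineCertificateSid {
    $expected = Get-ExpectedComputerSid
    $results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $certSid = Get-CertificateSid -Certificate $cert
        if ($null -eq $certSid) { continue }   # no SID extension: not issued with the new extension
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            CertSid     = $certSid
            ExpectedSid = $expected
            SidMatches  = ($certSid -eq $expected)
        }
    }
    return $results
}

$report = Test-MachineCertificateSid
$report | Format-Table -AutoSize

foreach ($stale in ($report | Where-Object { -not $_.SidMatches })) {
    $msg = 'Certificate {0} carries SID {1} but the computer account is {2}; strong (SID-based) mapping, e.g. for 802.1X, will reject it.' -f `
        $stale.Thumbprint, $stale.CertSid, $stale.ExpectedSid
    Write-Warning $msg
    # Recovery, once the root-domain GCs have converged: drop the stale cert
    # and let autoenrollment request a fresh one.
    # Remove-Item "Cert:\LocalMachine\My\$($stale.Thumbprint)"
    # certutil -pulse
}
```

Run it as the last step of the deployment, after the rename and reboot. A mismatch means the CA built the certificate from a GC that still held the deleted object. Note that the expected SID is resolved against the workstation's own domain, so if that domain itself has not converged yet the comparison can still be fooled; in that case re-run the check after replication has caught up before trusting the result.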