Understanding credential roaming

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Credential roaming, enabled allows organizations to store certificates and private keys in Active Directory apart from application state or configuration information.

How credential roaming works

Credential roaming uses existing logon, Group Policy, and auto-enrollment mechanisms. These mechanisms make it possible to safely and securely download certificates and keys to a local computer whenever a user logs on and, if desired, remove them when the user logs off. In addition, the integrity of these credentials is maintained under any conditions, such as when certificates are updated and when users log onto more than one computer at a time.

The following steps describe how digital credential roaming works.

  1. A user logs onto a client computer that is connected to an Active Directory domain.

  2. As part of the logon process, credential roaming Group Policy is applied to the user’s computer.

  3. If this is the first time that credential roaming is being used, the certificates in the user's store on the client computer are copied to Active Directory.

  4. If the user already has certificates in Active Directory, the certificates in the user’s certificate store on the client computer are compared to the certificates stored for the user in Active Directory.

  5. If the certificates in the user's certificate store are current, then no further action is taken. However, if more recent certificates for the user are stored in Active Directory, then these credentials are copied to the client computer.

  6. After the user's certificate store on the client computer has been updated, then outstanding certificate auto-enrollment requests are processed.


    • Newly issued certificates are stored in the certificate store on the client and replicated to the domain controller for the domain.
  7. Later, when the user logs onto another client computer connected to the domain, the same Group Policy is applied and credentials are once again replicated from Active Directory. Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that the user logs onto, as well as Active Directory.


    • In multidomain environments and domains with multiple domain controllers, credentials may not be immediately available when a user logs on to the network using one domain controller shortly after being issued a certificate on a computer that validates the user's identity against a different domain controller. The credentials will only become available after replication has been completed between the two domains or domain controllers.
  8. On subsequent logons, the certificate in the local certificate and key stores are compared to the certificates and keys in Active Directory:

    • If the certificates and keys are current, no further action is taken.

    • If the certificates and keys need to be renewed, the certification authority (CA) is contacted from the laptop or workstation, the renewal process occurs and the updated certificates and keys are replicated to Active Directory.

  9. When the user logs onto the other computer, the updated certificates and keys are replicated to the certificate and key stores on this computer as well.

  10. When the user’s certificate expires, the old certificate is automatically archived in the client's profile and in Active Directory.

Credential roaming is triggered any time a private key or certificate in the user’s local certificate store changes, whenever the user locks or unlocks their computer, and whenever Group Policy is refreshed.

All Credential roaming-related communication between components on the local computer and between the local computer and Active Directory is signed and encrypted.