Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Description of the Credential Roaming service update for Windows Server 2003 and for Windows XP


View products that this article applies to.

Introduction

This article describes a Microsoft Windows Server 2003 post-Service Pack 1 (SP1) update to the Credential Roaming service. The Credential Roaming service was formerly named the Digital Identity Management service (DIMS). This update includes changes to the Credential Roaming service that have been made for Microsoft Windows Vista. This update also applies to Microsoft Windows XP Service Pack 2 (SP2).

↑ Back to the top


More information

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 update information

A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.

Prerequisites

You must have Windows Server 2003 SP1 installed.

Restart requirement

You must restart the computer after you apply this update.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certmgr.dll5.2.3790.27211,464,83210-Jun-200604:46IA-64SP1SP1QFE
Dimsntfy.dll5.2.3790.272152,73610-Jun-200604:46IA-64SP1SP1QFE
Dimsroam.dll5.2.3790.2721116,73610-Jun-200604:46IA-64SP1SP1QFE
Pautoenr.dll5.2.3790.2721198,14410-Jun-200604:46IA-64SP1SP1QFE
Wcertmgr.dll5.2.3790.2721478,72010-Jun-200604:46x86SP1WOW
Wdimsntfy.dll5.2.3790.272119,45610-Jun-200604:46x86SP1WOW
Wdimsroam.dll5.2.3790.272140,44810-Jun-200604:46x86SP1WOW
Wpautoenr.dll5.2.3790.272175,26410-Jun-200604:46x86SP1WOW
Windows Server 2003, x64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certmgr.dll5.2.3790.2721751,10410-Jun-200604:45x64SP1SP1QFE
Dimsntfy.dll5.2.3790.272128,67210-Jun-200604:45x64SP1SP1QFE
Dimsroam.dll5.2.3790.272164,51210-Jun-200604:45x64SP1SP1QFE
Pautoenr.dll5.2.3790.2721113,66410-Jun-200604:45x64SP1SP1QFE
Wcertmgr.dll5.2.3790.2721478,72010-Jun-200604:46x86SP1WOW
Wdimsntfy.dll5.2.3790.272119,45610-Jun-200604:46x86SP1WOW
Wdimsroam.dll5.2.3790.272140,44810-Jun-200604:46x86SP1WOW
Wpautoenr.dll5.2.3790.272175,26410-Jun-200604:46x86SP1WOW
Windows Server 2003, x86-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certmgr.dll5.2.3790.2721478,72010-Jun-200604:29x86SP1SP1QFE
Dimsntfy.dll5.2.3790.272119,45610-Jun-200604:29x86SP1SP1QFE
Dimsroam.dll5.2.3790.272140,44810-Jun-200604:29x86SP1SP1QFE
Pautoenr.dll5.2.3790.272175,26410-Jun-200604:29x86SP1SP1QFE

Windows XP update information

A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.

The supported feature includes the ADM template for Credentials Roaming Group Policy settings.

Prerequisites

You must have Windows XP SP2 installed.

Restart requirement

You must restart the computer after you apply this update.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certmgr.dll5.1.2600.2914457,21623-May-200611:54x86SP2SP2QFE
Dimsntfy.dll5.1.2600.291419,45623-May-200611:54x86SP2SP2QFE
Dimsroam.dll5.1.2600.291439,93623-May-200611:54x86SP2SP2QFE
Pautoenr.dll5.1.2600.291467,58423-May-200611:54x86SP2SP2QFE

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

↑ Back to the top


More information

This section describes the changes that have been made to the Credential Roaming service.

Credential roaming does not delete certificates that cannot be validated

Windows Vista includes support for credential roaming and for new cryptographic algorithms that are not supported in earlier versions of Windows. Because of this combination of features, a user may autoenroll for a certificate in Windows Vista and then the user may log on to an earlier version of Windows that cannot parse the certificate. In Windows Server 2003 SP1, credential roaming deletes a credential from the Active Directory directory service user store if the digital certificate cannot be validated.

This update prevents credential roaming from deleting the certificate from the Active Directory user store in Windows XP or in Windows Server 2003. If certificate validation fails during the autoenrollment process, credential roaming verifies that the certificate has not expired. If the certificate has expired, it is deleted from Active Directory together with the associated private key. If the certificate has not expired, no action is taken.

Credential roaming will ignore read-only domain controllers

A read-only domain controller (RODC) is a new feature that is planned for Microsoft Windows Server 2008. A RODC can be deployed in a branch office environment where users may require authentication services but users are not expected to change objects that are stored in Active Directory.

Credential roaming requires that the user's credential store be synchronized with Active Directory during various user-initiated actions such as logon, lock workstation, and unlock workstation actions. Therefore, credential roaming will ignore RODCs. The Credential Roaming service will always look for a writeable domain controller, even if the service must to go across a wide area network (WAN) link.

Credential roaming will not be used when using EFS to encrypt files on a file server

Credential roaming requires that the user log on interactively. Encrypting a file on a file server from a workstation is considered a network logon. Therefore, credential roaming does not load the user's certificates and keys on the file server. The file on the file server is encrypted with a new self-signed certificate or a with new certificate that is issued by an internal Windows-based certification authority.

Conflict resolution logic has been simplified

In Windows Server 2003 SP1, credential roaming offers several policies that enable the administrator to dictate what types of certificates and keys can roam with a particular user. These policies could introduce conflicts if a user imports the same certificate and the same private key on two different workstations and if the workstations have different settings for the certificate and for the private key. For example, a problem can occur if the certificate and the private key are exportable on one workstation and not on the other workstation. A problem may also occur if the certificate and the private key have strong private key protection on one workstation but not on the other workstation.

To resolve this issue, conflict resolution has been changed in this update so that the data in Active Directory is updated with what was last written to the object. For example, if two different workstations update the object in Active Directory, the second update overwrites the first update.

Windows XP SP2 and Windows Server 2003 SP1 support

A version of this update is available for Windows XP Service Pack 2 (SP2). If you install this update in Windows XP, users can use roaming certificates and roaming keys on multiple Windows XP SP2-based computers. If you expect users to use certificates and keys on Windows Server 2003 SP1-based computers and on Windows XP SP2-based computers, we strongly recommend that you also deploy this update on the Windows Server 2003 SP1-based computers. This step makes sure that the same credential roaming functionality is deployed enterprise-wide.

Note For information about how to configure and deploy credential roaming, visit the following Microsoft Web site:

↑ Back to the top


Keywords: kbqfe, kbautohotfix, kbwinserv2003sp2fix, kbwinxppresp3fix, kbwinserv2003presp2fix, kbbug, kbfix, kbhotfixserver, KB907247

↑ Back to the top

Article Info
Article ID : 907247
Revision : 4
Created on : 10/9/2011
Published on : 10/9/2011
Exists online : False
Views : 1494