Microsoft small business knowledge base

Article ID: 907247 - Last Review: October 9, 2011 - Revision: 4.0

Hotfix Download Available
View and request hotfix downloads
 

INTRODUCTION

This article describes a Microsoft Windows Server 2003 post-Service Pack 1 (SP1) update to the Credential Roaming service. The Credential Roaming service was formerly named the Digital Identity Management service (DIMS). This update includes changes to the Credential Roaming service that have been made for Microsoft Windows Vista. This update also applies to Microsoft Windows XP Service Pack 2 (SP2).

MORE INFORMATION

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 (http://support.microsoft.com/kb/889100/) How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 update information

A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.

Prerequisites

You must have Windows Server 2003 SP1 installed.

Restart requirement

You must restart the computer after you apply this update.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003, Itanium-based versions

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Certmgr.dll | 5.2.3790.2721 | 1,464,832 | 10-Jun-2006 | 04:46 | IA-64 | SP1 | SP1QFE |
| Dimsntfy.dll | 5.2.3790.2721 | 52,736 | 10-Jun-2006 | 04:46 | IA-64 | SP1 | SP1QFE |
| Dimsroam.dll | 5.2.3790.2721 | 116,736 | 10-Jun-2006 | 04:46 | IA-64 | SP1 | SP1QFE |
| Pautoenr.dll | 5.2.3790.2721 | 198,144 | 10-Jun-2006 | 04:46 | IA-64 | SP1 | SP1QFE |
| Wcertmgr.dll | 5.2.3790.2721 | 478,720 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wdimsntfy.dll | 5.2.3790.2721 | 19,456 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wdimsroam.dll | 5.2.3790.2721 | 40,448 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wpautoenr.dll | 5.2.3790.2721 | 75,264 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |

Windows Server 2003, x64-based versions

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Certmgr.dll | 5.2.3790.2721 | 751,104 | 10-Jun-2006 | 04:45 | x64 | SP1 | SP1QFE |
| Dimsntfy.dll | 5.2.3790.2721 | 28,672 | 10-Jun-2006 | 04:45 | x64 | SP1 | SP1QFE |
| Dimsroam.dll | 5.2.3790.2721 | 64,512 | 10-Jun-2006 | 04:45 | x64 | SP1 | SP1QFE |
| Pautoenr.dll | 5.2.3790.2721 | 113,664 | 10-Jun-2006 | 04:45 | x64 | SP1 | SP1QFE |
| Wcertmgr.dll | 5.2.3790.2721 | 478,720 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wdimsntfy.dll | 5.2.3790.2721 | 19,456 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wdimsroam.dll | 5.2.3790.2721 | 40,448 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |
| Wpautoenr.dll | 5.2.3790.2721 | 75,264 | 10-Jun-2006 | 04:46 | x86 | SP1 | WOW |

Windows Server 2003, x86-based versions

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Certmgr.dll | 5.2.3790.2721 | 478,720 | 10-Jun-2006 | 04:29 | x86 | SP1 | SP1QFE |
| Dimsntfy.dll | 5.2.3790.2721 | 19,456 | 10-Jun-2006 | 04:29 | x86 | SP1 | SP1QFE |
| Dimsroam.dll | 5.2.3790.2721 | 40,448 | 10-Jun-2006 | 04:29 | x86 | SP1 | SP1QFE |
| Pautoenr.dll | 5.2.3790.2721 | 75,264 | 10-Jun-2006 | 04:29 | x86 | SP1 | SP1QFE |

Windows XP update information

A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.

The supported feature includes the ADM template for Credentials Roaming Group Policy settings.

Prerequisites

You must have Windows XP SP2 installed.

Restart requirement

You must restart the computer after you apply this update.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Certmgr.dll | 5.1.2600.2914 | 457,216 | 23-May-2006 | 11:54 | x86 | SP2 | SP2QFE |
| Dimsntfy.dll | 5.1.2600.2914 | 19,456 | 23-May-2006 | 11:54 | x86 | SP2 | SP2QFE |
| Dimsroam.dll | 5.1.2600.2914 | 39,936 | 23-May-2006 | 11:54 | x86 | SP2 | SP2QFE |
| Pautoenr.dll | 5.1.2600.2914 | 67,584 | 23-May-2006 | 11:54 | x86 | SP2 | SP2QFE |
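
The following PowerShell script is an added example, not Microsoft's code. It compares the four Credential Roaming files on a computer with the minimum versions in the Windows Server 2003 and Windows XP file tables above. The function name Test-CredentialRoamingFile is hypothetical, and the default System32 location is an assumption because this article does not state an installation path.

```powershell
param(
    # Assumption: the article gives no install path; System32 is used as the default.
    [string]$Directory = (Join-Path $env:SystemRoot 'System32')
)

# Minimum file versions from the article's tables, keyed by the file's major.minor.
$minimum = @{
    '5.2' = [version]'5.2.3790.2721'   # Windows Server 2003 SP1 tables
    '5.1' = [version]'5.1.2600.2914'   # Windows XP SP2 table
}
$fileNames = 'Certmgr.dll', 'Dimsntfy.dll', 'Dimsroam.dll', 'Pautoenr.dll'

# Hypothetical helper (not a built-in cmdlet): classify one file.
function Test-CredentialRoamingFile {
    param([string]$Path)

    $result = New-Object psobject -Property @{
        File = (Split-Path $Path -Leaf); Found = $null; Required = $null; Status = 'Missing'
    }
    if (-not (Test-Path -LiteralPath $Path)) { return $result }

    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Use the numeric parts: the FileVersion string may carry trailing text
    # that [version] cannot parse.
    $result.Found = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
        $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

    $key = '{0}.{1}' -f $result.Found.Major, $result.Found.Minor
    if (-not $minimum.ContainsKey($key)) {
        $result.Status = 'NotCovered'      # not a 5.1 or 5.2 file
        return $result
    }
    $result.Required = $minimum[$key]
    # "or later file attributes": any version at or above the listed one passes.
    if ($result.Found -ge $result.Required) { $result.Status = 'Updated' } else { $result.Status = 'NeedsUpdate' }
    return $result
}

$fileNames |
    ForEach-Object { Test-CredentialRoamingFile (Join-Path $Directory $_) } |
    Select-Object File, Found, Required, Status |
    Format-Table -AutoSize
```

Pass -Directory to check a folder other than the default, for example a copy of the files taken from another computer.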

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

MORE INFORMATION

This section describes the changes that have been made to the Credential Roaming service.

Credential roaming does not delete certificates that cannot be validated

Windows Vista includes support for credential roaming and for new cryptographic algorithms that are not supported in earlier versions of Windows. Because of this combination of features, a user may autoenroll for a certificate in Windows Vista and then the user may log on to an earlier version of Windows that cannot parse the certificate. In Windows Server 2003 SP1, credential roaming deletes a credential from the Active Directory directory service user store if the digital certificate cannot be validated.

This update prevents credential roaming from deleting the certificate from the Active Directory user store in Windows XP or in Windows Server 2003. If certificate validation fails during the autoenrollment process, credential roaming verifies that the certificate has not expired. If the certificate has expired, it is deleted from Active Directory together with the associated private key. If the certificate has not expired, no action is taken.

Credential roaming will ignore read-only domain controllers

A read-only domain controller (RODC) is a new feature that is planned for Microsoft Windows Server 2008. A RODC can be deployed in a branch office environment where users may require authentication services but users are not expected to change objects that are stored in Active Directory.

Credential roaming requires that the user's credential store be synchronized with Active Directory during various user-initiated actions such as logon, lock workstation, and unlock workstation actions. Therefore, credential roaming will ignore RODCs. The Credential Roaming service will always look for a writeable domain controller, even if the service must go across a wide area network (WAN) link.

Credential roaming will not be used when using EFS to encrypt files on a file server

Credential roaming requires that the user log on interactively. Encrypting a file on a file server from a workstation is considered a network logon. Therefore, credential roaming does not load the user's certificates and keys on the file server. The file on the file server is encrypted with a new self-signed certificate or with a new certificate that is issued by an internal Windows-based certification authority.

Conflict resolution logic has been simplified

In Windows Server 2003 SP1, credential roaming offers several policies that enable the administrator to dictate what types of certificates and keys can roam with a particular user. These policies could introduce conflicts if a user imports the same certificate and the same private key on two different workstations and if the workstations have different settings for the certificate and for the private key. For example, a problem can occur if the certificate and the private key are exportable on one workstation and not on the other workstation. A problem may also occur if the certificate and the private key have strong private key protection on one workstation but not on the other workstation.

To resolve this issue, conflict resolution has been changed in this update so that the data in Active Directory is updated with what was last written to the object. For example, if two different workstations update the object in Active Directory, the second update overwrites the first update.

Windows XP SP2 and Windows Server 2003 SP1 support

A version of this update is available for Windows XP Service Pack 2 (SP2). If you install this update in Windows XP, users can use roaming certificates and roaming keys on multiple Windows XP SP2-based computers. If you expect users to use certificates and keys on Windows Server 2003 SP1-based computers and on Windows XP SP2-based computers, we strongly recommend that you also deploy this update on the Windows Server 2003 SP1-based computers. This step makes sure that the same credential roaming functionality is deployed enterprise-wide.

Note For information about how to configure and deploy credential roaming, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/Library/2205530f-fa9a-4f2c-a0f0-5bea36dc57471033.mspx?mfr=true

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
Keywords: 
kbautohotfix kbwinserv2003sp2fix kbwinxppresp3fix kbwinserv2003presp2fix kbbug kbfix kbhotfixserver kbqfe KB907247