Credential Roaming is the replacement or alternative to using Roaming Profiles (or RUP - Roaming User Profiles). The biggest drawback to using RUP has always been that the profile tends to grow bigger as time goes by (raise your hand if you've ever saved a file on your desktop).
One of the primary reasons for using RUP has been to allow users to log on to different workstations or servers and let their credentials (certificates, keys, etc.) roam with them. using RUP with multiple workstations at the same time is however not a practical setup (you'll likely end up with conflicts when the two profiles get reconciled at logoff).
The workaround of using Folder Redirection to redirect the users' home folders, desktop and documents partially addresses the issue but the remaining challenge is how to get your certificates and keys to roam with the user. This is where Credential Roaming (CR) comes into the picture, as it allows you to roam credential data while using Local Profiles for users.
There are however, some caveats that should be considered before implementing Credential Roaming:
- The NTDS.dit database on your DC’s *will* grow. Exactly how much it will grow will depend on how much credential data your users have and how many users you enable CR for.
- Many applications use relatively short-lived keys that will also be roamed by CR They will be roamed while they are valid + the duration that you specify in Maximum Tombstone Credentials Lifetime in Days. This will increase as more applications start using CryptoAPI to store user data.
- The default limit for the amount of roamed credentials for each user is 128 Mb. This is calculated from the default maximum amount of roamed credentials or tokens (DIMSRoamingMaxNumberTokens which defaults to 2000) multiplied by the default maximum size for each token (DIMSRoamingMaxTokenSize which defaults to 64k).
Modifying the defaults is certainly an option but you need to weigh the pros and cons of doing so and examine the current requirements of your users, set the values too low and Credential Roaming will stop for a user that reaches the limits.
A typical token today (public or private key) is around 2k, this will vary depending on key size and contents (see table below). In addition to this, a new DPAPI master key will be created at every password change and this will roam as well.
Given the numbers above, it is not unreasonable to estimate that you could potentially be looking at an NTDS.dit growth (sometimes also referred to as NTDS.dit bloat) that could double or triple the current size of the Active Directory database on the DC’s if you enable Credential Roaming for all users and have applications that are heavy users of CryptoAPI.
Configuring and Troubleshooting Certificate Services Client–Credential Roaming http://technet.microsoft.com/en-us/library/cc700848.aspx Support Webcast: Credential Roaming Basics http://support.microsoft.com/?id=935441
Before deploying Group Policy to enable credential roaming for client computers, it is highly recommended that you plan the estimated growth of the Active Directory database.
Every item that is able to roam with Credential Management Services needs to be stored in a user object. This causes growth of the user object.
The following table shows estimated sizes of tokens. Remember that the size of certificates will vary depending on the attributes that are part of a certificate. You may have to examine the sizes of customized certificates by yourself. One way to determine the size of a certificate is to export it to a file with the Certificate Manager MMC Snap-In.
512-bit RSA key
Approximately 1 kilobyte (KB); the size may vary depending on the CSP
1024-bit RSA key
Approximately 1.5 KB; the size may vary depending on the CSP
2048-bit RSA key
Approximately 2 KB; the size may vary depending on the CSP
Approximately 2 KB; the size will vary depending on the number of attributes and the information stored in the attributes. A long distinguished name or common name will extend the size of a certificate, for example.
Approximately 1 KB; the size will vary depending on the amount of information stored in the certificate request. A long distinguished name or common name will extend the size of a certificate, for example.
DPAPI master key
388 bytes for local user accounts
664 bytes for domain accounts on Windows XP
740 bytes for domain accounts on Windows Vista
DPAPI Preferred file
Store username and password
Approximately 400 bytes
Before deploying credential roaming, you should carefully calculate the amount of data that will be added to your Active Directory domain environment. The following formula provides an upper-bound calculation of how much data your domain controllers have to handle when credential roaming is enabled. The result of the formula is the amount of data in kilobytes that will be stored in Active Directory. The actual amount of data can be less if certificate renewal uses existing key material, for example.
(((CertificateSizeInByte + KeySizeInByte) * (#UserCertificates * #PastCertificateRenewals * #Machines) + (DPAPIkey * ProfileAgeInYears * 4) + DPAPIpreferredfile + (#StoredUserNamesAndPasswords * 400)) / 1024
Formula Parameters Description
This parameter represents the size of a certificate. Calculate the sum of certificate sizes if a user has multiple certificates.
This parameter represents the size of a key. Calculate the sum of key sizes if a user has multiple keys.
This is the number of certificates that users hold. Users may have enrolled for more certificates than the number of certificate templates for which they have enrollment permissions if manual enrollment was performed.
This parameter represents the number of certificate renewals. If you have different renewal intervals, you have to calculate the total number of certificates for each certificate type individually.
This is the number of computers users log on to while certificate roaming is enabled. After enabling certificate roaming, Certificate Management Services will synchronize any locally existing certificates with the user's Active Directory object.
The DPAPIkeySizeInKByte is 664 or 740 bytes.
The age of a user profile has an impact on the number of DAPI master keys that exist. A new DPAPI master key is generated every 90 days so that four DPAPI master keys are created per year.
The DAPIpreferredfile has a fixed size of 24 bytes.
This is the number of credentials that are maintained with credential manager. A user may have stored account credentials to access Web sites or file servers.
You also have to consider that the byte amount of roaming credentials applies per user so that you have to multiply the amount per user by the number of users that are participating in credential roaming. Imagine that if you have deployed a certificate for EFS, one for S/MIME encryption, and one for S/MIME signing per user two years ago. The default validity time of a certificate is one year. You assume a profile age of three years. An average user was logged on to two computers in this example. Since the number of stored user names and passwords is a bit unpredictable, you assume 10 stored user names and passwords per user.
((2048 + 1536) * (3 * 2 * 2) + (664 * 3 * 4) + 24 + (10 * 400)) / 1024 = 54 Kbyte per user (rounded)
If you deploy Group Policy for credential roaming at a domain level to 10,000 users, during the logon hours between 7 A.M. and 9 A.M., for example, approximately 540 MB of roaming credentials have to be carried by your domain controllers. Also, consider the additional Active Directory replication traffic that will occur.
Depending on your domain controller infrastructure, it might be a wise to deploy Group Policy to enable credential roaming in parts. Even if applied at a domain level, you can use a security group or a WMI query to control the appliance of Group Policy.
Note The amount of roaming data will grow slowly when new certificates are enrolled, new DAPI master keys are created, or a user adds a stored user name with password to credential manager. However, since these events trigger over time, heavy load on the domain controllers is not expected.
Thank you for the very informative post. I have one additional question though: In your formula, does the #UserCertificates
variable also include certificates in the "other persons" store?
#UserCertificates should technically apply to any store that Credential Roaming roams.... that should include Trusted People, Other Users, Certificate Enrollment requests, etc.
Thanks instan. I have one more question: Does the GPO for credential roaming have to be applied at the domain level, or can I apply it to one or more specific OUs in the domain (and not the domain as a whole)?
It should not be a problem to apply credential roaming at the OU level - should be easy to try out in your lab environment to confirm it :)
Thanks instan. Works like a charm!
See also the following Windows 7 hotfix that slightly changes the scope of what data credential roaming roams from Windows 7 clients:
AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows 7 or in Windows Server 2008 R2
I got one basic question: Does credential roaming appplied to computers certicates? eg wifi certificates?
no, only user credentials roam.
Hi, Can you manage the certificates from AD? Is there any place that I can see them? Or just are in the NTDS.DIT file? Thanks!