Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
Starting in Windows Server 2008 R2, there is an enrollment protocol that is based on WS-Trust and contains two new role services. These services use HTTP-based messaging over a TLS-encrypted transport and they do not depend solely on the Kerberos protocol for authentication. [Note: Using this for enrollment requires Windows 7 or Windows 2008 R2 clients.]
The role services are called:
For Group Policy configured policy settings, you can configure two servers (URLs) as part of the same policy. As a result, both policy server URLs will be functionally equivalent. The client then selects one URL to use, based upon the following rules:
Note: To configure the load balancing behavior described below, Group Policy configured settings must be used. User configured policies do not enable multiple URLs to be configured as part of the same policy.
i. The URI is selected based on authentication type, in the following order: Kerberos, Anonymous, Username/Password cached in the vault or Client Auth Certificate cached in the vault, Username/Password or Client Auth Certificate.
ii. If all properties are equal then a URI is randomly selected.
Once a policy server is selected there may be multiple enrollment servers to choose from. The client will pick an enrollment server as follows: