Security

There is a system cert store and a user store. Machine certs are stored in the system store and user certs are stored in the user store.

cappalli, what if the domain user is logging in from another computer? Do you mean to say the certificate of every single user is stored in the user store on EVERY SINGLE MACHINE IN THE DOMAIN?

In practice, it is worse than that...  Typically user certificates are only distributed via group policy when that user logs in successfully via a wired computer.  The user would have had to login to a wired computer to even have the certificate distributed to the user's profile before using it wirelessly.  That is why many secure environments only have wireless eap-tls with machine certificates and machine-only wireless authentication...  Having a multi-user device with wireless user certificates is a headache to provision in practice for multiple user.

Thank you cjoseph but that doesn't answer the question.

The machine cert is unique per device. The user cert is downloaded into the user cert store after the user logs in. This can cause complications when using machine + user authentication because the first time a user authenticates, the certificate is not available until after the login process completes.

cappalli I'm still confused. If by simply logging into the domain with his username and password he will get a certificate, then what's the point of a user certificate? Isn't the whole idea of a user certificate to authenticate the user?

For the network, yes. To use a certificate to log on to the machine itself, you'd need to use a smartcard.