Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server

From: Rodrigo Blanco (rodrigo.blanco.r_at_gmail.com)
Date: 08/12/05

Next message: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"

Previous message: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Maybe in reply to: Rodrigo Blanco: "IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Next in thread: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Reply: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 12 Aug 2005 08:49:27 +0200
To: Todd Stecher <tstecher@uswest.net>

Hello Todd,

in fact, it is most likely that I will not be able to go for an
Enterprise CA because of political factors (internal customer
politics, the AD is managed by different departments, and so on), so
it is not really due to technical reasons... Customer is always right,
I guess... :-/

Also, PEAP is not an option for the customer, since users tend to lend
their AD user/password, so EAP-TLS is the only way to ensure that the
workstation is controlled by the organization (only if they have a
valid certificate will they be able to connect).

From what other members of the list have told me, CAPICOM would
require installing CAPICOM components on the users' workstations,
while this may not be so by having cryptoAPI VB / C++ code execute on
the workstations with the AD logon script (libraries already there).
What I have not found is code samples to base my work on, and not
having to develop from scratch.

I do not understand the LDAP modifies to automatically publish to the
AD User Object for TLS mapping. This means that I have to modify the
AD LDAP schema? Is this necessary to have IAS map cetifiates and AD
users?

Thanks a lot and best regards,
Rodrigo.

On 8/12/05, Todd Stecher <tstecher@uswest.net> wrote:
> That's not crazy at all - in fact, for standalone CAs, certreq, xenroll, and
> capicom (or CAPI2.0) are your best options, if you want to emulate
> autoenrollment with a standalone CA. At the very least, you'll want them to
> do the work of creating the certificate request.
>
> You'll likely have to do some LDAP modifies as part of your provisioning, if
> you want to automatically publish to the AD User Object for TLS mapping.
>
> The only real gotcha is the fact that the standalone CAs don't really do
> RPC, but if you know perl (or HTTP programming), that isn't too difficult.
> You may also consider rolling your own CA policy modules (and client) to do
> the dirty work for you, exposing RPC interfaces fit to your purpose. That's
> a bit of work, but I believe its documented in MSDN.
>
> I was a PKI tester at MS during Windows 2000. In fact, I was primarily
> responsible for pulling together a lot of the infrastructure for Ent CA
> <----> AD integration (and smartcard logon, certificate mapping,
> autoenrollment, etc), but that was almost 5 years ago, so forgive me if the
> details are sketchy.
>
> I'm still curious, though, why don't you use enterprise CAs? If your
> clients all are domain entities, this should be easy to pull off even when
> their machines aren't part of the domain through documented RPC mechanisms.
>
> Tx,
> Todd
>
>
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Monday, August 08, 2005 11:30 PM
> To: offtopic
> Cc: focus-ms@securityfocus.com
> Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
>
> In fact, I was thinking of just using user certificates (no need for
> personal computers to be on-line while noone is logged on), and
> storing them on the profile of each user, on their computer.
>
> And, unfortunately, PEAP is not an option either.
>
> Surfing thorugh MS doc., I had read that through CAPICOM scripts or
> batches using certreq.exe against the MS Certificate Services 2003, it
> is possible to "emulate" (by programming...) the Active Directory 2003
> - Certificate Services 2003 integrated auto-enrollment and
> auto-installation of the users' certificates.
>
> However, I have no idea if this is applicable to Certificate Services
> 2000, if it is a pragmatic solution, and whether it is reasonably easy
> to set up.
>
> Any experience using this tools? Would it be crazy to focus the
> project in this direction?
>
> Thanks again and best regards,
> Rodrigo.
>
> On 8/9/05, offtopic <offtopic@mail.ru> wrote:
> > > - Although the MS Certificate Services are in standalone mode, can I
> > > still configure some auto-enrollment based on the users' AD logon? If
> > > not, what is the best option in order to minimize administrative
> > > effort?
> >
> > No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You can
> choose PEAP MSCHAPv2 for client authentication instead. In this case you
> don't need to manage client-side certificates and revocation.
> > If you need to use client certificates - create new Enterprise Subordinate
> CA for issue client certificates.
> >
> > > - Since MS Certificate Services are in standalone mode, is it possible
> > > to have the IAS server map certificates to AD users
> >
> > You can bind user-to-certificate manually in AD, but I think this is not
> best solution.
> >
> > > If you could point me to any paper or step-by-step guide that can
> >
> >
> http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+802.1x+
> step-by-step&kgs=0&kls=0 ????
> >
> >
> > PS. You want to use client certificates, where you will store it? In local
> profile, or on smartcard?
> > Will you authenticate computer or user or both?
> >
> >
> > (c)oded by offtopic@mail.ru
> >
> >
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
>
>
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"

Previous message: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Maybe in reply to: Rodrigo Blanco: "IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Next in thread: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Reply: Todd Stecher: "RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Digital Certificates Concepts needed (newbie to Crypto)
... > authentication via smartcards that will hold client certificates. ... Do we have to have a online connection / request to the CA? ...
(microsoft.public.platformsdk.security)
Digital Certificates Concepts needed (newbie to Crypto)
... authentication via smartcards that will hold client certificates. ... After correct authentication subsequent requests are authorized via ... Do we have to have a online connection / request to the CA? ...
(microsoft.public.platformsdk.security)
RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
... The only real gotcha is the fact that the standalone CAs don't really do ... autoenrollment, etc), but that was almost 5 years ago, so forgive me if the ... auto-installation of the users' certificates. ... > If you need to use client certificates - create new Enterprise Subordinate ...
(Focus-Microsoft)
Re: client certificates
... I'm not sure if you can do #1 with client certificates as that is handled by ... certificates and it only supports that browser. ... private key on the server, so you can't sign anything server side. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: more than only one certificate per server
... A web service using SSL/TLS can accept more than one client certificate, ... one for each customer. ... you can create a CA to sign client certificates. ...
(alt.computer.security)