Re: Enabling a Certificate template

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/31/04

    Date: Fri, 31 Dec 2004 22:24:04 GMT
    
    

    OK. I would suggest that when you create the new template that you might
    want to consider that the private keys not be exportable so that they can
    not export their certificate/private key unless there is a particular need
    for such. Also by default you will need to have an email address in each
    user's account properties in AD that will be included on the certificate. If
    you do not have a need for that, you can remove that requirement from the
    template you create also under subject name. Users on Windows 2000 computers
    and earlier can not obtain a certificate via autoenrollment [version 1
    computer certificates can be obtained via automatic request]. Keep in mind
    that by default any domain user can add up to ten workstations to the domain
    which means that a domain user could possibly join an unauthorized computer
    to the domain and they automatically obtain certificates via autoenrollment.
    You can mitigate that by removing authenticated users from the add
    workstations to the domain user right in "Domain Controller" Security Policy
    and also by not enabling autoenrollment at the domain level but at the
    Organizational Unit instead where the computer and user accounts would need
    to be. Permissions for autoenrollment can also be given to computers. Domain
    computers are members of authenticated users also but you could create a
    domain global group and add the authorized domain computers to that group
    for autoenrollment permissions for computer certificate instead of
    authenticated users or domain computers. The links below may be
    helpful. --- Steve

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

    "awib" <awib@discussions.microsoft.com> wrote in message
    news:38B9BEDC-AF4F-4E78-86EC-F0C6FCAB9EAE@microsoft.com...
    > Hi Steve, as per my reply to Mike, I will check re Enterprise.
    > Autoenrollment is going to be something of a requirement for me as I wish
    > to get 30 or so laptops connecting under 802.1x, with the minimum
    > intervention by user. I do not mind setting up laptops with certificates
    > by hooking up via ethernet, so long as I can enable my clients (school
    > kids in this case) to logon to the network. This of course means that the
    > laptops will need to establish a secure wireless link prior to logging on.
    >
    > "Steven L Umbach" wrote:
    >
    >> As Mike indicated the CA needs to be running on Windows 2003 Server
    >> Enterprise. If it is not you can still issue computer and user
    >> certificates but you can not use autoenrollment. Computer certificates
    >> can be issued automatically via Group Policy automatic request and users
    >> can request certificates via Web Enrollment or mmc certificate snapin for
    >> users. Using automatic request for computer certificates via Group Policy
    >> can be helpful because otherwise a user of a computer must be a local
    >> administrator to install a computer certificate to the computer store on
    >> their computer. --- Steve
    >>
    >>
    >> "awib" <awib@discussions.microsoft.com> wrote in message
    >> news:4AA93246-6DF5-47BB-94A3-2F993333B1D8@microsoft.com...
    >> > Hi, following the white paper: Windows Server 2003, "Step-by-step guide
    >> > for setting up secure wireless access in a test lab"
    >> > To help me setup EAP-TLS, I am following this guide.
    >> > After creating a certificate template for wireless users by copying the
    >> > existing User template with the "Certificate Templates" snap-in,
    >> > modifying the domain users permissions etc, I find that the template
    >> > does not appear in the list when I use the "Certification authority"
    >> > snap-in "Action / New Certificate Template to issue", for what it
    >> > matters, neither do a few others that were visible from the
    >> > "Certificate templates" snap-in.
    >> > EAP-PEAP is working fine, but I want to issue certificates to devices
    >> > to help reduce authentication overhead on users, and improve security
    >> > re restricting devices.
    >> > Any ideas?
    >> >
    >>
    >>
    >>
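
An added audit script (not from this thread and not Microsoft's own tooling) that checks the points Steve raises on a live domain: the machine-account quota behind the "ten workstations" default, whether the copied template marks private keys exportable or requires an e-mail address in the subject, and which principals hold the Autoenroll right on it. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the Configuration partition, and the placeholder template name 'WirelessUser'.

```powershell
# Added example: audits the hardening points from the thread. Assumes the
# ActiveDirectory module (RSAT); 'WirelessUser' is a placeholder template name.
Import-Module ActiveDirectory

$TemplateName = 'WirelessUser'

# 1. "Any domain user can add up to ten workstations": that default is the
#    ms-DS-MachineAccountQuota attribute on the domain head. 0 disables it.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota  (0 means ordinary users cannot join machines)"

# 2. Template flags (bit values from MS-CRTD).
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # in msPKI-Private-Key-Flag
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x20000000   # in msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # in msPKI-Certificate-Name-Flag

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$TemplateName'" `
           -Properties 'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDn" }

$keyFlags  = $tpl.'msPKI-Private-Key-Flag'
$nameFlags = $tpl.'msPKI-Certificate-Name-Flag'
$emailMask = $CT_FLAG_SUBJECT_REQUIRE_EMAIL -bor $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
Write-Output ("Private key exportable         : {0}" -f [bool]($keyFlags -band $CT_FLAG_EXPORTABLE_KEY))
Write-Output ("E-mail required in subject/SAN : {0}" -f [bool]($nameFlags -band $emailMask))

# 3. Who may autoenroll. Steve's advice: a dedicated global group rather than
#    Authenticated Users / Domain Users / Domain Computers.
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$broad = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow' -or $ace.ObjectType -ne $autoEnrollRight) { continue }
    $who  = $ace.IdentityReference.Value
    $note = ''
    foreach ($b in $broad) {
        if ($who -like "*\$b") { $note = '  <-- broad principal, consider a dedicated group' }
    }
    Write-Output "Autoenroll allowed: $who$note"
}
```

Run it on a domain controller or a workstation with RSAT installed; the output is read-only, so it is safe to run before and after changing the template.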

