Re: Enabling a Certificate template

From: awib (awib_at_discussions.microsoft.com)
Date: 01/04/05


Date: Tue, 4 Jan 2005 03:33:02 -0800

Hi Steven,
thanks for that; after checking this a.m., I am of course running Server 2003
Standard.
Can I just run past you again what I want to do.
I want any authorised user in Active Directory to be able to log on over a
wireless connection to the domain via an "authorised laptop". It was my
intention to "pre-authorise" the laptop with a certificate issued by the
certificate authority (this being the EAP-TLS bit). The authentication on the
domain would require both the laptop's certificate and the user's domain login
to be valid.
I was proposing to use RADIUS of course to manage the certificate
authentication to the device, and allow my users to authenticate with AD
over the top of that, preferably at the point of logging on to the laptop.
For the certification service to work in this way requires Server
Enterprise. Can I upgrade the server to the Enterprise version (given that
this is for education, the cost is not significant), and will this allow me
to meet my objective?
If not, can I pre-issue a certificate to the laptop as a setup process with
Server 2003 Standard with GPO? If so, how do I create the EAP-TLS certificate?
If I can upgrade, will this require a DCPROMO back to a standalone server
with all that entails, etc.?

Regards

Andrew

"Steven L Umbach" wrote:

> OK. I would suggest that when you create the new template that you might
> want to consider that the private keys not be exportable so that they can
> not export their certificate/private key unless there is a particular need
> for such. Also by default you will need to have an email address in each
> user's account properties in AD that will be included on the certificate. If
> you do not have a need for that, you can remove that requirement from the
> template you create also under subject name. Users on Windows 2000 computers
> and earlier can not obtain a certificate via autoenrollment [version 1
> computer certificates can be obtained via automatic request]. Keep in mind
> that by default any domain user can add up to ten workstations to the domain
> which means that a domain user could possibly join an unauthorized computer
> to the domain and they automatically obtain certificates via autoenrollment.
> You can mitigate that by removing authenticated users from the add
> workstations to the domain user right in "Domain Controller" Security Policy
> and also by not enabling autoenrollment at the domain level but at the
> Organizational Unit instead where the computer and user accounts would need
> to be. Permissions for autoenrollment can also be given to computers. Domain
> computers are members of authenticated users also but you could create a
> domain global group and add the authorized domain computers to that group
> for autoenrollment permissions for computer certificate instead of
> authenticated users or domain computers. The links below may be
> helpful. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> "awib" <awib@discussions.microsoft.com> wrote in message
> news:38B9BEDC-AF4F-4E78-86EC-F0C6FCAB9EAE@microsoft.com...
> > Hi Steve, as per my reply to Mike, I will check re Enterprise. Autoenrollment
> > is going to be something of a requirement for me as I wish to get 30 or so
> > laptops connecting under 802.1x, with the minimum intervention by user. I do
> > not mind setting up laptops with certificates by hooking up via ethernet, so
> > long as I can enable my clients (school kids in this case) to logon to the
> > network. This of course means that the laptops will need to establish a secure
> > wireless link prior to logging on.
> >
> > "Steven L Umbach" wrote:
> >
> >> As Mike indicated the CA needs to be running on Windows 2003 Server
> >> Enterprise. If it is not you can still issue computer and user certificates
> >> but you can not use autoenrollment. Computer certificates can be issued
> >> automatically via Group Policy automatic request and users can request
> >> certificates via Web Enrollment or mmc certificate snap-in for users. Using
> >> automatic request for computer certificates via Group Policy can be helpful
> >> because otherwise a user of a computer must be a local administrator to
> >> install a computer certificate to the computer store on their computer.
> >> --- Steve
> >>
> >>
> >> "awib" <awib@discussions.microsoft.com> wrote in message
> >> news:4AA93246-6DF5-47BB-94A3-2F993333B1D8@microsoft.com...
> >> > Hi, following the white paper: Windows Server 2003, "Step-by-step guide for
> >> > setting up secure wireless access in a test lab".
> >> > To help me set up EAP-TLS, I am following this guide.
> >> > After creating a certificate template for wireless users by copying the
> >> > existing User template with the "Certificate Templates" snap-in, modifying
> >> > the domain users permissions etc., I find that the template does not appear
> >> > in the list when I use the "Certification Authority" snap-in "Action / New
> >> > Certificate Template to Issue"; for what it matters, neither do a few others
> >> > that were visible from the "Certificate Templates" snap-in.
> >> > EAP-PEAP is working fine, but I want to issue certificates to devices to
> >> > help reduce authentication overhead on users, and improve security re
> >> > restricting devices.
> >> > Any ideas?
> >> >
> >>
> >>
> >>
>
>
>
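An added audit script, not code from anyone in this thread: it reads from Active Directory the three things the replies turn on (whether the copied template is a version 2 template, which on Server 2003 only an Enterprise-edition CA can issue; whether it still demands an e-mail address from the user account; and whether any CA in the forest has actually published it), plus the machine-account quota behind the "ten workstations" point. The template name `WirelessUser` is a placeholder; run it on a domain-joined Windows host as a user who can read the Configuration partition.

```powershell
# Added example, not from the thread. Assumes a domain-joined host and read
# access to the Configuration partition; $TemplateName is a placeholder.
$TemplateName = 'WirelessUser'   # placeholder: CN of the template you copied

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.Properties['configurationNamingContext'].Value
$defaultNc = $rootDse.Properties['defaultNamingContext'].Value
$pkiBase   = "CN=Public Key Services,CN=Services,$configNc"

# Bits of msPKI-Certificate-Name-Flag (MS-CRTD) that pull the e-mail address
# from the AD account into the certificate; either one makes enrollment fail
# for accounts with no mail attribute.
$SUBJECT_REQUIRE_EMAIL     = 0x20000000   # e-mail in the Subject
$SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000   # e-mail in the SAN

# 1. How many machines any authenticated user may still join to the domain.
$domain = [ADSI]"LDAP://$defaultNc"
$quota  = [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value

# 2. Template schema version and e-mail requirement. A copy of "User" is a
#    version 2 template, which a Server 2003 Standard CA cannot issue.
$tplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' not found under $pkiBase"
}
$tpl       = [ADSI]$tplPath
$version   = [int]$tpl.Properties['msPKI-Template-Schema-Version'].Value
$nameFlags = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
$needsMail = (($nameFlags -band $SUBJECT_REQUIRE_EMAIL) -ne 0) -or (($nameFlags -band $SUBJECT_ALT_REQUIRE_EMAIL) -ne 0)

# 3. Which CAs publish the template: each pKIEnrollmentService object lists the
#    templates it issues in its certificateTemplates attribute.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Enrollment Services,$pkiBase",
    '(objectClass=pKIEnrollmentService)')
$publishedBy = foreach ($ca in $searcher.FindAll()) {
    if ($ca.Properties['certificatetemplates'] -contains $TemplateName) {
        $ca.Properties['cn'][0]
    }
}

[pscustomobject]@{
    Template            = $TemplateName
    SchemaVersion       = $version
    NeedsEnterpriseCA   = ($version -ge 2)
    RequiresEmailInAD   = $needsMail
    PublishedByCA       = (@($publishedBy) -join ', ')
    MachineAccountQuota = $quota
}
```

An empty PublishedByCA with SchemaVersion 2 is the symptom described at the start of the thread; RequiresEmailInAD true means the "subject name" change Steve describes has not been made yet.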
