Re: Enabling a Certificate template

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 01/04/05


Date: Tue, 04 Jan 2005 18:54:35 GMT

You can upgrade Windows 2003 Standard to Windows 2003 Enterprise if you want
to go that route. If you do, be sure to do a full backup of your existing
server including the System State and also using Automated System Restore as
described in the link below just in case there is a problem. Upgrade should
be as simple as putting the new OS CD in the CD drive and when the install
window appears select upgrade install.

http://www.petri.co.il/what's_asr_in_windows_xp_2003.htm

You can obtain all the necessary certificates from your current CA. You just
cannot use autoenrollment to obtain user or computer certificates, though
you can use auto request via Group Policy computer configuration to obtain
computer certificates automatically as shown in the link below.

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/autocertsteps.asp

You could request/issue user certificates ahead of time but this would be
time consuming and you would need logon name/password for every user and use
Web Enrollment to request user certificate with exportable private keys,
then go to the user certificate personal folder, export the certificate
[including all certificates in the chain option] and private keys to a .pfx
file, copy the file to the laptop, log on as that user, and then go to the
user certificate personal folder and import it. The link below explains
autoenrollment using Group Policy if you do the upgrade. --- Steve

http://www.tacteam.net/isaserverorg/exchangekit/2003autoenroll/2003autoenroll.htm

"awib" <awib@discussions.microsoft.com> wrote in message
news:39C143B9-B7BC-42A8-A232-DA15984E1DEC@microsoft.com...
> Hi Steven,
> thanks for that, after checking this am, of course I am running Server 2003
> standard.
> Can I just run past you again what I want to do.
> I want any authorised user in the active directory to be able to log over
> wireless connection to the domain via an "authorised laptop". It was my
> intention to "pre authorise" the laptop with a certificate issued by the
> certificate authority (this being the EAP-TLS bit). The authentication on the
> domain would require both the laptop's certificate and the user's domain login
> to be valid.
> I was proposing to use Radius of course to manage the certificate
> authentication to the device, and allow my users to authenticate with AD
> over the top of that. Preferably at the point of logging on to the laptop.
> For the certification service to work in this way requires Server
> Enterprise. Can I upgrade the server to the enterprise version (given that
> this is for education, the cost is not significant), and will this allow me
> to meet my objective.
> If not, can I pre-issue a certificate to the laptop as a setup process with
> server 2003 standard with GPO, if so how do I create the EAP-TLS
> certificate.
> If I can upgrade, will this require a DCPROMO back to a standalone server
> with all that entails etc.
>
> Regards
>
> Andrew
>
> "Steven L Umbach" wrote:
>
>> OK. I would suggest that when you create the new template that you might
>> want to consider that the private keys not be exportable so that they can
>> not export their certificate/private key unless there is a particular need
>> for such. Also by default you will need to have an email address in each
>> user's account properties in AD that will be included on the certificate. If
>> you do not have a need for that, you can remove that requirement from the
>> template you create also under subject name. Users on Windows 2000 computers
>> and earlier can not obtain a certificate via autoenrollment [version 1
>> computer certificates can be obtained via automatic request]. Keep in mind
>> that by default any domain user can add up to ten workstations to the domain
>> which means that a domain user could possibly join an unauthorized computer
>> to the domain and they automatically obtain certificates via autoenrollment.
>> You can mitigate that by removing authenticated users from the add
>> workstations to the domain user right in "Domain Controller" Security Policy
>> and also by not enabling autoenrollment at the domain level but at the
>> Organizational Unit instead where the computer and user accounts would need
>> to be. Permissions for autoenrollment can also be given to computers. Domain
>> computers are members of authenticated users also but you could create a
>> domain global group and add the authorized domain computers to that group
>> for autoenrollment permissions for computer certificate instead of
>> authenticated users or domain computers. The links below may be
>> helpful. --- Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>
>> "awib" <awib@discussions.microsoft.com> wrote in message
>> news:38B9BEDC-AF4F-4E78-86EC-F0C6FCAB9EAE@microsoft.com...
>> > Hi Steve, as per my reply to Mike, I will check re Enterprise.
>> > Autoenrollment is going to be something of a requirement for me as I wish
>> > to get 30 or so laptops connecting under 802.1x, with the minimum
>> > intervention by user. I do not mind setting up laptops with certificates
>> > by hooking up via ethernet, so long as I can enable my clients (school
>> > kids in this case) to logon to the network. This of course means that the
>> > laptops will need to establish a secure wireless link prior to logging on.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> As Mike indicated the CA needs to be running on Windows 2003 Server
>> >> Enterprise. If it is not you can still issue computer and user certificates
>> >> but you can not use autoenrollment. Computer certificates can be issued
>> >> automatically via Group Policy automatic request and users can request
>> >> certificates via Web Enrollment or mmc certificate snapin for users. Using
>> >> automatic request for computer certificates via Group Policy can be helpful
>> >> because otherwise a user of a computer must be a local administrator to
>> >> install a computer certificate to the computer store on their
>> >> computer. --- Steve
>> >>
>> >>
>> >> "awib" <awib@discussions.microsoft.com> wrote in message
>> >> news:4AA93246-6DF5-47BB-94A3-2F993333B1D8@microsoft.com...
>> >> > Hi, following the white paper: Windows Server 2003, "Step-by-step guide
>> >> > for setting up secure wireless access in a test lab"
>> >> > To help me setup EAP-TLS, I am following this guide.
>> >> > After creating a certificate template for wireless users by copying the
>> >> > existing User template with the "Certificate Templates" snap in,
>> >> > modifying the domain users permissions etc, I find that the template
>> >> > does not appear in the list when I use the "Certification authority"
>> >> > snap in "Action / New Certificate Template to issue", for what it
>> >> > matters, neither do a few others that were visible from the
>> >> > "Certificate templates" snap-in.
>> >> > EAP-PEAP is working fine, but I want to issue certificates to devices to
>> >> > help reduce authentication overhead on users, and improve security re
>> >> > restricting devices.
>> >> > Any ideas?
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
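
The manual "export to .pfx with the chain, copy to the laptop, import as the user" procedure from Steve's reply, written out as an added example that is not part of the thread. It uses the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate) that ship with Windows 8 / Server 2012 and later rather than the 2003-era MMC steps, and the function names, file paths and store choices are assumptions made for illustration. The import deliberately leaves the private key non-exportable on the laptop, in line with the advice in the thread, and the final check confirms the certificate has the Client Authentication EKU that EAP-TLS requires and that its chain validates on the laptop.

```powershell
# Added example (not from the thread). Paths, function names and the choice of
# the CurrentUser\My store are assumptions for illustration.

# OID of the Client Authentication EKU, which an EAP-TLS user certificate needs.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsUserCert {
    # Newest certificate in the current user's Personal store that has a
    # private key and carries the Client Authentication EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

function Export-EapTlsUserCert {
    # Run on the admin workstation after requesting the user certificate
    # with an exportable key (Web Enrollment, as in the thread).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-EapTlsUserCert
    if (-not $cert) { throw 'No client-authentication certificate with a private key found.' }
    # BuildChain writes the issuing CA certificates into the .pfx too, the
    # equivalent of the "include all certificates in the chain" MMC option.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption BuildChain | Out-Null
    $cert.Thumbprint
}

function Import-EapTlsUserCert {
    # Run while logged on to the laptop as the end user. Without -Exportable
    # the imported private key is marked non-exportable, so the user cannot
    # later copy the certificate and key to another device.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    ($imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1).Thumbprint
}

function Test-EapTlsUserCert {
    # Post-import check on the laptop: key present, right EKU, not expired,
    # and the chain that travelled in the .pfx validates on this host.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
    if (-not $cert.Verify()) { $problems += 'chain does not validate on this host' }
    if ($problems.Count -eq 0) { "OK: $($cert.Subject)" } else { "FAIL: $($problems -join '; ')" }
}

# Usage, first on the admin workstation and then on the laptop as the user:
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-EapTlsUserCert -Path 'C:\Temp\user-eaptls.pfx' -Password $pw
#   $tp = Import-EapTlsUserCert -Path 'D:\user-eaptls.pfx' -Password $pw
#   Test-EapTlsUserCert -Thumbprint $tp
```

Delete the .pfx from the removable media once Test-EapTlsUserCert reports OK; the file holds the private key and is only protected by the password you chose.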


