Re: Wireless PKI for external users

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 07/06/05


Date: Wed, 6 Jul 2005 22:06:57 +1000

You create accounts in the AD for them then. Is that a huge issue? I don't
think so.

In fact, the problem isn't that the certificate is associated with an AD
account - you can create a user cert without such association, using a Web
form on a stand-alone CA being the easiest way - but the way IAS,
Microsoft's RADIUS implementation, handles EAP for wireless. I believe you
can use another RADIUS server to handle certificate authentication
differently. But I don't see a huge issue using AD - all controls in one
directory, which is good.

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"jaff" <jaff@discussions.microsoft.com> wrote in message
news:5B06378F-5C6A-40B8-B3AA-BD96A7DAF05A@microsoft.com...
> I think so. I don't find the way to create a certificate with Windows 2003
> that isn't associated with a domain account.
> So, how can I give certificates and validate these external users?
>
> "Mark Gamache" wrote:
>
> > I believe that the cert. must also be associated with a valid domain account
> > for IAS to process the remote access policy.
> >
> > -- 
> > Mark Gamache
> > Certified Security Solutions
> > http://www.css-security.com
> >
> >
> >
> > "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> > news:O$1MUtVgFHA.3868@TK2MSFTNGP14.phx.gbl...
> > > Yes, you can use Windows 2003 PKI for any kind of client supporting
> > > standard file formats. The easiest way to ship the cert to a non-domain
> > > user would be to ship a PKCS #12 (.p12/.pfx) file containing the private
> > > key and the cert - enroll marking private keys exportable, install the
> > > cert and export. Note that the external users must trust your CA.
> > >
> > > -- 
> > > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > > -= F1 is the key =-
> > >
> > > "jaff" <jaff@discussions.microsoft.com> wrote in message
> > > news:4066EB2E-1727-4DC8-9A0D-8D18BF5215BC@microsoft.com...
> > >> Can I use Windows 2003 PKI for non-domain users? Can I obtain a certificate
> > >> for a non-domain user through Windows 2003 PKI?
> > >> How can I connect securely external users to my wireless network?
> > >> Thanks
> > >
> > >
> >
> >
> >

