Re: standalone CA customized certificate



Hi Brian ,


I think basically I want to know what the fields of my certificate should be
if I want to add hardware information.

Please suggest how an X.509 certificate should look.

What should be in the

Subject Name
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
OID of my certificate (should it be a new OID)
subject alternative name


Regards,
Sunil

"Sunil Virmani" wrote:

Hi Brian,

Well, at the backend Windows XP SP2 is running the Windows Terminal Services. I
think it is not possible for me to use TLS.

Well, I am still confused about the extensions that can be added in the X.509
certificate. Can you please provide me some URL for the extensions of the X.509
certificate?

Basically I want to implement some kind of architecture like Windows
Rights Management Services. They also create the machine certificate, but I
don't know what all is available in the machine certificate.

Do you have an idea of what kind of machine certificate is available in Windows
RMS?


Rgds,
Sunil

"Brian Komar [MVP]" wrote:

Due to custom software, I will not be able to help you
at all with your management server. That is entirely in
your court... More inline.

In article <840D7B7C-33FD-4A07-96BD-3B92DF678CC2
@microsoft.com>, Sunil@xxxxxxxxxxxxxxxxxxxxxxxxx says...

Brian,

Thanks for your comments.

Please find the replies and some questions.

Who wrote this management server? This is the key to
whether your application would work. I know of no
management server software that does what you want with
certs today.

1. The Mgmt Server is self-developed; apart from this authentication it does
many more things.

This is not the way VPC would work. You would only be
connecting to the VPC agent using the RDP port? If you
are using this, the only attribute of the certificate
that is looked at is the EKU attribute and it must have
the Client Authentication OID. In addition, the RDP
client is hard coded to *only* look for smart card-based
client authentication certs, definitely not machine
certs....

2. VPC Agent is some kind of firewall. The only way to connect from thin
terminals is using RDP. By default VPC Agent keeps the RDP port closed.

I assumed you were talking about Microsoft Virtual PC. I
have no idea what you are talking about here.

You are reinventing the wheel. The RDP connection can
use TLS to encrypt the information. You have the key
exchange backwards. When you connect to a server, you
validate the server certificate. The server certificate
is used to protect a symmetric key that is used to
encrypt any data. A client machine certificate is never
used to protect data. It is the responsibility of the
server cert.


3. Is it possible to use TLS in Windows XP Terminal Services?

You can if you use Windows Server 2003 with SP1 or R2 on
the back end. You can enable SSL (actually TLS) in the
properties of the RDP connection.
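
The two questions the thread keeps circling back to are what fields a machine certificate that carries hardware information would contain (Subject, SAN, EKU, a private OID) and what a client-authentication verifier like the RDP client actually inspects, which Brian says is only the EKU. The block below is an added example written for this page; it is not code from Sunil, Brian or any Microsoft product. It assumes the third-party Python `cryptography` package, a placeholder enterprise OID arc (1.3.6.1.4.1.99999 is not a registered Private Enterprise Number) and constructed names such as "node01.example.lab" and "Example Lab". It builds a self-signed certificate with those fields, puts the hardware string in a non-critical private extension encoded as a DER UTF8String, and then applies the checks a verifier would: EKU contains id-kp-clientAuth, and no critical extension is unknown.

```python
"""Added example (not from the newsgroup thread): the fields of a machine
certificate that carries hardware information, plus the checks a generic
client-authentication verifier applies to it.
Requires the third-party 'cryptography' package (pip install cryptography)."""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Assumption: a private extension OID belongs under your own IANA Private
# Enterprise Number (1.3.6.1.4.1.<PEN>.*). 99999 is a placeholder, not a
# registered PEN; replace it before use.
HARDWARE_INFO_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")


def der_utf8string(text: str) -> bytes:
    """Encode text as a DER UTF8String (tag 0x0C, short-form length).
    An extension's extnValue must itself be DER, never raw bytes."""
    body = text.encode("utf-8")
    if len(body) >= 128:
        raise ValueError("short-form DER length only; keep hardware info brief")
    return b"\x0c" + bytes([len(body)]) + body


def der_utf8string_decode(data: bytes) -> str:
    """Inverse of der_utf8string; rejects anything that is not a UTF8String."""
    if len(data) < 2 or data[0] != 0x0C or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER UTF8String")
    return data[2:].decode("utf-8")


def build_machine_cert(hostname: str, hardware_info: str):
    """Self-signed machine certificate with Subject/Issuer name, SAN,
    EKU (clientAuth) and a private hardware-information extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, hostname),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Lab"),  # constructed
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed, so issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]),
                       critical=False)
        # The EKU is the one attribute the RDP client looks at.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                       critical=False)
        # Private data goes in a NON-critical extension: RFC 5280 requires a
        # verifier to reject a certificate with a critical extension it does
        # not understand, so a critical one would break every existing client.
        .add_extension(x509.UnrecognizedExtension(HARDWARE_INFO_OID,
                                                  der_utf8string(hardware_info)),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def has_client_auth_eku(cert: x509.Certificate) -> bool:
    """EKU present and containing id-kp-clientAuth (1.3.6.1.5.5.7.3.2)."""
    try:
        eku = cert.extensions.get_extension_for_oid(
            ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku


def unknown_critical_extensions(cert: x509.Certificate) -> list:
    """Dotted OIDs of critical extensions this verifier does not understand;
    a conforming verifier must reject the cert if the list is non-empty."""
    known = {ExtensionOID.SUBJECT_ALTERNATIVE_NAME, ExtensionOID.EXTENDED_KEY_USAGE,
             ExtensionOID.BASIC_CONSTRAINTS, ExtensionOID.KEY_USAGE}
    return [e.oid.dotted_string for e in cert.extensions
            if e.critical and e.oid not in known]


def hardware_info(cert: x509.Certificate) -> Optional[str]:
    """Read back the private extension; None if the cert does not carry it."""
    try:
        raw = cert.extensions.get_extension_for_oid(HARDWARE_INFO_OID).value.value
    except x509.ExtensionNotFound:
        return None
    return der_utf8string_decode(raw)


if __name__ == "__main__":
    c, _ = build_machine_cert("node01.example.lab", "serial=SN-0001;tpm=yes")
    print(c.subject.rfc4514_string(), has_client_auth_eku(c),
          hardware_info(c), unknown_critical_extensions(c))
```

The design point is the one Brian makes: the hardware data rides along in the certificate, but nothing in the RDP or TLS path reads it, so the management server that issues and later inspects these certificates has to be the component that consumes the private extension, and the certificate must still satisfy the standard checks (EKU, no unknown critical extensions) to get through the existing client at all.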
