Using machine cert for 2nd factor VPN authentication as a normal u



We want to use the machine certificate as the second factor for VPN
authentication with our Anira solution, but are having a problem with the
NTFS permissions of the certificate.

Our users are not local administrators on their workstations, and since the
machine certificates don't inherit permissions from the parent folder, the
user doesn't have read access to the machine certificate. Changing the
permissions is easy enough with an SMS package, but with about 20 machines
renewing their certificates a day, this is not a workable solution.

Is there a way to change the default permissions of an autoenrolled machine
certificate? This way the users will have read access, and thus the ANIRA VPN
client will be able to access the certificate when launched as a regular user.

Please advise.
Thanks
Ben