ADDS Web Enrollment for non-domain computers
You do not have to create a standalone CA. You need to start with the design phase.
- Why are you putting a certificate on the Mac (for what application)?
- What identity is to be asserted by the Mac (the user or the computer) for the application?
You start at this point.
Remember that /certsrv cannot issue certificates with DNS names unless the request is submitted as a PKCS #10 or CMC, because the security context used is that of a user.
Brian
February 4th, 2012 8:13am
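As an added example (not from the thread or from Microsoft), the following script shows what Brian's PKCS #10 remark means in practice on a non-domain Mac or Linux workstation: the DNS name has to be put into the request itself, because the /certsrv page runs under the submitting user's identity and will not add it for you. It builds a key and a CSR with OpenSSL, puts the host name in the Subject Alternative Name, and checks the CSR before it is pasted into the advanced (base-64 CMC/PKCS #10) request page of /certsrv. The host name and working directory are constructed placeholders, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a PKCS #10 request that
# carries the workstation's DNS name in its SAN, for submission through /certsrv.
set -e

# Write an OpenSSL request config asking for a DNS SAN.
# $1 = config path, $2 = DNS name of the workstation (constructed value)
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $2

[ v3_req ]
subjectAltName = DNS:$2
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Generate a private key and a PKCS #10 CSR from that config; print the CSR path.
# $1 = working directory, $2 = DNS name
make_csr() {
    write_req_config "$1/req.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/workstation.key" -out "$1/workstation.csr" \
        -config "$1/req.cnf" >/dev/null 2>&1
    echo "$1/workstation.csr"
}

# Check that the CSR really carries the expected DNS SAN before it is submitted.
# $1 = CSR path, $2 = expected DNS name; prints "yes" or "no".
csr_has_dns_san() {
    if openssl req -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone usage with a constructed host name and a temporary directory.
dir=$(mktemp -d)
csr=$(make_csr "$dir" "mac01.corp.example")
echo "CSR written to $csr; DNS SAN present: $(csr_has_dns_san "$csr" mac01.corp.example)"
```

The CSR is then pasted into the /certsrv advanced request page (submit a base-64-encoded CMC or PKCS #10 file); the issued certificate, with the private key kept on the workstation, is what the 802.1X supplicant presents to NPS. Because the SAN is part of the signed request, the name the CA issues is the one you put there, not one derived from the browser user's account.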
Hi Brian,
We are putting computer certificates on all workstations for 802.1x authentication. I am hoping I can set up web enrollment and get all the Mac and Linux users to obtain certificates this way. I am not sure if this will work if the workstations are not domain-bound though.
Reena
February 4th, 2012 11:48am
You need to put user certificates on these machines, rather than machine accounts (if you plan to authenticate using NPS or a RADIUS server tied into AD).
See my presentation at NIC 2012 on the Web for lots of details on how to do this with /certsrv:
http://vimeo.com/nicconf/review/35061729/ba68e5fcbf
Brian
February 4th, 2012 12:46pm
Thanks Brian, I will be looking at your video :) So for the domain-bound Windows PCs, I can still use computer certificates as opposed to user ones, right?
February 4th, 2012 1:14pm
Hello. I am trying to figure out the best way to configure Certificate Web Enrollment on my 2008 R2 Enterprise CA. I need to be able to configure this one CA to a) auto-enroll domain-bound Windows machines with computer certificates, b) issue computer certificates for Macs, and c) issue certificates for Linux workstations that are NOT bound to the domain.
The Windows ones are easy, but for the Macs and the Linux machines, do I need to use an Authentication Type of "Client Certificate Authentication" since they aren't domain-bound? Or do I need to create another standalone CA to deal with these types of machines?
Suggestions?
February 4th, 2012 2:05pm
The best practice is to actually use both computer and user certificates. The computer initially logs on, and then when the user logs in, after GPO and login scripts are processed, the security context passes to the user.
This ensures that a person logging on with a local SAM account (easy to hack) cannot connect to the wireless network after authentication.
Brian
February 4th, 2012 4:10pm