ADDS Web Enrollment for non-domain computers
You need to put user certificates on these machines, rather than machine accounts (if you plan to authenticate using NPS or a RADIUS server tied into AD). See my presentation at NIC 2012 on the Web for lots of details on how to do this with /CertSrv: http://vimeo.com/nicconf/review/35061729/ba68e5fcbf
Brian
January 20th, 2012 8:38pm

The best practice is to actually use both computer and user certificates. The computer initially logs on, and then when the user logs in, after GPO and login scripts are processed, the security context passes to the user. This ensures that a person logging on with a local SAM account (easy to hack) cannot connect to the wireless network after authentication.
Brian
January 21st, 2012 12:02am

You do not have to create a standalone CA. You need to start with the design phase.
- Why are you putting a certificate on the Mac (for what application)?
- What identity is to be asserted by the Mac (the user or the computer) for the application?
You start at this point. Remember that /certsrv cannot issue certificates with DNS names unless the request is submitted as a PKCS10 or CMC, because the security context used is that of a user.
Brian
February 4th, 2012 8:13am
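The PKCS#10 route Brian mentions is what a non-domain Mac or Linux workstation would use: the host generates its own key and a request that carries its DNS name as a subjectAltName, and only that request (not the web form's user context) determines the name that ends up in the certificate. The following is an added example and not code from the thread; it assumes `openssl` is installed, uses a placeholder host name, and the `submit_csr` helper assumes the form field names of the /certsrv `certfnsh.asp` page and a template that permits "supply in the request" (both assumptions, not verified here).

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#10 request that carries a
# workstation's DNS name as a SAN, for a Mac/Linux host that is not domain bound.
# Assumes openssl is installed. Host name, CA URL and template are placeholders.
set -e

# make_csr <fqdn> <outdir>
# Writes <outdir>/<fqdn>.key and <outdir>/<fqdn>.csr; prints the CSR path.
make_csr() {
    fqdn="$1"
    outdir="${2:-.}"
    mkdir -p "$outdir"
    cfg="$outdir/$fqdn.cnf"
    # The SAN is placed in a request extension, so it is part of the signed
    # PKCS#10 body the CA reads, rather than something typed into the web form.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $fqdn

[ v3_req ]
subjectAltName = DNS:$fqdn
extendedKeyUsage = clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
        -config "$cfg" 2>/dev/null
    # The private key never leaves the workstation; keep it owner-readable only.
    chmod 600 "$outdir/$fqdn.key"
    printf '%s\n' "$outdir/$fqdn.csr"
}

# csr_has_dns <csr> <fqdn>: exit 0 iff the request's SAN carries that DNS name
csr_has_dns() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_signature_ok <csr>: exit 0 iff the request's self-signature verifies,
# i.e. the body (including the SAN) was not altered after signing.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# submit_csr <csr> <ca-base-url> <template> <user>
# Posts the PEM request to /certsrv as a saved request (assumed form fields),
# authenticating as an AD user with NTLM, and prints the request ID the CA
# assigned. Not invoked below; the URL and user are placeholders.
submit_csr() {
    curl --ntlm -u "$4" -sS \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest@$1" \
        --data-urlencode "CertAttrib=CertificateTemplate:$3" \
        --data-urlencode "FriendlyType=Saved-Request Certificate" \
        --data-urlencode "TargetStoreFlags=0" \
        --data-urlencode "SaveCert=yes" \
        "$2/certsrv/certfnsh.asp" \
      | grep -o 'ReqID=[0-9]*' | head -n 1 | cut -d= -f2
}
```

Typical use on the workstation is `make_csr host01.example.test /etc/pki/local`, followed by `csr_has_dns` and `csr_signature_ok` as a sanity check before the request is handed to the CA (by `submit_csr` or by pasting the PEM into the /certsrv "Submit a certificate request" page). On the CA side, the issued certificate's subject is whatever the template builds; if the template takes the subject from AD rather than from the request, the SAN in the PKCS#10 is ignored, which is exactly the case Brian is warning about.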

Hi Brian, we are putting computer certificates on all workstations for 802.1x authentication. I am hoping I can set up web enrollment and get all the Mac and Linux users to obtain certificates this way. I am not sure if this will work if the workstations are not domain bound though.
Reena
February 4th, 2012 11:48am


Thanks Brian, I will be looking at your video :) So for the domain-bound Windows PCs, I can still use computer certificates as opposed to user ones, right?
February 4th, 2012 1:14pm

Hello. I am trying to figure out the best way to configure Certificate Web Enrollment on my 2008 R2 Enterprise CA. I need to be able to configure this one CA to a) auto-enroll domain-bound Windows machines with computer certificates, b) issue computer certificates for Macs, c) issue certificates for Linux workstations that are NOT bound to the domain. The Windows ones are easy, but for the Macs and the Linux machines, do I need to use an Authentication Type of "Client Certificate Authentication" since they aren't domain bound? Or do I need to create another standalone CA to deal with these types of machines? Suggestions?
February 4th, 2012 2:05pm

