EAP-TLS with IAS Issue

    EAP-TLS with IAS Issue  
Wireless in Southern Indiana




 
10-16-04 02:25 AM

I have EAP-TLS configured and working with user certificates.  I want to
instead use Machine certificates because I don't want my users to be able to
export their user certificate to another machine.  When I delete my user
certificate from the local user store and have a machine certificate only in
the local computer store, it tells me that "Windows was unable to find a
certificate to log you on to the network".  How do I configure EAP-TLS to use
Computer Certificates instead of user certificates?  I am using XP w/ SP1 on
the client side.  Cisco Aironet 1200's as the AP's and IAS for the radius
piece.  I also have a certificate server setup via Microsoft as well.








    Re: EAP-TLS with IAS Issue  
Thomas K




 
10-16-04 02:25 AM

The problem occurs because when a user is logged on, XP will by default
attempt to use a user certificate (a certificate located in the user portion
of the registry) & not a computer certificate. You can change this (make XP
attempt to authenticate using a computer certificate when a user is logged
on) using a registry hack:
-    HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
set to 3

-    HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
set to 2

& then restart WZCSVC

Cheers,

T

"Wireless in Southern Indiana" <Wireless in Southern
Indiana@discussions.microsoft.com> wrote in message
news:1DE95CC7-65D6-4E48-9F1C-3D89686C5CA0@microsoft.com...
> I have EAP-TLS configured and working with user certificates.  I want to
> instead use Machine certificates because I don't want my users to be able
> to export their user certificate to another machine.  When I delete my user
> certificate from the local user store and have a machine certificate only
> in the local computer store, it tells me that "Windows was unable to find a
> certificate to log you on to the network".  How do I configure EAP-TLS to
> use Computer Certificates instead of user certificates?  I am using XP w/
> SP1 on the client side.  cisco Aironet 1200's as the AP's and IAS for the
> radius piece.  I also have a certificate server setup via Microsoft as well.










    Re: EAP-TLS with IAS Issue  
James McIllece [MS]




 
10-16-04 02:25 AM

"Wireless in Southern Indiana" <Wireless in
Southern Indiana@discussions.microsoft.com> wrote in
news:1DE95CC7-65D6-4E48-9F1C-3D89686C5CA0@microsoft.com:

> I have EAP-TLS configured and working with user certificates.  I want
> to instead use Machine certificates because I don't want my users to
> be able to export their user certificate to another machine.  When I
> delete my user certificate from the local user store and have a
> machine certificate only in the local computer store, it tells me that
> "Windows was unable to find a certificate to log you on to the
> network".  How do I configure EAP-TLS to use Computer Certificates
> instead of user certificates?  I am using XP w/ SP1 on the client
> side.  cisco Aironet 1200's as the AP's and IAS for the radius piece.
> I also have a certificate server setup via Microsoft as well.

All you have to do to prevent users from exporting certificates is change
the certificate template setting for "Allow private key to be exported."
When this option is specified, the subject's private key can be exported for
backup or transportation -- so disable this option in the cert template and
they can't export the key.

See "Implementing and Administering Certificate Templates in Windows Server
2003" for full info at
http://www.microsoft.com/technet/pr...03/technologies/security/ws03crtm.mspx


--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
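
An audit for the template setting discussed in the reply above, as an added PowerShell example (not part of the original posts; it assumes a Windows host with PowerShell 3.0 or later, and the function names are hypothetical). It lists certificates usable for client authentication in the machine and user stores and reports whether each private key is flagged exportable.

```powershell
# Added example: report client-authentication certificates and whether the
# private key is flagged exportable. Run elevated to read machine-store keys.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-KeyExportability {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        $key = $Cert.PrivateKey
        # Only legacy CSP-backed keys expose the exportable flag this way
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            if ($key.CspKeyContainerInfo.Exportable) { return 'Exportable' }
            return 'NotExportable'
        }
    } catch {
        # Key not readable by this account, or provider not supported here
    }
    return 'Unknown'   # e.g. a CNG-backed key: verify with other tooling
}

function Get-ClientAuthCertReport {
    param([string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            # A certificate with no EKU extension is valid for all purposes
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($eku -and ($oids -notcontains $ClientAuthOid)) { continue }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                PrivateKey = Get-KeyExportability -Cert $cert
            }
        }
    }
}

Get-ClientAuthCertReport | Sort-Object Store, PrivateKey | Format-Table -AutoSize
```

Certificates issued before the template was changed keep their original flag, so rows reported as `Exportable` need to be reissued from the updated template.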







