Re: Creating 802.1X Workstation Authentication Certificates for NON-domain XP/W2KSP4 c
James McIllece [MS]




 
10-16-04 02:25 AM

Shaun Ryan <msforums@email.shaunryan.com> wrote in
news:#3YitDHsEHA.2512@TK2MSFTNGP11.phx.gbl:

> Hi all,
>
> Our infrastructure performs "wired" 802.1X machine authentication for
> Windows XP domain-based clients via IAS. We are using a Windows Server
> 2003 environment with an Enterprise Online Issuing CA issuing V2
> Workstation Authentication certificates to clients via autoenrollment.
>
> In the above scenario, all is fine.
>
> However, we also want to perform machine-based authentication using the
> same infrastructure for non-domain based Windows XP and W2K (SP4)
> clients. Obviously, they are unable to take part in the autoenrollment
> process, nor do they have accounts in Active Directory for assignment to
> IAS RADIUS Policies or Certificate Templates.
>
> So, what is the best way to get certificates to these clients? We can't
> use Web Enrollment as there is no way for the clients to authenticate to
> the service using machine credentials.
>
> The solution I am testing is:
>
> 1. Create a new V2 Machine Authentication certificate that is modified
> to build the certificate from information supplied in the request, as
> opposed to AD
> 2. Create a dummy computer account in AD. e.g., XPTest
> 3. Add that account to the appropriate security groups for IAS RAS
> Policies and to enrol for the certificate template created above
> 4. Run a script on the CA that, using a pre-prepared request input file,
> submits and generates (using certreq) a certificate with information
> that can add a Subject Alternate Name with the correct dnsHostName
> (e.g., xptest.xp.com) and gives it the correct Subject Name
> 5. Install that certificate into the local machine store on the XPTest
> client and configure the network adapter for 802.1X
> 7. Set the AuthMode registry setting to 2 for Machine Authentication.
>
> Now, in theory (my theory, that is), that should work. However, the XP
> client states that it cannot find a certificate to authenticate with.
> After turning on tracing, it appears that it cannot match the
> certificate to the machine, even though they are both called XPTest. I
> have also tried many variations of these fields.
>
> Does anyone have any ideas? Or any other pointers that would help me out!
>
> Many thanks in advance
> Shaun.
>
> PS. I have read all applicable MS literature on the subject.
>

Please review the minimum client cert requirements in the Help topic
"Network access authentication and certificates" in Windows Server 2003 IAS
or VPN Help, or on the web at
http://www.microsoft.com/resources/.../2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
There is a possibility your cert doesn't meet these requirements.

In addition, the topic contains a fair amount of information about how to
enroll certs.

--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
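
As an added illustration (not part of either post, and not Microsoft's code), this Windows PowerShell check reports the certificate properties that EAP-TLS machine authentication depends on: a private key, a current validity period, the Client Authentication EKU, a SAN DNS name equal to the machine's FQDN, and a chain to a trusted root. The function name `Test-MachineAuthCert` is hypothetical, `xptest.xp.com` is the sample name from the question, and the authoritative list of requirements remains the Help topic cited in the reply.

```powershell
# Added example: report the fields a machine certificate needs for EAP-TLS.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-MachineAuthCert {        # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedFqdn   # e.g. xptest.xp.com
    )
    # EKU: true only when the EKU extension lists Client Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $ClientAuthOid })

    # SAN: Format($true) renders one "DNS Name=host" entry per line on
    # English Windows (assumption: other UI languages localize the label).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $dnsNames = [regex]::Matches($sanText, 'DNS Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    # Chain: skip revocation so an unreachable CRL does not mask a trust failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey
        InValidity     = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ClientAuthEku  = $clientAuth
        SanDnsNames    = $dnsNames -join ', '
        SanMatchesFqdn = ($dnsNames -contains $ExpectedFqdn)   # case-insensitive
        ChainTrusted   = $chainOk
    }
}

# Check every certificate in the computer store against the name from the post.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineAuthCert -Cert $_ -ExpectedFqdn 'xptest.xp.com' } |
    Format-List
```

This needs Windows PowerShell 3.0 or later. Any `False` in the output marks a property to compare against the requirements in the cited Help topic before troubleshooting the 802.1X supplicant itself.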




