#1
If you have two issuing CAs under the same root CA, will a client with a certificate issued from one CA be valid for use in connecting via L2TP to an RRAS server with a certificate from the other CA? If so, is there a way to prevent this?

Thanks in advance.

Chris Shaw
#2
In news:26831B08-0397-44DF-B30D-(E-Mail Removed),
Chris Shaw <(E-Mail Removed)> stated, which I commented on below:

> If you have two issuing CAs under the same root CA, will a client
> with a certificate issued from one CA be valid for use in connecting
> via L2TP to an RRAS server with a certificate from the other CA? If
> so, is there a way to prevent this?
>
> Thanks in advance.

Yes, they will be honored, and as far as I can see, no, because of the common trusted CA Root.

You can possibly use autoenrollment and make multiple certs for specific users that you can control when you create a certificate template and apply permissions based on groups on who is allowed to use the cert, along with RRAS/RADIUS permissions. Here are some links that may help to understand how to implement this. Keep in mind, for autoenrollment certs, the issuing CA (not necessarily the CA Root) must be at least Enterprise Edition.

Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/pro.../autoenro.mspx

Selecting Certificate Templates Public Key (need Enterprise to make autoenrollment work):
http://www.microsoft.com/technet/pro...0d0ef4e9a.mspx

Configure a certificate template for client autoenrollment:
http://technet2.microsoft.com/Window...00a8e1033.mspx

Problems Installing Certificate Services After You Apply the Q323172 Patch:
http://support.microsoft.com/default...b;en-us;328595

Certificate Services Operations Guide - Certificate Services Operations:
http://www.microsoft.com/technet/its...tSevcOG_2.mspx

The Secure Access Using Smart Cards Planning Guide - Chapter 3 - Using Smart Cards to Help Secure Administrator Accounts:
http://www.microsoft.com/technet/sec.../scpgch03.mspx

If you like, post this question to the microsoft.public.security.crypto newsgroup. Those guys do it every day there and I'm sure you'll get better help.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post? Instead of the website you're using, I suggest using OEx (Outlook Express or any other newsreader) and configuring a news account pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP Usenet account. OEx allows you to easily find and track threads, cross-post, and sort by date, poster's name, watched threads or subject.

It's easy: How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."
The only constant in life is change...
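As an added illustration, not part of Ace's reply or of the thread, the openssl script below builds the hierarchy the question describes (one root, two issuing CAs, a client cert from CA1 and a server cert from CA2) and checks which certificates a verifier accepts depending on where it anchors trust. It assumes the openssl CLI is installed; every CA name and file name is constructed for the example.

```shell
#!/bin/sh
# Added demonstration (not from the thread): one root CA with two issuing CAs
# under it, a client cert from CA1 and an RRAS-style server cert from CA2.
# Requires the openssl CLI; every name and file here is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# Self-signed root: the single trust anchor both issuing CAs chain up to.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# issue NAME ISSUER EXTFILE: new key and CSR for NAME, signed by ISSUER.pem/.key.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=Example $1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 30 -extfile "$3" 2>/dev/null
}
issue ca1 root ca.ext       # issuing CA 1
issue ca2 root ca.ext       # issuing CA 2
issue client ca1 leaf.ext   # VPN client cert, issued by CA1
issue server ca2 leaf.ext   # RRAS server cert, issued by CA2

# trusts ANCHOR LEAF HELPER: does LEAF validate when ANCHOR is the only trusted
# cert? HELPER is the untrusted intermediate a peer would send with its leaf.
# -partial_chain lets an issuing CA (not only a root) serve as the anchor.
trusts() {
  openssl verify -partial_chain -CAfile "$1.pem" -untrusted "$3.pem" "$2.pem" \
    >/dev/null 2>&1
}

# With the shared root as anchor, leaves from either issuing CA are accepted:
# this is the "yes, they will be honored" from the reply.
trusts root client ca1 && echo "root anchor: client cert from CA1 accepted"
trusts root server ca2 && echo "root anchor: server cert from CA2 accepted"
# Telling the two apart would require anchoring trust at one issuing CA itself.
trusts ca1 client ca1 && echo "CA1 anchor: client cert from CA1 accepted"
trusts ca2 client ca1 || echo "CA2 anchor: client cert from CA1 rejected"
```

The last two checks show why the reply says the root-level trust alone cannot separate the two issuing CAs: only a verifier whose trust anchor is the individual issuing CA distinguishes them, which is what pushes the reply toward template permissions and RRAS/RADIUS policy instead.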
Tags: authorities, certificate, l2tp, rras