#1

Hi Folks.

In our AD we have 2 domain controllers (PDC & BDC), both running 2003 Standard Edition. We want to deploy a secure wireless network using certificates for users and computers. The problem is that when I try to issue a user certificate (CA installed on the PDC), it always shows the Administrator as the user. I have read tons of documents regarding this subject, but most of them talk about autoenrollment in a 2003 server Enterprise Edition. Is it possible to implement EAP-TLS authentication in a 2003 Standard Edition?

Thanks in advance.

Regards,

Alvaro Motta

#2

Hi Alvaro,

Windows Server 2003 Standard Edition does not issue version 2 certificate templates, which are required to autoenroll certificates. You need to either use the certificates snap-in, or web enrollment to request a certificate. You will need to request the certificate on the client using the certificate request wizard or web enrollment, and (depending on user rights) approve the certificate to be issued on the CA using the certificate authority snap-in. See the link below for instructions on how to use the certificate request wizard and web enrollment.

http://support.microsoft.com/kb/895433/en-us

I hope this helps!

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

#3

Hi Greg, thanks for your reply.

I already have the whole thing in place.

I was goofing, since I was requesting the certificate logged in as Administrator. I only realized that when I tried the request using the snap-in.

Once again, thanks for your time and have a good one.

#4

Cool, I'm glad you figured it out =)

--
Greg Lindsay [MSFT]

#5

Hi Greg.

I have a few additional questions, that I hope you don't mind answering.

1 - Every 3 minutes there is an entry in system log (source IAS) stating that the user has been granted access. Where do I need to modify in order to avoid this re-authentication or where to configure the re-authentication interval? Don't know even if it's possible.

2 - When I reboot the wireless client (or even when the wireless user logs off), an entry is written to system log (source IAS) stating: the user attempted to use an authentication method that is not enabled on the matching remote access policy. Any idea on how to get rid of this one?

3 - Even after modifying the ValidityPeriodUnits of the certificates (through regedit), the user and the computer certificates are issued with a validity period of one year (I know that this 1 year is the default value). Is there any other way around in order to have the certificates generated with longer validity periods?

Hope I am not bothering you too much.

Thanks for your time.

Regards,

AL

#6

1) The re-authentication is probably happening on your wireless AP. Check for a setting there.

2) I'm just guessing here, but make sure your IAS policy allows Domain computers as well as Domain users.

3) After you modify the validity period, particularly if you did it with registry settings, you need to restart the CA. Did you do this?

I hope this helps.

--
Greg Lindsay [MSFT]

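Added example, not written by anyone in the thread: a PowerShell sketch of point 3 above that sets the CA validity values with `certutil`, restarts Certificate Services, and then checks what the CA actually issues. The two-year value and the `C:\temp\newly-issued.cer` path are constructed placeholders; it assumes an elevated session on the CA server.

```powershell
# Added example. Assumptions: elevated session on the CA server, certutil.exe
# on PATH, service name CertSvc. $Units and $NewCertPath are placeholders.
param(
    [int]$Units = 2,                                   # constructed sample value
    [string]$Period = 'Years',
    [string]$NewCertPath = 'C:\temp\newly-issued.cer'  # hypothetical path
)

# The CA's settings live under a subkey named after the active CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active
$caKey  = Join-Path $cfg $caName

# 1. Record the current values, then write the new ones.
$before = Get-ItemProperty $caKey
"Before: {0} {1}" -f $before.ValidityPeriodUnits, $before.ValidityPeriod
certutil -setreg CA\ValidityPeriod $Period | Out-Null
certutil -setreg CA\ValidityPeriodUnits $Units | Out-Null

# 2. Restart the CA, as advised in the reply above.
Restart-Service CertSvc

# 3. Confirm the registry now holds the new values.
$after = Get-ItemProperty $caKey
"After:  {0} {1}" -f $after.ValidityPeriodUnits, $after.ValidityPeriod

# 4. A CA does not issue certificates that outlive its own certificate,
#    so export the CA certificate and note its expiry as an upper bound.
$caCertFile = Join-Path $env:TEMP 'ca.cer'
certutil -f -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
"CA certificate expires: {0}" -f $caCert.NotAfter

# 5. Inspect a certificate requested AFTER the restart. Certificates issued
#    earlier keep their original validity; on an enterprise CA the template's
#    own validity period also applies.
if (Test-Path $NewCertPath) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewCertPath
    $days = ($c.NotAfter - $c.NotBefore).Days
    "Issued to {0}: valid {1} days, until {2}" -f $c.Subject, $days, $c.NotAfter
    if ($c.NotAfter -gt $caCert.NotAfter) {
        Write-Warning 'Certificate outlives the CA certificate; check the file.'
    }
} else {
    Write-Warning "No certificate at $NewCertPath; request one and re-run."
}
```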
Tags: authentication, eaptls, edition, standard, win2003