How to determine if a workstation is using a certificate when accessing a Domain Controller

    Question

  • Hello All!

    I'm new to PKI and I've been tasked with setting up PKI in an environment for only Workstation and Server encryption currently; it will then eventually be rolled out to WiFi/VPN/users and email.

    We currently have a Server 2008 test environment with ADCS installed. I have an offline RootCA and an IssuingCA set up and it all seems to work. I've given a certificate to the Domain Controller as well as a test Win7 machine. All seems to be correct... But how can I verify that it's actually using the cert?

    I figured that if I created a 2nd workstation and did NOT give it a cert, it would not authenticate to the DC and not be able to access any file shares...

    I've been trying to find good guides on how to deploy PKI past the initial setup. If anyone has any real world guides on what to expect or do after the initial setup that would be great. I'm also looking for decent books if anyone has suggestions that would be great as well.

    Thanks for the help!

    Friday, October 11, 2013 6:56 PM


All replies

  • A workstation is not going to use a certificate to authenticate to a domain controller just because you install a certificate on both systems. That's not how workstation authentication works. Same with user auth, just because you give a user a certificate doesn't mean they are going to use that certificate to auth to a DC, unless of course it is a smart card certificate and you require smart cards for logon.

    Friday, October 11, 2013 7:03 PM
  • Thanks for the quick reply... But can you elaborate then on how I get servers/workstations to use a certificate?

    Like I stated, I am NEW to PKI. I've read the guide on how to implement the two-tier approach and I've looked online, but no one explains how to do anything beyond just a setup.

    Friday, October 11, 2013 7:21 PM
  • Thanks, like every internet troll you post a sarcastic response with no valuable information and then don't even elaborate on your explanation; you just expect everyone to be at the same knowledge level as yourself....

    Guess I'll forget using M$ forums, nothing but arrogant geeks.

    Friday, October 11, 2013 8:00 PM
  • I know that you are new to PKI, you stated that in your original post, no need to repeat it.

    You're missing the point that a PKI is an infrastructure for the deployment and management of X.509 certificates. There are literally thousands of applications, services, and devices that can, and do, use certificates. That is the reason you don't see any documentation that covers both the PKI and the application side of things. For any specific application that is going to use certificates, you need to consult the application documentation. So, in this case, you need to understand how a workstation authenticates with Active Directory and that is covered in AD documentation which can be found on TechNet.

    Friday, October 11, 2013 8:37 PM
  • There was absolutely no call for that kind of response.

    Friday, October 11, 2013 8:40 PM
  • First, where did you find a sarcastic response from Paul? He answered you correctly. As Paul already said, computers are not using certificates when authenticating to DCs; they use Kerberos. PKI is an infrastructure service, therefore you use it when you need it. For example, if you need to implement a secure web site, you should use the appropriate guide to configure the web site to use SSL. If you need to implement smart cards, use the appropriate guide to implement a smart card infrastructure.

    In other words, your last response was completely inappropriate.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Saturday, October 12, 2013 12:08 PM
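    As an added illustration of the point made in the two replies above (it is not code from this thread): a PowerShell check, run on the domain controller, that reads the Kerberos TGT-request audit events (Security event 4768) and reports, for one account, whether each request was pre-authenticated with a certificate (PKINIT) or with the account's password/machine secret. It assumes Kerberos Authentication Service auditing is enabled, read access to the Security log, and PowerShell 3 or later; the account name WIN7TEST$ is a placeholder, and the field names and pre-authentication type codes are the ones documented for event 4768.

```powershell
# Added example, not from the thread. Run on a DC; summarises which
# pre-authentication method each Kerberos TGT request (event 4768) used.
param(
    [string]$Account   = 'WIN7TEST$',   # placeholder: workstation's computer account
    [int]   $MaxEvents = 200
)

# Pre-authentication types as documented for event 4768.
# 2 is the normal encrypted-timestamp exchange (password or machine secret);
# 15/16/17 are the PKINIT exchanges, i.e. a certificate was actually used.
$preAuthNames = @{
    2  = 'PA-ENC-TIMESTAMP (password / machine secret)'
    15 = 'PA-PK-AS-REP_OLD (certificate, smart card)'
    16 = 'PA-PK-AS-REQ (certificate)'
    17 = 'PA-PK-AS-REP (certificate)'
}

function Get-TgtRequestSummary {
    param([string]$Account, [int]$MaxEvents)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.TargetUserName -ne $Account) { continue }

        # Failed requests can carry '-' instead of a number; treat that as 0.
        $type = 0
        [void][int]::TryParse($data.PreAuthType, [ref]$type)

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data.TargetUserName
            ClientIP    = $data.IpAddress
            PreAuthType = $type
            Method      = if ($preAuthNames.ContainsKey($type)) { $preAuthNames[$type] } else { "other ($type)" }
            UsedCert    = @(15, 16, 17) -contains $type
            CertIssuer  = $data.CertIssuerName   # populated only for PKINIT
            CertThumb   = $data.CertThumbprint
        }
    }
}

Get-TgtRequestSummary -Account $Account -MaxEvents $MaxEvents | Format-Table -AutoSize
```

    For the test workstation in the question, expect PreAuthType 2 and empty certificate columns: the computer certificate sits in the machine store, but Kerberos computer authentication does not use it.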
  • Hi Joe,

    Thank you for your post.

    I understand your confusion since you just started to learn PKI.

    In Microsoft Forums, the people who reply posts are trying to help people out sincerely. If the replies are too technical or not very useful, I am sure that they mean well.

    Learning a new technology is a complicated task for all of us; I suggest you find a mentor to guide you in the study process.

    Please feel free to ask us if there are any issues in the future, we will try our best to help you.

    Thank you for your understanding and support.

    Best Regards,

    Amy Wang


    Tuesday, October 15, 2013 1:54 AM
    Moderator