Win 2008 R2 CA - Publish default Computer Cert in Domain

    Question

  • Hello,

    On a Windows 2008 R2 Ent CA is it possible to publish the Computer (machine) certificate to Active Directory so it can be used in binary comparison for wireless EAP-TLS machine authentication?
    Currently the machine authentication for certificate (EAP-TLS) is failing: Binary comparison of certificates failed.

    The PCs can authenticate via user certificate but would also like to have the machine cert used for machine authentication pre-logon too.

    Below is the path in GPO used to push the machine cert out to hosts via Group Policy and all machines do get the machine$ cert in the local computer store.
    Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings >
    Right Click and select new Certificate Request Setup Wizard > from here there are default options which list the Computer template.
    I am unable to have a different template here for the Certificate Request Setup Wizard to push out to domain PCs.

    Under Certificate Templates > right Computer template, all options are greyed out.  The checkbox Publish in Active Directory is greyed out and unable to find a method to publish a different computer certificate to be used to push out via Certificate Request Setup Wizard in GPO.

    Thank you.

    Friday, 30 March 2012 4:19

Answers

  • Generally speaking, you do not need to publish authentication only certificates because the authentication process is going to validate the certificate and automatically map the certificate to a valid user account based on the attributes found in the certificate used during the authentication process. If manual certificate mapping is required, you then need to configure X509 Name Mapping.

    EAP-TLS does not require/use binary certificate comparison unless you have some very special EAP-TLS implementation? What Radius/authentication server are you using?

    The Automatic Certificate Request setting using GPO is a legacy method used to support certificate services environments that are restricted to v1 certificate templates like Windows 2000 or 2003 standard edition server. As you already have a 2008 R2 Ent CA you can use version 2 certificate templates together with certificate Auto Enrollment to distribute certificates to clients.

    Using v2 certificate templates gives you the possibility to customize the template information.

    Read more about:

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS http://support.microsoft.com/kb/814394

    Certificate Template Versions http://technet.microsoft.com/en-us/library/cc725838.aspx  

    How Autoenrollment Works http://technet.microsoft.com/en-us/library/cc787781(WS.10).aspx 

    Configuring certificate autoenrollment http://technet.microsoft.com/en-us/library/cc773385(WS.10).aspx 

    /Hasain


    Saturday, 31 March 2012 9:27
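An added example, not part of Hasain's reply or anything the thread posted: a PowerShell check run on a domain-joined client that reports the machine autoenrollment policy state and, for each certificate with a private key in the local computer store, which template issued it and whether it meets the EAP-TLS client certificate requirements described in KB814394 (Client Authentication EKU, the client's FQDN in the Subject Alternative Name). It assumes PowerShell 2.0 or later (Windows 7 / 2008 R2); the registry key is the one the "Certificate Services Client - Auto-Enrollment" GPO writes, and the reading of the AEPolicy bits (0x8000 = disabled, 7 = enabled with renew/update) is my understanding of that setting, not something the reply states.

```powershell
# Added example (not from the thread): enrollment and EAP-TLS readiness report
# for machine certificates. Assumes PowerShell 2.0+ on a domain-joined client.

# Autoenrollment state as written by the GPO. Assumption: AEPolicy bit 0x8000
# means disabled, 7 means enabled with renewal/update of certificates.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq $null)          { $aeState = 'not configured (no GPO applied)' }
elseif ($aePolicy -band 0x8000)   { $aeState = 'disabled' }
else                              { $aeState = ('enabled (AEPolicy=0x{0:X})' -f $aePolicy) }
"Machine autoenrollment: $aeState"

# The FQDN a RADIUS server expects to find as a DNS SAN for machine authentication.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn    = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName

$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates; "Machine" = Computer)
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 and later templates)

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_

    # Which template produced this certificate (v1 name or v2 OID/version text).
    $tmpl = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $v2TemplateOid -or $_.Oid.Value -eq $v1TemplateOid } |
        ForEach-Object { $_.Format($false) }

    # EKU: the typed extension exposes the OID collection directly.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = ($eku -ne $null) -and
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)

    # SAN: Format($false) renders entries such as "DNS Name=host.example.com, ...".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san -ne $null) { $san.Format($false) } else { '' }
    $hasFqdnSan = $sanText -match ('DNS Name=' + [regex]::Escape($fqdn))

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Template      = ($tmpl -join '; ')
        ClientAuthEKU = $hasClientAuth
        FqdnInSAN     = $hasFqdnSan
        NotAfter      = $cert.NotAfter
        EapTlsReady   = ($hasClientAuth -and $hasFqdnSan)
    }
} | Format-Table Subject, Template, ClientAuthEKU, FqdnInSAN, NotAfter, EapTlsReady -AutoSize
```

After changing the template or the autoenrollment GPO, `gpupdate /force` followed by `certutil -pulse` triggers an autoenrollment pass without waiting for the next policy refresh, and re-running the report shows whether the client picked up a certificate from the new v2 template.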

All replies

  • --EAP-TLS does not require/use binary certificate comparison unless you have some very special EAP-TLS implementation? What Radius/authentication server are you using?

      Ans: Our Radius server is Cisco ACS 5.3. By default the ACS will do a binary comparison for the certificate (both machine and user). The user certificate is already published in AD but the Computer Cert v1.0 template option to publish in AD is greyed out. We have found the option in ACS to not do certificate binary comparison for machine certs so the machine authentication for EAP-TLS is working now. Is the binary cert comparison more secure or more efficient than not checking for it?

    Yes I have duplicated certificates for use with users but I was looking for an option to edit the default Computer certificate provided by the CA and have all domain PCs auto-enroll using the new machine template; it appears there are no options to modify it.

    Thank you.

    Saturday, 31 March 2012 23:53
  • Binary certificate comparison is not necessarily more secure if the certificate validation and revocation checking are performed correctly. Another benefit of relying on certificate validation and revocation checking rather than binary comparison is that it gives a more flexible solution with the same security level.

    /Hasain

    Sunday, 01 April 2012 17:43
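An added example, not part of Hasain's reply or the thread: the path validation and revocation checking that his answer relies on instead of binary comparison, performed on the client against its own machine certificate with the .NET X509Chain class so an administrator can see the same verdict a RADIUS server doing proper validation would reach. It assumes PowerShell 2.0 or later and a Client Authentication certificate in the local computer store; the optional `-Thumbprint` parameter is a hypothetical convenience of this script.

```powershell
# Added example (not from the thread): validate machine certificates with online
# revocation checking of the entire chain and a Client Authentication policy.
# Assumes PowerShell 2.0+; -Thumbprint is a hypothetical filter of this script.
param([string]$Thumbprint)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ((-not $Thumbprint) -or ($_.Thumbprint -eq $Thumbprint))
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Check revocation for every certificate in the path, not only the leaf, and
    # fetch fresh CRL/OCSP data instead of relying solely on a cached copy.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    # Require the Client Authentication EKU so a server-only certificate is rejected.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null

    $ok = $chain.Build($cert)
    '{0}  (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint
    "  valid with revocation checking: $ok"

    # Typical failure codes: RevocationStatusUnknown / OfflineRevocation (CDP or
    # OCSP unreachable), Revoked, NotTimeValid (expired), UntrustedRoot,
    # NotValidForUsage (EKU mismatch).
    foreach ($status in $chain.ChainStatus) {
        '  - {0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
    foreach ($element in $chain.ChainElements) {
        '  path: {0}' -f $element.Certificate.Subject
    }
    $chain.Reset()
}
```

A certificate that passes this check but is still rejected by the RADIUS server points at the server's own trust or revocation configuration rather than the client enrollment; a result of RevocationStatusUnknown on the client usually means the CRL distribution point in the certificate is not reachable from the network the check ran on, which is exactly the condition that makes validation-based authentication fail open or closed depending on server settings.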