That's not crazy at all - in fact, for standalone CAs, certreq, xenroll, and
capicom (or CAPI2.0) are your best options, if you want to emulate
autoenrollment with a standalone CA. At the very least, you'll want them to
do the work of creating the certificate request.
You'll likely have to do some LDAP modifies as part of your provisioning, if
you want to automatically publish to the AD User Object for TLS mapping.
The only real gotcha is the fact that the standalone CAs don't really do
RPC, but if you know perl (or HTTP programming), that isn't too difficult.
You may also consider rolling your own CA policy modules (and client) to do
the dirty work for you, exposing RPC interfaces fit to your purpose. That's
a bit of work, but I believe its documented in MSDN.
I was a PKI tester at MS during Windows 2000. In fact, I was primarily
responsible for pulling together a lot of the infrastructure for Ent CA
<----> AD integration (and smartcard logon, certificate mapping,
autoenrollment, etc), but that was almost 5 years ago, so forgive me if the
details are sketchy.
I'm still curious, though, why don't you use enterprise CAs? If your
clients all are domain entities, this should be easy to pull off even when
their machines aren't part of the domain through documented RPC mechanisms.
Tx,
Todd
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Monday, August 08, 2005 11:30 PM
To: offtopic
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
In fact, I was thinking of just using user certificates (no need for
personal computers to be on-line while noone is logged on), and
storing them on the profile of each user, on their computer.
And, unfortunately, PEAP is not an option either.
Surfing thorugh MS doc., I had read that through CAPICOM scripts or
batches using certreq.exe against the MS Certificate Services 2003, it
is possible to "emulate" (by programming...) the Active Directory 2003
- Certificate Services 2003 integrated auto-enrollment and
auto-installation of the users' certificates.
However, I have no idea if this is applicable to Certificate Services
2000, if it is a pragmatic solution, and whether it is reasonably easy
to set up.
Any experience using this tools? Would it be crazy to focus the
project in this direction?
Thanks again and best regards,
Rodrigo.
On 8/9/05, offtopic <offtopic@mail.ru> wrote:
- Although the MS Certificate Services are in standalone mode, can I
still configure some auto-enrollment based on the users' AD logon? If
not, what is the best option in order to minimize administrative
effort?
No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You can
choose PEAP MSCHAPv2 for client authentication instead. In this case you
don't need to manage client-side certificates and revocation.
If you need to use client certificates - create new Enterprise Subordinate
CA for issue client certificates.
- Since MS Certificate Services are in standalone mode, is it possible
to have the IAS server map certificates to AD users
You can bind user-to-certificate manually in AD, but I think this is not
best solution.
If you could point me to any paper or step-by-step guide that can
http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+802.1x+
step-by-step&kgs=0&kls=0 ????
PS. You want to use client certificates, where you will store it? In local
profile, or on smartcard?
Will you authenticate computer or user or both?
(c)oded by offtopic@mail.ru
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
