Hello Todd,
in fact, it is most likely that I will not be able to go for an
Enterprise CA because of political factors (internal customer
politics, the AD is managed by different departments, and so on), so
it is not really due to technical reasons... Customer is always right,
I guess... :-/
Also, PEAP is not an option for the customer, since users tend to lend
their AD user/password, so EAP-TLS is the only way to ensure that the
workstation is controlled by the organization (only if they have a
valid certificate will they be able to connect).
From what other members of the list have told me, CAPICOM would
require installing CAPICOM components on the users' workstations,
while this may not be so by having cryptoAPI VB / C++ code execute on
the workstations with the AD logon script (libraries already there).
What I have not found is code samples to base my work on, and not
having to develop from scratch.
I do not understand the LDAP modifies to automatically publish to the
AD User Object for TLS mapping. This means that I have to modify the
AD LDAP schema? Is this necessary to have IAS map cetifiates and AD
users?
Thanks a lot and best regards,
Rodrigo.
On 8/12/05, Todd Stecher <tstecher@uswest.net> wrote:
That's not crazy at all - in fact, for standalone CAs, certreq, xenroll, and
capicom (or CAPI2.0) are your best options, if you want to emulate
autoenrollment with a standalone CA. At the very least, you'll want them to
do the work of creating the certificate request.
You'll likely have to do some LDAP modifies as part of your provisioning, if
you want to automatically publish to the AD User Object for TLS mapping.
The only real gotcha is the fact that the standalone CAs don't really do
RPC, but if you know perl (or HTTP programming), that isn't too difficult.
You may also consider rolling your own CA policy modules (and client) to do
the dirty work for you, exposing RPC interfaces fit to your purpose. That's
a bit of work, but I believe its documented in MSDN.
I was a PKI tester at MS during Windows 2000. In fact, I was primarily
responsible for pulling together a lot of the infrastructure for Ent CA
<----> AD integration (and smartcard logon, certificate mapping,
autoenrollment, etc), but that was almost 5 years ago, so forgive me if the
details are sketchy.
I'm still curious, though, why don't you use enterprise CAs? If your
clients all are domain entities, this should be easy to pull off even when
their machines aren't part of the domain through documented RPC mechanisms.
Tx,
Todd
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Monday, August 08, 2005 11:30 PM
To: offtopic
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
In fact, I was thinking of just using user certificates (no need for
personal computers to be on-line while noone is logged on), and
storing them on the profile of each user, on their computer.
And, unfortunately, PEAP is not an option either.
Surfing thorugh MS doc., I had read that through CAPICOM scripts or
batches using certreq.exe against the MS Certificate Services 2003, it
is possible to "emulate" (by programming...) the Active Directory 2003
- Certificate Services 2003 integrated auto-enrollment and
auto-installation of the users' certificates.
However, I have no idea if this is applicable to Certificate Services
2000, if it is a pragmatic solution, and whether it is reasonably easy
to set up.
Any experience using this tools? Would it be crazy to focus the
project in this direction?
Thanks again and best regards,
Rodrigo.
On 8/9/05, offtopic <offtopic@mail.ru> wrote:
- Although the MS Certificate Services are in standalone mode, can I
still configure some auto-enrollment based on the users' AD logon? If
not, what is the best option in order to minimize administrative
effort?
No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You can
choose PEAP MSCHAPv2 for client authentication instead. In this case you
don't need to manage client-side certificates and revocation.
If you need to use client certificates - create new Enterprise Subordinate
CA for issue client certificates.
- Since MS Certificate Services are in standalone mode, is it possible
to have the IAS server map certificates to AD users
You can bind user-to-certificate manually in AD, but I think this is not
best solution.
If you could point me to any paper or step-by-step guide that can
http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+802.1x+
step-by-step&kgs=0&kls=0 ????
PS. You want to use client certificates, where you will store it? In local
profile, or on smartcard?
Will you authenticate computer or user or both?
(c)oded by offtopic@mail.ru
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
