How to distribute certificates to non-domain devices?

Question

Monday, November 5, 2012 11:05 PM

If we set up certificate-based authentication for the wireless LAN and for Exchange ActiveSync so users do not have to keep manually updating expired passwords on their e-mail and Wi-Fi on their smartphones and the Wi-Fi on non-company laptops, what are the best/easiest methods to distribute the certificates?

Are they safe to email?  Is there anything that prevents extra copies of the certificates from being used on other laptops or smartphones?

All replies (12)

Tuesday, November 6, 2012 10:49 PM ✅Answered

OK, in that case you'll want to review the content at http://technet.microsoft.com/en-us/library/cc732625(v=ws.10).aspx

It has been several years since I've issued certs to non domain members, and I didn't use WS08, but I'm certain that you can configure the template and take other steps to ensure that the certificate can't be misused. Hopefully the documentation covers these issues for you.

Thanks -

James McIllece


Wednesday, November 7, 2012 4:54 AM ✅Answered

To touch base on copying certificates: no, there's nothing stopping someone doing that, if they know what they're doing. If that's the case, you'll need to implement full NAP, and possibly a NAC solution.

More info, and some of this info deals with blocking phones, but it can be used to specifically allow phones by MAC:

Enhance your 802.1x deployment security with MAC filtering
"Ever wanted to tighten the security to the point that only some machines are allowed access on 802.1x/Wireless network? Well here’s the solution, combine MAC filtering, with EAP Authentication and you get, User AND machine authentication all in one." (such as blocking iPhones and Droids)
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

But to block iPhones or Droids, your only real option is a full NAC solution, such as using Windows Server 2008 NAP+NPA, Cisco NAC, Aruba ECS, etc. Read the following discussion:
Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How
http://airheads.arubanetworks.com/vBulletin/showthread.php?t=793

Network Access Protection
http://technet.microsoft.com/en-us/network/bb545879

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Wednesday, November 7, 2012 10:09 PM ✅Answered

Here are some additional resources for you that the current AD CS writer provided:

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS), which you might be able to use for iPads and iPhones, at http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES) at http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

And for WS08R2 and WS12: Certificate Enrollment Web Services in Active Directory Certificate Services at http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

Thanks -

James McIllece


Tuesday, November 6, 2012 12:04 AM

Hi there -

You might want to review the topic "Enrolling Certificates with Templates" at http://technet.microsoft.com/en-us/library/dd197527(v=ws.10).aspx.

Essentially you must have someone who is trusted - such as an administrator - deploy the certificates for non-domain member devices.

There are also ways to deploy certificates that prevent others from using them; I don't recall the topic where that information is located, but it has to do with configuring the certificate template.

Thanks -

James McIllece


Tuesday, November 6, 2012 12:07 AM

This forum post might also provide some answers:

How to request certificate from a non-domain computer, at http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/098f858a-3e89-48d2-828e-274487033f6b

James McIllece


Tuesday, November 6, 2012 1:18 AM

I'm not sure those are referring to the same type of certificates.  I meant 802.1x wireless certificates and Exchange Activesync certificates.

Also, it talks about USB drives and floppy disks. If someone is using an iPhone to connect to the wireless LAN and ActiveSync, there is no way to directly copy the certificate file to the phone.


Tuesday, November 6, 2012 6:08 PM

Hi there -

Yes the first article is discussing enrollment of certificates to clients and servers - perhaps the server focus of the article made it appear to not be relevant. But for computer and user certificates used for 802.1X authentication, this is applicable.

That article was written in the Windows Server 2003 timeframe, which is why it mentions floppy disks. :-)

But the principles are basically the same, and I believe you could export the cert to a file, copy the file onto the phone, and import the cert into the phone's certificate store. You might need to dig around for details and refer to the phone manufacturer's help content to discover the whole process.

Thanks -

James McIllece
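Added example (not from the thread, and not a Microsoft-documented procedure): a PowerShell 2.0-compatible script that ties together the two points made above, Ace Fekay's reply that nothing stops a copied certificate from being used elsewhere, and James McIllece's reply that you can export the certificate to a file and import it on the device. It checks whether the issuing template allows the private key to be exported, lists the client-authentication certificates on a machine together with whether their keys can leave it, and exports a password-protected PFX, which fails when the key is non-exportable. The template name "WirelessUser" and the PFX password are hypothetical; the flag bit values are the msPKI-Private-Key-Flag values from the MS-CRTD specification.

```powershell
# Added example, not code from the thread. Assumes a hypothetical AD CS template
# named "WirelessUser" and a hypothetical one-time PFX password. Written for
# PowerShell 2.0 (the floor on Server 2008 SP2 / Windows 7 era clients).

$TemplateName = 'WirelessUser'           # assumption: your 802.1X / ActiveSync user template
$PfxPassword  = 'change-me-before-use'   # assumption: told to the user out of band, never in the same mail as the file

# msPKI-Private-Key-Flag bit values (MS-CRTD).
$CT_FLAG_EXPORTABLE_KEY                 = 0x10   # "Allow private key to be exported" checkbox in the template
$CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED = 0x20   # "Prompt the user during enrollment and require user input"

# 1. Template side: read the template object from the configuration partition (plain ADSI,
#    so it works without the AD PowerShell module) and decode the private-key flags.
function Get-TemplateKeyPolicy {
    param([string]$Name)
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl  = [ADSI]("LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC")
    $flags = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value
    New-Object PSObject -Property @{
        Template            = $Name
        PrivateKeyFlags     = ('0x{0:X}' -f $flags)
        ExportableKey       = [bool]($flags -band $CT_FLAG_EXPORTABLE_KEY)
        StrongKeyProtection = [bool]($flags -band $CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED)
    }
}

# 2. Client side: list user certificates that carry the Client Authentication EKU
#    (what EAP-TLS and ActiveSync use) and report whether the private key is exportable.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthCertStatus {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isClientAuth = $false
        if ($eku) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $ClientAuthOid) { $isClientAuth = $true } } }
        if (-not $isClientAuth) { return }

        # Legacy CAPI (CSP) keys expose the exportable bit; CNG keys do not through .NET 3.5,
        # and touching .PrivateKey on one may throw, so report "unknown" rather than guess.
        $exportable = 'unknown (CNG key)'
        try {
            if ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
            }
        } catch [System.Security.Cryptography.CryptographicException] { }

        New-Object PSObject -Property @{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            NotAfter = $cert.NotAfter; Exportable = $exportable
        }
    }
}

# 3. If you must hand the user a file (e-mail / web mail), export a password-protected PFX.
#    .NET throws a CryptographicException when the key is non-exportable, which is the same
#    property that keeps an installed certificate from being duplicated onto a second device.
function Export-ProtectedPfx {
    param([string]$Thumbprint, [string]$Password, [string]$Path)
    $cert = Get-Item ("Cert:\CurrentUser\My\" + $Thumbprint)
    try {
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($Path, $bytes)
        Write-Host "Wrote $Path - deliver the password separately and delete the file once imported."
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning ("Cannot export " + $Thumbprint + ": the private key is not exportable. " + $_.Exception.Message)
    }
}

# Usage (the export line is commented out; fill in a thumbprint from the table first):
Get-TemplateKeyPolicy -Name $TemplateName | Format-List
Get-ClientAuthCertStatus | Format-Table -AutoSize
# Export-ProtectedPfx -Thumbprint '<thumbprint from the table above>' -Password $PfxPassword -Path "$env:TEMP\user.pfx"
```

The caveat this makes visible: clearing "Allow private key to be exported" only protects keys that were generated on the device itself (web enrollment, NDES/SCEP, or a domain-joined client auto-enrolling). A PFX you build centrally and e-mail to the user is exportable by construction, so once that file exists the password on it and a short validity period are the only controls you have over extra copies; the server side cannot tell one device holding the key from another.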


Tuesday, November 6, 2012 7:19 PM

You cannot copy files to an iPhone.  Sounds like e-mailing is the only option.


Tuesday, November 6, 2012 9:41 PM

You could access the CA Web Enrollment tool from the iPhone using the browser and request a cert that way. I've never done this with a phone so I'm not 100% sure it would work, but I don't see why it wouldn't.

Thanks -

James McIllece


Tuesday, November 6, 2012 10:05 PM

Not sure that is supported by a non-IE browser on a smartphone, but we can try. I'd like to find out well before we get to that point so it doesn't become an 11th-hour roadblock.

Also,  is there anything that prevents someone copying and then using the certificate on multiple devices in addition to the one the certificate is supposed to be assigned to?

If the certificate only works on the first system it's installed on, we could just e-mail them and the user can install it from web mail and we won't have to monitor it to make sure they securely delete the file attachment. 


Tuesday, November 6, 2012 10:12 PM

What operating system are you using for your CA - WS03, WS08, etc.?

James McIllece


Tuesday, November 6, 2012 10:18 PM

It will be Server 2008 SP2 (not R2).