IAS + user smartcard + workstation certificate

Posted by domibik on July 6, 2007, 9:48 am
Hi !

I want wireless clients to use PKI and IAS to get onto the network.

My idea is that the workstation is verified via a workstation certificate before
the user uses his smartcard (authentication via the user certificate on his
card).

I know I can use the workstation-certificate OR the user-smartcard option.

Is it possible to set them together as an access sequence?

Thanks in advance

Dominik


Posted by Brian Komar on July 6, 2007, 12:02 pm

This is a very commonly deployed model. The workstation authenticates
(allowing processing of GPO/scripts) and then the user is authenticated at
logon time, to allow continued connectivity.
Brian

Posted by S. Pidgorny on July 6, 2007, 9:48 pm
Just wanted to add quickly: even when dual authentication is enabled, it is
virtually impossible to _require_ both computer and user authentication,
because the server infrastructure considers the computer and user authentication
requests separate and independent.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


Posted by domibik on July 9, 2007, 8:32 am
Hi !

But I can't find how to set it.
In the network connection properties (of the wireless card) there is an option
to use a smart card OR a certificate.
I can't set both at the same time.

When I choose Smart Card, the workstation certificate is not required (I
can remove it from the certificate store on the workstation).
But when I use the option "certificate stored on this computer", then I must have
the workstation certificate in the local store and I don't need the smartcard.

I want to force that workstations must have their certificates in their local
stores and users must have their smartcards with PIN to get onto the network.

--
Dominik Weglarz


Posted by S. Pidgorny on July 16, 2007, 5:57 am
Please elaborate: what exactly is not working if you require certificate
authentication, have both the workstation and user certificates along with their
private keys in the appropriate stores, and try to connect?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
