AutoEnrolled certificates not working with NPS - EAP Type cannot be processed by the server

Hi all,
I've done quite a bit of reading to get to the stage I'm at, and I'm happy that I have a correctly configured, functioning 2-tier CA based on Windows 2012 R2 with an offline root.

Currently I am trying to use certificates with NPS for wireless user authentication. I have created a duplicate of the default User certificate template and modified it for use only with Client Authentication and bumped up some settings like client/server OS compatibility and key strength.

Originally I enabled "Do not automatically reenroll if a duplicate certificate exists in Active Directory" but that didn't work as I expected (still resulted in multiple certificates per test user from the various computer sessions each person had).

I then made another template in order to use Credential Roaming and stopped issuing based on the previous template. According to the following link, credential roaming requires a version 3 template, which I can't set except at the time of template creation, so both templates still exist but I'm only issuing for the v3 one.
http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx

The certificate template/autoenrollment now appears to function as I intended, with only 1 instance of this certificate type per user being enrolled and stored in AD, although not consistently. Right now I have none listed on my user properties, but earlier I had 1!

Now I have a problem where certificates from the latest template don't work with the NPS rules I have set up. I get the message "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" in the NPS server security event log.

The settings I changed between the 2 certificate templates were: Compatibility for certificate recipient, increased to Windows 7/Server 2008 R2 from Windows XP/Server 2003; Provider Category, changed to Key Storage Provider; and Request hash, changed to SHA256.

FYI our functional level for the parent domain containing the CA/NPS is 2003, our oldest DC is 2003 SP1 and newest is 2012.

I hope this makes sense. Let me know if more detail is required to provide some ideas, since my mind has been turned into a pretzel reading all about CAs, templates, autoenrollment and wireless authentication :)

Thanks for any hints

P.S. I am also having a bit of trouble understanding how a certificate is chosen. It looks like if you have multiple valid certificates it will just use whatever is available in the user store. We would like to only authenticate with certain certificates but have 1 or more legacy online root CAs on our domain with current valid Client Authentication capable certificates.
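The post touches on two things a defender would want to check on a client before changing more template settings: which certificates in the user's personal store are even candidates for client authentication (the P.S.), and whether the certificates from the new template actually carry the attributes that were changed (SHA256 request hash, Key Storage Provider). The following Windows PowerShell script is an added diagnostic example, not code from the original post or from Microsoft. It assumes Windows PowerShell 5.1 on .NET Framework, where the `PrivateKey` property is populated only for legacy CSP keys and is `$null` for CNG (KSP) keys; the OIDs used are the standard id-kp-clientAuth and Microsoft certificate-template-information OIDs.

```powershell
# Added example (not from the original post): enumerate certificates in the
# current user's personal store that carry the Client Authentication EKU and
# report the attributes the post says differ between the two templates.
# Assumption: Windows PowerShell 5.1 / .NET Framework, where $cert.PrivateKey
# is non-null only for legacy CSP keys and $null for CNG Key Storage Provider keys.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$templateOid   = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2+ templates)

function Get-ClientAuthCertificateReport {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        ForEach-Object {
            $cert = $_

            # v2/v3 templates stamp the template name into an extension; v1 templates do not.
            $templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
            $template = if ($templateExt) {
                ($templateExt.Format($true) -split "`r`n")[0]
            } else {
                'v1 template or no template extension'
            }

            # Distinguish legacy CSP keys from CNG KSP keys (see assumption above).
            $provider = 'no private key present'
            if ($cert.HasPrivateKey) {
                $provider = if ($cert.PrivateKey) {
                    $cert.PrivateKey.CspKeyContainerInfo.ProviderName
                } else {
                    'CNG Key Storage Provider (not exposed via .PrivateKey)'
                }
            }

            [pscustomobject]@{
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                NotBefore          = $cert.NotBefore
                NotAfter           = $cert.NotAfter
                Thumbprint         = $cert.Thumbprint
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                Template           = $template
                Provider           = $provider
            }
        }
}

# Usage: run in the context of the affected user on a domain-joined client.
Get-ClientAuthCertificateReport | Format-List
```

Running this in the affected user's session shows every certificate EAP-TLS could consider, with its issuer, template and key provider side by side. That makes it easy to see whether certificates from the old template and from legacy online root CAs are still present alongside the new ones, and to confirm that the new template's certificates really do show a SHA256 signature and a Key Storage Provider key, before comparing against what the NPS EAP configuration and the client's wireless profile accept.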
