Steve
Wed Dec 22 17:31:15 CST 2004
Not without some work. There is no "require certificate to join domain" checkbox
or policy object. But you can implement domain-wide IPsec ESP null (authentication
but no encryption) to achieve the same result. We do it internally on our
corpnet and many customers have deployed it, too. We've named this concept
"domain isolation."

More information on our deployment, including a downloadable version of the
paper:
http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx

The first of a two-part series I'm writing on IPsec; part 2 will include
domain isolation:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint121504.mspx

Steve Riley
steriley@microsoft.com
> I am running Windows 2003 Server in mixed mode. We have an enterprise
> CA.
> Is it possible to require a valid certificate on a workstation to join
> a domain and access resources in the domain? As part of that, can you
> set up a way to notify you if a computer is plugged in to the network
> so it can get a valid certificate installed by an administrator?
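
What "ESP null (authentication but no encryption)" means on the wire, as an added example that is not part of the original post or of any Microsoft code: the sketch builds an ESP packet with NULL encryption (RFC 2410) and an HMAC-SHA1-96 integrity check value, then shows that the payload stays readable while a peer without the security association key, or an altered packet, is rejected. The function names, key, SPI and payload are constructed for illustration; in real IPsec the key is derived by IKE after the peers authenticate.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the tag to 96 bits


def esp_null_seal(spi, seq, payload, next_header, auth_key):
    """Build an ESP packet with NULL encryption and an integrity tag (ICV)."""
    # Pad so payload + padding + pad_len + next_header is a multiple of 4 bytes.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_open(packet, auth_key):
    """Verify the ICV; return (spi, seq, next_header, payload) or raise ValueError."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: wrong key or altered packet")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("bad pad length")
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


# Constructed sample values (assumptions, not taken from the post).
KEY = b"constructed-sa-auth-key"
PAYLOAD = b"SMB session setup"
PACKET = esp_null_seal(0x1001, 1, PAYLOAD, 6, KEY)  # next header 6 = TCP


def accepted(packet, key):
    """True if the receiver would accept the packet under this SA key."""
    try:
        esp_null_open(packet, key)
        return True
    except ValueError:
        return False
```

Because the payload is not encrypted, network monitoring and intrusion detection can still inspect the traffic; only hosts that completed IKE authentication can produce packets the receiver accepts.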