Require Computer Certificate And user credentials

Hi All,
I'm trying to test 802.1x authentication in a lab environment with some standalone 1131AGs and a Server 2008 R2 NPS server. I've been able to set up a few different scenarios but none have met all my requirements:
Scenario 1:
Laptops in the domain automatically get certs from a GPO
Laptops in the domain automatically get an SSID configured from a GPO
Laptops in the domain automatically authenticate using their computer certificate.
Problem:
I can't add non-domain computers to this network. I've tried installing computer certs using Windows 2008 R2's certsrv CA web portal but these types of certs don't seem to work.
Scenario 2:
Same as below except I provide non-domain computers with a user certificate which they can request through Windows 2008 R2's certsrv CA web portal.
They can connect BUT they can export the private key and put it on other devices or give it to their friends, etc.
I'd like to figure out a way to ensure certificates can't be exported or at least require a user cert and a username and password to get onto the wireless network. Is this not possible with EAP-TLS or PEAP-TLS?
Thanks!

Yon,
Moving this to AAA forum.
Thanks,
Vinay Sharma
Community Manager - Wireless
Cisco Support Community

Similar Messages

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    •1. Certificate
    •2. Machine auth thru AD
    •3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would i implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with the NAM module on the endpoints! But it doesn't make sense to me to configure some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7, which is sending correct information about the domain but wrong information about the user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect again, the authentication and authorization happen correctly. I'm still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
    Good luck and keep in touch.

  • How to embed author certificate and user digital signature?

    Hi,
    I want to implement Digital Signature in my pdf using Netweaver technology. I am working on an offline scenario.
    I have few question on this topic.
    1) Once I sign the pdf, do the input fields in it get locked? If not, then how do I lock them to ensure that they are not tampered with?
    2) How to pass the certificate along with the pdf? Can I pass it through an email?
    3) Is the digital signature completely done on Adobe Reader side or the program side?
    Please reply urgently...
    Thanks,
    Vishal

    hi
    I've the same problem. I've found this solution, but you need to download a JCE provider that allows you to read the Explorer certificate store.
    You can try this one: https://download.assembla.se/jceprovider/
    and the code:
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;
    import se.assembla.*;

    public class Listcerts {
         public static void list() throws Exception {
              // Register the Assembla MS CAPI provider so the Windows certificate store is reachable through JCE
              java.security.Security.insertProviderAt(new se.assembla.jce.provider.ms.MSProvider(), 2);
              // "MSKS" is the provider's key store type, "assembla" its provider name
              KeyStore ks = KeyStore.getInstance("MSKS", "assembla");
              ks.load(null, null);
              X509Certificate cert = null;
              String alias = null;
              int count = 0;
              // Walk every alias in the store and print the certificate behind it
              for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
                   alias = (String) e.nextElement();
                   cert = (X509Certificate) ks.getCertificate(alias);
                   System.out.println("\n Certificado alias " + alias + ":");
                   System.out.println(cert);
                   count++;
              }
              System.out.println("NUM CERTS=" + count);
         }

         public static void main(String[] args) throws Exception {
              list();
         }
    }
    Now I need the same solution for the Firefox browser on XP.
    good luck
    Message was edited by:
    meteko

  • Require cert and domain credentials to authenticate?

    Is there a way to require a machine certificate AND domain credentials to authenticate to a wireless network (Cisco LWAPP, ACS, AD)? 
    My objectives are:
    Permit access from corporate hardware ONLY, i.e., prevent users from logging from a personal laptop or PDA using their domain credentials.
    Validate that an employee is logging on to the network. 
    My current PEAP implementation only satisfies the second condition, and from everything I have read EAP-TLS will only satisfy the first. Is there a solution?
    thanks

    PEAP or EAP-TLS with machine auth will do the first one; then the user can log in as normal with their user credentials.

  • Checking Computer AND User Account against AD without TLS

    Hi Folks,
    I am working on a customer site with 5500/ACS5.2/AD/WZC. The customer is looking for a good authentication scenario but decides against TLS. So we tested PEAP with checking the AD for a valid computer account and user auth. But if I use a laptop with no domain computer account but a valid user account, I can gain access. Is it possible for the ACS to check for a valid computer AND user account and accept the client only if both accounts are available and valid?
    Regards, Michael

    Hi Nicolas, thanks for this hint. I did the Host Lookup and "was machine auth" thing today, but anyway, my own laptop that is not in the domain can connect to the network with a domain user ID. Any hint or trick? I saw in other discussions you referred to that some users did an AD rejoin; what do you think?
    Regards, Michael

  • What do I need the Computer certificate for in an Active Directory domain? Theoretical Inquiry

    So we are trying to clean up the thousands of certificates we have deployed. We are on a 2008 R2 Active Directory and have been using certs for about a decade. With all of our machines auto-enrolling in Computer certificates and renewing every year we have maybe 50,000 certificates; yes, some are expired already, but it's a nightmare to manage. So what do we need the Computer certificate on all the Windows machines for anyway? Some are XP, most are Windows 7.
    Is the Computer certificate required for Kerberos authentication?
    If we don't need it I'd rather stop publishing the Computer template and simplify our lives.
    Please explain (I am not new to PKI, though this question may make me seem like a novice). I get the Web Certs, EFS, etc.

    Computer certificates are not needed for Kerberos authentication.
    They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might use them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.
    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some of the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials.
    Elke

  • Excel Services and User Specific Data

    Hello,
    I am new to Excel Services.
    I want to retrieve data into Excel Services (at this phase, to present it in an Excel Web Part) from SQL Server.
    The SQL might hold a big amount of data, so I am thinking about fetching only the data relevant to each user.
    I configured a pivot table over a data connection with Windows Authentication, and when I refresh it I get the following message: "The data connection uses windows authentication and user credentials could not be delegated". I think the Windows Authentication is required in order to pass information about the user to the SQL query so it can filter for the relevant data.
    My questions are as follows:
    Can I pass user information from the Excel model file to the SQL server in a way different from Windows Authentication?
    Alternatively, if I retrieve the data unfiltered to Excel Services, and filter only the pivot, will I get the same performance?
    Would the answers change if Excel and/or SharePoint version is changed from 2010 to 2013 or Online/365?
    Any other idea?
    Regards,
    Barak

    Hi,
    According to your post, my understanding is that you wanted to filter Excel Services Data.
    You can connect the Excel Web Access Web Part to a Current User Web Part or a Filter Web Part to pass user information. Please refer to:
    Personalized Data in Excel Services
    You will get the same performance.
    You can connect the Excel Web Access Web Part to a Current User Web Part in all versions.
    More information:
    Connecting Dashboard Filters to Excel Services Pivot Table Report Filters
    Thanks,
    Linda Li                
    Forum Support

  • Revoked Computer certificate, still appears within the pc

    Hello,
       I have just revoked a Computer certificate, from my Domain Controller (the one that holds the Certificate Services).
    When I log into this computer and go to MMC, I still see the Computer Certificate, and it seems to be running, because I don't see any red alert sign saying "This certificate is revoked" or something like that.
    Just in case, I restarted the computer twice and restarted the Certificate service in the domain controller.
      This domain controller is issuing User certificates all right, as I have just tested, to figure out why all this is happening.
    Do I have to manually remove the certificate from the PC? Then what is the use of revoking it from the Certificate Services server?
    Thanks a lot in advance!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    First, when you open a certificate, only the certification path is constructed. NO REVOCATION CHECKING IS PERFORMED. If the certificate was issued manually, then you will have to manually remove it from the server. If the certificate was issued via autoenrollment, then autoenrollment will automatically remove it (if the Autoenrollment policy in GPO is configured to remove revoked certificates).
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • AX resets wireless connection to "require a certificate"

    I've established a connection but, apparently, the AirPort Utility resets my wireless network to require a certificate and can't "validate identity", something my Linksys wireless is not set up to do. Is there a Utility setting that does not require or force the certificate? The connection goes on and off, much more off than on, apparently looking for the certificate.

    kilometro, Welcome to the discussion area!
    There is nothing on Apple's base stations that cause such a prompt. What is the AirPort Express (AX) connected to?

  • I re-formatted my PC and changed its name and user name. But after formatting Firefox Sync is not showing my previous bookmarks.

    Hi guys, I formatted my PC and after formatting Firefox is not showing my previous bookmarks.
    I changed my computer name and user name,
    and I don't remember what the previous name of my computer was.

    Did you reset the password of the Firefox account or did you still remember the password?
    The new Sync version used in Firefox 29 and later still uses a Sync key to encrypt data locally before uploading, but this Sync key is generated internally from the password of your Firefox account, so you no longer need to worry about it.
    This also means that the Sync key changes when you change (reset) the password of the Firefox account, and you lose all data stored on the Sync server when doing that.

  • TDS (Withholding) Certificate config & user steps

    Hi Gurus,
    Kindly help me in configuring withholding tax certificate and user steps to generate as well as take its print out.
    Regards,
    Vikas

    Hi Viki
    Follow the path given below
    IMG-FA-Financial Accounting Global Settings-Withholding Tax-Extended Withholding Tax-Postings-Certificate Numbering for Withholding Tax
    Do the configuration:
    1.Define numbering Class: No. Class - Give the Plant Code say for Ex. Delhi Plant -DEL followed by text.
    2.Define numbering Groups: As 000001 and text as no. group for Delhi Plant.
    3.Define Number Ranges: Enter each no. group and accordingly maintain the no. range for each group.
    4.Assign no. group to no. class
    Later in the same path select INDIA
    Select the WHtax Certificate for Vendors/Customers
    1.Maintain No. groups for SAP Script Forms Here give these inputs
    Company code, Section Code - DEL, Official Wtax Key - 194C/194A etc Form:J_1IEWT_CERT and finally the no. group 01/02/03 maintained in the no. class.
    2.Assign no. ranges to the no. groups
    3.Finally maintain the no. ranges
    After the initial configuration go to the TC: J1ILN
    Select the Tax Deduction at Source - Ext. Wthax - Vendor Certificates - and follow as given.
    This is the entire configuration for Withholding Tax Certificate Generation, and I hope this will solve your problem.
    regards
    Murali Kanth Natti

  • Multiple additional SIP domains - certificate and DNS requirements

    We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
    This is working successfully internally, externally and through Lync Mobile.
    However, we've only enabled users who are using the main company domain for SMTP and SIP addresses, aaaaa_group.com (so all nice and easy so far!)
    In other words, user A has a primary SMTP and SIP address of
    UserA@aaaaa_group.com
    However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses, e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
    There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses.
    (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
    I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
    I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility, as the phone Lync clients don't accept them.
    Wildcard certificates aside, what are the names that I will need to add to my SAN certificates? Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
    The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull. However, I still need to report back with a cost of doing this, no matter what it is.
    Any thoughts/comments would be very welcome. :-)

    Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates; it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards. So you may be able to use wildcards, but do plenty of research on how to approach this. Here are some articles to get started:
    http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
    http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
    That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
    For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field:
    sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
    The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
    For Exchange Server you'll need an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry. The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only, as these FQDNs will be passed in-band to the clients after they have successfully signed in to Lync. Unless you need users to all use their own domain names for the SimpleURLs (which it does not sound like in your scenario) then you'd have to add all those as well.
    So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work. And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc. Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry; use the primary domain name entry in the CN and then place the wildcard entries in the SAN field. It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
    For example:
    Edge Server external certificate
    Common Name: sip.domain1.com
    Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com, etc...
    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
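    As an added example (not code from the thread or from Lync), the SAN rules in the reply above turned into a small planner and checker in Python: it lists the names each certificate role must cover for a set of SIP domains, composes a SAN list either explicitly or with per-domain wildcards (keeping the sip.<domain> names explicit when Phone Edition handsets are present), and validates a proposed CN/SAN pair against the rules (no wildcard CN, CN duplicated in the SAN, every required name covered). The domain names are constructed, and the Simple URL host names meet and dialin are assumptions; real topologies use their own.

```python
# Added example, not from the thread: plan and check Lync SAN entries per the reply's rules.
# Domain names below are constructed; the Simple URL hosts are assumed (meet, dialin).

PRIMARY_ONLY_NAMES = ("meet", "dialin")  # assumed Simple URL hosts, kept in the primary SIP domain only


def required_names(primary, others):
    """Names each certificate role must cover: sip.<domain> for every SIP domain on the
    Edge and Front End, lyncdiscover + lyncdiscoverinternal per domain on the Front End,
    lyncdiscover per domain on the reverse proxy, remaining names in the primary domain only."""
    domains = [primary, *others]
    sip = [f"sip.{d}" for d in domains]
    disc = [f"lyncdiscover.{d}" for d in domains]
    disc_int = [f"lyncdiscoverinternal.{d}" for d in domains]
    simple = [f"{n}.{primary}" for n in PRIMARY_ONLY_NAMES]
    return {
        "edge_external": sip,
        "front_end": sip + disc + disc_int + simple,
        "reverse_proxy": disc + simple,
    }


def build_san(cn, names, domains, wildcard=False, phone_edition=False):
    """Compose a SAN list: the CN duplicated first, then either every explicit name or one
    wildcard per domain. With Phone Edition handsets the sip.<domain> entries stay explicit,
    because those devices reject wildcard matches."""
    san = [cn]
    if wildcard:
        san += [f"*.{d}" for d in domains]
        if phone_edition:
            san += [n for n in names if n.startswith("sip.")]
    else:
        san += names
    seen, ordered = set(), []
    for entry in san:  # de-duplicate while keeping order
        if entry not in seen:
            seen.add(entry)
            ordered.append(entry)
    return ordered


def covers(entry, name):
    """True if a SAN entry matches a host name exactly or via a single-label wildcard."""
    if entry.startswith("*."):
        return "." in name and name.split(".", 1)[1] == entry[2:]
    return entry == name


def check_certificate(cn, san, names):
    """Return the list of rule violations for a proposed CN/SAN pair (empty means OK)."""
    problems = []
    if cn.startswith("*."):
        problems.append("CN must not be a wildcard; put the wildcard in the SAN instead")
    if cn not in san:
        problems.append("CN should be duplicated as a SAN entry")
    for name in names:
        if not any(covers(entry, name) for entry in san):
            problems.append(f"{name} is not covered")
    return problems


if __name__ == "__main__":
    primary, others = "aaaaa_group.com", ["bbbbb_co.uk", "ccccc_company.com"]
    need = required_names(primary, others)
    cn = f"sip.{primary}"
    san = build_san(cn, need["edge_external"], [primary, *others], wildcard=True)
    print("Edge SAN:", ", ".join(san))
    print("Problems:", check_certificate(cn, san, need["edge_external"]))
```

    Running the block prints the Edge SAN list for the three constructed domains and an empty problem list; swapping the CN for a wildcard, or dropping the CN from the SAN, makes check_certificate report the corresponding violation.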

  • Unable to enroll Computer certificates on Server 2008 R2 and older

    I've found a strange issue with our CA setup, and it didn't used to be a problem. While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers. Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble. Direct IIS "domain certificate" enrollment still works.
    I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built. I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate. I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen. If I check the box to show all templates, the certificates I want are listed with:
    "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't support this operation, or the CA is not trusted."
    I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong. The error message seems to say it all, but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates. I've searched the web but can't find anything like this specific issue.
    Any ideas?
    Thank you!

    Hi Amy.
    Domain Admins and Enterprise Admins have Read/Write/Enroll. Authenticated Users have Read.
    I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue. Our domain has had plenty of time to replicate the copied template.
    I don't recall making any changes that would have affected a computer's ability to enroll. There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I went to generate internal certificates back in October. All administrative work is done as the domain Administrator account.
    We didn't have issues with this CA when it was first built, so something did change. We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything. When we moved to Server 2012 on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained. It may be better just to clean everything and get one consistent root certificate again.
    Alan

  • Cisco ISE - Computer and User Authentication on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see in the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer.
    Can you explain to me whether this is caused by the ISE configuration or by the client configuration?
    Thanks a lot for your help.
    The following screenshots show the logs appearing in ISE:
    Kind regards, Emeric.

    This is a great question and I wanted to add my input, and I have a question as well. My understanding is that in order to do both Machine and User, EAP-Chaining is required, which uses EAP-FAST.
    In my testing, when a domain box is configured for computer/user authentication, when the laptop starts up it will authenticate with a host/ and SID in the log.
    When the user logs in you then see the user ID.
    For my benefit, which rule are you talking about?
    Thank you

  • Radius 802.1x authentication with computer AND users.

    Hi !
    I don't know if what I'm trying to do is possible, so please excuse me if this sounds silly :)
    I have a Cisco Wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).
    Therefore I created a new policy with the following conditions:
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls back to the default one.
    If I remove the user rule and leave the computer rule: Connection OK
    If I remove the computer rule and leave the user rule: Connection OK
    But if I put both, I can't connect :s
    Can someone help me with this issue ?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if EAP-TLS wireless authentication has been used, since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use the NPS wizard to configure the 802.1x wireless connection, and you will find that it creates a new connection request policy and network policy. The network policy NAS Port Type will be "Wireless - Other OR Wireless - IEEE 802.11". If you need to filter by user and computer account, the log should show both the authenticated user and machine account name.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan
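    As an added example (not code from either post, and not an NPS tool), a Python parser for the kind of NPS audit event Geoffrey quoted, which is where Rick's advice to read the log for the authenticated user and machine account names becomes concrete. It flattens the indented "Key: value" layout into a dictionary, classifies the authenticated identity as a machine account (host/<fqdn>, SAM name ending in $) or a user account, and reports why the intended network policy was not the one matched. The event text is constructed to follow the quoted layout; the intended policy name passed to diagnose() is an assumption.

```python
import re

# Constructed sample event laid out like the NPS audit event quoted in the thread:
# a domain computer's machine-account attempt that fell through to the default policy.
SAMPLE_EVENT = """User:
    Security ID:            EUROPE\\HOSTNAME$
    Account Name:            host/HOSTNAME.my.server.com
    Account Domain:            EUROPE
    Fully Qualified Account Name:    EUROPE\\HOSTNAME$
Authentication Details:
    Connection Request Policy Name:    Secure Wireless Connections
    Network Policy Name:        Connections to other access servers
    Authentication Provider:        Windows
    Authentication Type:        EAP
    EAP Type:            -
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# One "Key:   value" line; section headers such as "User:" carry an empty value and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ()/-]*?):\s*(?P<value>.*?)\s*$")


def parse_event(text):
    """Flatten the indented event text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("key")] = m.group("value")
    return fields


def principal_kind(fields):
    """'machine' when the authenticated identity is a computer account (host/<fqdn>,
    SAM name ending in '$'), otherwise 'user'. One 802.1X session carries one or the other."""
    name = fields.get("Account Name", "").lower()
    sam = fields.get("Fully Qualified Account Name", "")
    if name.startswith("host/") or sam.endswith("$"):
        return "machine"
    return "user"


def diagnose(text, intended_policy):
    """Return (principal kind, findings) explaining why intended_policy was not matched."""
    fields = parse_event(text)
    kind = principal_kind(fields)
    matched = fields.get("Network Policy Name", "")
    findings = []
    if matched != intended_policy:
        findings.append(f"{kind} account matched policy '{matched}' instead of '{intended_policy}'")
    if fields.get("Reason Code") == "65":
        findings.append("reason code 65 (Network Access Permission denied): check the matched "
                        "policy's access permission and the account's Dial-in tab")
    if kind == "machine":
        findings.append("session authenticated the machine identity only, so a User Groups "
                        "condition in the same policy has no user to match")
    return kind, findings


if __name__ == "__main__":
    # "COMPANY laptops" stands in for the poster's own policy name (assumption).
    kind, findings = diagnose(SAMPLE_EVENT, "COMPANY laptops")
    print("principal:", kind)
    for f in findings:
        print("-", f)
```

    Run against the constructed event, the block reports a machine principal, the fall-through to "Connections to other access servers", the reason code 65 check, and that no user identity was present in that session; the same parser fed a later event with a user Account Name reports a user principal, which is the pairing Rick's reply says the log should show.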
