Joining a Windows Vista Wired Client to a Domain

Writer: Joe Davies


Abstract

Wired client computers running Microsoft® Windows Vista™ can use a temporary wired profile to obtain connectivity to a secure wired network and join an Active Directory® directory service domain. This temporary wired profile, known as a bootstrap wired profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wired client uses a new wired profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes two methods of configuring a bootstrap wired network profile.

Introduction

Typical wired clients need either domain credentials (name/password) or a certificate to perform authentication for secure wired access. To join the domain and receive domain credentials or certificates, wired client computers need a successful connection to the wired network that contains the domain controllers of the domain. To access a secure wired network and join a computer to a domain, the wired client user must manually provide their domain user name and password. Once connected to the wired network, the wired client user can join the computer to the domain.

In 802.1X-authenticated wired networks, wired clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wired client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wired client. This behavior can be disabled, but is not recommended in production environments.

If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed, the wired client can validate the RADIUS server's computer certificate, regardless of whether the wired client has joined the Active Directory domain.

If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server® 2003 Certificate Services), a wired client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wired client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.

This article describes methods that configure Windows Vista-based wired clients with a wired profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wired network, the wired client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure or override the wired profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.

If the IT administrator overrides the manually configured wired profile with Group Policy, the Group Policy-based wired profile must be configured to perform computer authentication (the default behavior). If the computer cannot use its own account and credentials to obtain a wired connection, the user will be unable to log on to the computer with their domain credentials, because no domain controller is reachable to validate them.

Methods for Joining a Wired Client to a Domain

This section describes the following methods for joining a wired client to a domain:

  • User configures their wired computer with a bootstrap wired profile using an Extensible Markup Language (XML) file and joins the domain

  • User manually configures wired computer with bootstrap wired profile and joins the domain

User Configures Their Wired Computer with a Bootstrap Wired Profile Using an XML File and Joins the Domain

In this method, the user configures their wired computer with a bootstrap wired profile using an XML file and script that has been configured by an IT administrator. The bootstrap wired profile configured by the XML file allows the user to establish a wired connection and then join the domain.

The following are the steps for this method:

  1. An IT administrator configures another Windows Vista-based wired computer with a bootstrap wired profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

  2. The IT administrator exports the bootstrap wired profile to an XML file with the netsh lan export profile command and creates a script file to execute that will automatically add the profile on the user's computer.

    For the details of configuring the bootstrap wired profile and exporting it to an XML file, see "Appendix A: Configuring a Bootstrap Wired Profile" in this article.

  3. The IT administrator distributes the new wired computer, the XML file containing the bootstrap wired profile, and the script file to the user using an appropriate method. The script file contains the netsh lan add profile XML_File_Name Connection_Name command.

    For example, the XML file can be stored on a USB flash drive with a script for the user to run to add the bootstrap wired profile.

  4. The user starts the computer and performs a logon using a local computer account.

  5. The user runs the script file to add the bootstrap wired profile.

  6. After the script is run, Windows Vista attempts to connect to the wired network and prompts the user for an account name and password.

  7. The user types their domain user account name and password and the Windows Vista client computer connects to the wired network.

  8. The user joins the computer to the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

User Manually Configures Wired Computer with Bootstrap Profile

In this method, the user manually configures their wired computer with a bootstrap wired profile based on instructions from an IT administrator. The bootstrap wired profile allows the user to establish a wired connection and then join the domain.

The following are the steps for this method:

  1. The IT administrator distributes to the user the instructions for configuring a bootstrap wired profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

  2. The user starts the computer and performs a logon using a local computer account.

  3. The user executes the steps in the instructions to configure the bootstrap wired profile (see "Appendix A: Configuring a Bootstrap Wired Profile" in this article).

  4. After the bootstrap wired profile is configured, Windows Vista attempts to connect to the wired network and prompts the user for an account name and password.

  5. The user types their domain user account name and password and the Windows Vista client computer connects to the wired network.

  6. The user joins the computer to the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

Appendix A: Configuring a Bootstrap Wired Profile

To configure a bootstrap wired profile, do the following:

  1. From the Windows Vista desktop, click Start, and then click Control Panel.

  2. Click System and Maintenance, and then click Administrative Tools.

  3. Double-click Services.

  4. In the list of services in the contents pane, double-click Wired AutoConfig Service.

  5. In Startup type, click Automatic. In Service Status, click Start, and then click OK.

  6. Close the Services window.

  7. From the Windows Vista desktop, click Start, and then click Control Panel.

  8. Click Network and Internet, and then click Network and Sharing Center.

  9. Click Manage network connections.

  10. Right-click your LAN connection, click Properties, and then click the Authentication tab.

  11. In Choose a network authentication method, click Protected EAP (PEAP), and then click Settings.

  12. In the Protected EAP (PEAP) Properties dialog box, clear the Validate server certificate check box.

  13. Click OK twice.

  14. Close the Network Connections window.

To export the settings of this bootstrap wired profile to an XML file, type the following command:

netsh lan export profile Folder Connection_Name

  • Folder is the name of the folder that stores the XML file. You can specify an absolute or relative path, "." for the current folder, or ".." for the parent folder.

  • Connection_Name is the name of the wired adapter for which the wired profile has been configured.

The netsh lan export profile command creates an XML file named after the specified connection. For example, to create an XML file containing the profile of the connection named Local Area Connection and store it in the current folder, you would use the following command:

netsh lan export profile . "Local Area Connection"

For this example, netsh creates a file in the current folder named "Local Area Connection.xml".
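As an added example (not part of the article), the following PowerShell script audits the XML files written by netsh lan export profile and flags bootstrap profiles, which lets an administrator confirm that the file handed out in the XML-file method really is the intended no-validation PEAP profile, and later check that a machine no longer carries such a profile after it has joined the domain. The element names it reads (PerformServerValidation, UseWinLogonCredentials, authMode) are those of the Windows PEAP/MS-CHAP v2 and 802.1X profile schemas; the folder path is an assumption.

```powershell
# Added example, not from the article: classify exported wired profiles as
# bootstrap (PEAP, RADIUS server certificate NOT validated) or production.
# Assumes the files were created with: netsh lan export profile <folder> <connection>
param([string]$ProfileFolder = ".")   # assumed location of the exported *.xml files

function Get-ElementText {
    param([xml]$Doc, [string]$Name)
    # The profile mixes several xmlns declarations; a local-name() lookup
    # avoids having to register each namespace.
    $node = $Doc.SelectSingleNode("//*[local-name()='$Name']")
    if ($node) { return $node.InnerText.Trim() }
    return $null
}

function Test-WiredProfile {
    param([string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path

    $eapType   = Get-ElementText $doc 'Type'                     # 25 = PEAP
    $validates = Get-ElementText $doc 'PerformServerValidation'  # 'false' on a bootstrap profile
    $winLogon  = Get-ElementText $doc 'UseWinLogonCredentials'   # 'false' = user is prompted
    $authMode  = Get-ElementText $doc 'authMode'                 # machine / user / machineOrUser

    if ($eapType -eq '25' -and $validates -eq 'false') {
        $class = 'BOOTSTRAP (RADIUS certificate not validated)'
    } elseif ($eapType -eq '25' -and $validates -eq 'true') {
        $class = 'production'
    } else {
        $class = 'not PEAP / unknown'
    }

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        EapType         = $eapType
        ValidatesServer = $validates
        UsesWinLogon    = $winLogon
        AuthMode        = $authMode
        Classification  = $class
    }
}

# Report every exported profile; any BOOTSTRAP entry found on a joined
# computer should be replaced by the domain (Group Policy) profile.
Get-ChildItem -LiteralPath $ProfileFolder -Filter *.xml |
    ForEach-Object { Test-WiredProfile $_.FullName } |
    Format-Table -AutoSize
```

The same script can be pointed at the folder that netsh lan export profile writes to on a user's computer to verify that the bootstrap profile has been retired once the Group Policy profile, which performs computer authentication and validates the server certificate, is in place.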

Appendix B: Joining a Windows Vista client to a Domain

After successfully connecting to the secure wired network, open Control Panel, click System and Maintenance, click System, and then do the following:

  1. Under Computer name, domain, and workgroup settings, click Change settings.

  2. From the System Properties dialog box, click Change.

  3. In the Computer Name Changes dialog box, type the computer name in Computer name. Click Domain and type the Active Directory domain name.

  4. Click OK.

  5. When prompted, type your domain user account name and password to join the computer to the domain.

  6. Restart the computer when prompted.

When the computer is restarted, it automatically authenticates to the wired network using the computer's domain account credentials or certificate.

For More Information

For more information, consult the following resources: