Planning a Certificate Infrastructure to Support Client Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The authentication methods that are deployed for remote access clients determine whether or not your remote access design requires a certificate infrastructure.

A certificate infrastructure is required for L2TP/IPSec-based VPN connections, because certificates are used to negotiate IPSec peer authentication. For PPTP-based VPN connections, a certificate infrastructure is required only if EAP-TLS authentication is in use, with either smart cards or user certificates. Password-based authentication protocols, such as MS-CHAP v2, do not use certificates for authentication, so they require no certificate infrastructure.

Table 8.4 shows where you must install certificates to support remote access clients over L2TP/IPSec-based VPN connections and over PPTP-based connections using EAP-TLS. For EAP-TLS authentication, L2TP/IPSec-based VPN connections require one more certificate on the VPN client than PPTP-based VPN connections require.

Table 8.4   Certificate Infrastructures Required for Remote Access Client Authentication

VPN/Authentication Protocol                                        Required Certificate Infrastructure
-----------------------------------------------------------------  ------------------------------------------------------------------------------
L2TP/IPSec-based VPN connection                                    • Install a computer certificate on the VPN server.
                                                                   • Install a computer certificate on each VPN client.

PPTP-based VPN connection using smart cards and EAP-TLS            • Install a computer certificate on the authenticating server for the VPN server.
                                                                   • Install a user certificate on each smart card.

PPTP-based VPN connection using registry-based user certificates   • Install a computer certificate on the authenticating server for the VPN server.
and EAP-TLS                                                        • Install a user certificate on each VPN client.

If your PPTP-based VPN connections require a certificate infrastructure, install a computer certificate on the authenticating server for the VPN server. If you are using smart cards, install a user certificate on each smart card distributed to a VPN client user. If you are using registry-based user certificates with EAP-TLS authentication, install a user certificate on each VPN client.

For an L2TP/IPSec-based VPN connection, install a computer certificate on every VPN client and on the VPN server. A certificate infrastructure is also required when EAP-TLS, with either smart cards or user certificates, is used for user authentication.
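Table 8.4 says where each certificate must be installed, but it does not say how to confirm that a given machine actually holds a usable one before connections are attempted. The following PowerShell function is an added example and is not part of the deployment kit. It assumes a Windows host with the Cert: drive available; the function and role names are this example's own. The three roles map onto the table's rows: an IPSec peer (VPN server or L2TP/IPSec client) needs a computer certificate with a private key in the local machine store, an EAP-TLS authenticating server needs a computer certificate carrying the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), and a registry-based EAP-TLS user needs a certificate carrying the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) in the current user's store.

```powershell
# Added example (not from the Windows Server 2003 Deployment Kit): verify that the
# certificate Table 8.4 calls for is present, unexpired, has a private key and chains
# to a trusted root on this host. Role names and function names are this example's own;
# the EKU OIDs are the standard Server Authentication and Client Authentication identifiers.

function Get-CertificateEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Return the EKU OID strings in the certificate; an empty list if it has no EKU extension
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-VpnCertificatePlacement {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('IpsecPeer', 'EapTlsServer', 'EapTlsUser')]
        [string]$Role
    )
    # Map each role from Table 8.4 to the store the certificate must live in and,
    # where EAP-TLS requires one, the EKU it must carry. IPSec peer authentication
    # (VPN server and L2TP/IPSec clients) uses a computer certificate without an EKU requirement.
    switch ($Role) {
        'IpsecPeer'    { $store = 'Cert:\LocalMachine\My'; $eku = $null }
        'EapTlsServer' { $store = 'Cert:\LocalMachine\My'; $eku = '1.3.6.1.5.5.7.3.1' }
        'EapTlsUser'   { $store = 'Cert:\CurrentUser\My';  $eku = '1.3.6.1.5.5.7.3.2' }
    }

    $now = Get-Date
    $candidates = Get-ChildItem -Path $store | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now -and
        ($null -eq $eku -or ((Get-CertificateEkus $_) -contains $eku))
    }

    # Only a certificate that chains to a root this host trusts will be accepted by the peer
    $valid = @($candidates | Where-Object { $_.Verify() })

    [pscustomobject]@{
        Role        = $Role
        Store       = $store
        RequiredEku = $eku
        Found       = $valid.Count
        Thumbprints = @($valid | ForEach-Object { $_.Thumbprint })
        Ok          = ($valid.Count -gt 0)
    }
}

# Usage: run as an administrator on the VPN server or an L2TP/IPSec client,
# or in the user's own session on a client that uses registry-based EAP-TLS certificates.
# Test-VpnCertificatePlacement -Role IpsecPeer
# Test-VpnCertificatePlacement -Role EapTlsServer
# Test-VpnCertificatePlacement -Role EapTlsUser
```

A result with Ok set to $false on a host that should hold the certificate means the corresponding row of Table 8.4 has not been satisfied, which is the usual cause of an IPSec negotiation or EAP-TLS authentication failure. Smart-card user certificates are not covered, because they live on the card rather than in the registry-based user store this function inspects.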

For more information about certificate requirements, see "Network access authentication and certificates" in Help and Support Center for Windows Server 2003.

For more information about deploying certificate services to support L2TP/IPSec, see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.