Install Computer Certificates for IAS Servers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you are using PEAP-EAP-MS-CHAPv2 or EAP-TLS, you must install a computer certificate on your IAS servers. That certificate must be issued by a CA whose certificate chain leads to a root CA that the access clients trust. Likewise, the IAS server must trust the root CA at the top of the chain for the CA that issued the user or computer certificate to the access client.

You can install multiple computer certificates on the IAS servers and configure separate remote access policies to use different computer certificates. However, you can select only a single certificate for all remote access policies that specify authentication by using EAP-TLS.

The server certificate must also contain the Server Authentication purpose in Enhanced Key Usage extensions, and meet other certificate requirements for PEAP and EAP authentication.

To install a certificate on the IAS server, you can use Group Policy and auto-enrollment, the CA Web enrollment tool provided with Certificate Services for Windows Server 2003, or you can request a certificate by using the Certificates snap-in.

For more information about certificate requirements for PEAP and EAP, see "Network access authentication and certificates" in Help and Support Center for Windows Server 2003.
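
The following script is an added example, not part of the original Microsoft documentation. It checks each certificate in the IAS server's Local Computer Personal store against the requirements above: Server Authentication purpose, a private key, a current validity period, and a chain that builds to a root. It assumes Windows PowerShell 2.0 or later is installed on the server; the function name Test-IasServerCertificate is hypothetical.

```powershell
# Added example: audit computer certificates for use with PEAP / EAP-TLS on IAS.
# Assumption: Windows PowerShell 2.0 or later is installed on the server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication purpose (EKU)

function Test-IasServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Collect the purposes listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain using the server's own trust stores. Revocation checking
    # stays at the default (online), so an unreachable CRL appears in ChainStatus.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $root    = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasServerAuth = ($ekuOids -contains $ServerAuthOid)
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidPeriod = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        ChainBuilds   = $chainOk
        ChainStatus   = $status
        RootCA        = $root   # access clients must trust this root
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IasServerCertificate $_ } |
    Select-Object Subject, Thumbprint, HasServerAuth, HasPrivateKey,
                  InValidPeriod, ChainBuilds, ChainStatus, RootCA |
    Format-List
```

ChainBuilds reflects only what the IAS server itself trusts; compare the reported RootCA with the trusted root store on the access clients to confirm the client side of the requirement.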