Integrate IAS with the Certificate Infrastructure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Whether you need a certificate infrastructure for IAS depends on whether you are using EAP-TLS as your authentication protocol. If you are using EAP-TLS, you need a certificate infrastructure for your clients. Otherwise, you do not.

A certificate infrastructure consists of the following components:

  • One or more certificate servers

  • An IAS server with a certificate

  • Clients with certificates

For more information about how to design a certificate infrastructure, see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.

When planning how to distribute certificates to clients, decide the following:

  • Whether to use a computer certificate or a user certificate. Computer certificates are available in Windows Server 2003 and Windows 2000. Use them for servers and for computers on a LAN that do not often move. User certificates are new for Windows Server 2003. Use them for roaming users, such as wireless users.

  • How to install the certificate. After the certification authority (CA) is configured, you can install a certificate in three ways. Table 7.3 shows each method and when to use it.

Table 7.3   Selecting a Certificate Installation Method

Installation Method: By using Group Policy to configure auto-enrollment of computer certificates to computers in a Windows Server 2003 domain.

When to Use: Use this method if you have large numbers of domain member clients that you need to enroll. In this case, setting up a Group Policy takes less time than manually obtaining certificates.

This method has the advantage that, after auto-enrollment is configured and enabled, all domain member computers receive computer certificates at the next Group Policy refresh, whether that refresh is triggered manually with the gpupdate command or by logging on to the domain.

If you use auto-enrollment for user certificates, any user with a valid password can obtain a certificate, so the assurance of your certificate-based authentication is no better than that of password-based authentication.

Installation Method: By using Certificate Manager to obtain a computer certificate.

When to Use: Use this method if you have only a few computers, such as IAS servers.

Installation Method: By using Microsoft Internet Explorer and Web-based enrollment.

When to Use: Use this method if the client is not a member of the domain.

Use this method or smart cards for user certificates.
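Whichever installation method you choose, the IAS server must end up with a usable certificate in its computer store before EAP-TLS clients can authenticate. The following script is an added example, not part of the Deployment Kit text, that audits the local computer's Personal store and reports which certificates are usable for EAP-TLS. It assumes Windows PowerShell 2.0 or later is installed (it is not part of a default Windows Server 2003 installation) and relies on the EAP-TLS requirement, not stated on this page, that the server certificate carry the Server Authentication purpose (OID 1.3.6.1.5.5.7.3.1) and have an associated private key. The 30-day expiry threshold is a constructed value.

```powershell
# Added example (not from the Windows Server 2003 Deployment Kit): audit the
# IAS server's computer certificate store for an EAP-TLS capable certificate.
# Assumes Windows PowerShell 2.0+ and the EAP-TLS Server Authentication
# requirement described in the lead-in; the 30-day threshold is constructed.

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtensionOid = '2.5.29.37'           # id-ce-extKeyUsage
$MinDaysLeft     = 30                    # constructed warning threshold

function Get-CertificatePurposes {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns the EKU OIDs, or $null if the certificate has no EKU extension.
    # Windows treats a certificate without an EKU extension as valid for all purposes.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if (-not $ext) { return $null }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-IasServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinDaysLeft = 30
    )
    $problems = @()
    $now = Get-Date

    # IAS proves its identity to the client with the private key; without it
    # the certificate is just a public record and EAP-TLS cannot use it.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    if ($Certificate.NotBefore -gt $now) { $problems += 'not yet valid' }
    $daysLeft = [int]($Certificate.NotAfter - $now).TotalDays
    if ($daysLeft -lt 0) {
        $problems += 'expired'
    } elseif ($daysLeft -lt $MinDaysLeft) {
        $problems += "expires in $daysLeft days"
    }

    $purposes = Get-CertificatePurposes -Certificate $Certificate
    if ($null -ne $purposes -and $purposes -notcontains $ServerAuthOid) {
        $problems += 'missing Server Authentication purpose'
    }

    # Verify() builds and validates the chain against this computer's trust
    # settings, including revocation checking where the CA publishes a CRL.
    if (-not $Certificate.Verify()) {
        $problems += 'chain does not validate on this computer'
    }

    New-Object PSObject -Property @{
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        Thumbprint      = $Certificate.Thumbprint
        NotAfter        = $Certificate.NotAfter
        UsableForEapTls = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
    }
}

# Audit every certificate in the computer's Personal store.
$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IasServerCertificate -Certificate $_ -MinDaysLeft $MinDaysLeft }

$results | Format-Table Subject, NotAfter, UsableForEapTls, Problems -AutoSize

if (-not ($results | Where-Object { $_.UsableForEapTls })) {
    Write-Warning 'No EAP-TLS capable certificate found in LocalMachine\My.'
    Write-Warning 'On a domain member with auto-enrollment configured, run "gpupdate /target:computer" and re-check.'
}
```

Run the script in an elevated session on the IAS server after enrollment. A certificate that was issued by the CA but shows "no private key" usually means it was imported from a file without its key, and a chain that fails to validate points at a missing root or intermediate CA certificate in the computer's trust stores rather than at the IAS certificate itself.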

For specific information about how to perform these steps, see "Computer certificates for certificate-based authentication" in Help and Support Center for Windows Server 2003.

For more information about certificate enrollment methods and domain membership, see "Network access authentication and certificates" in Help and Support Center for Windows Server 2003.