Windows Server® 2012 Core Network Companion Guide: Server Certificate Deployment
Microsoft Corporation
Published: May, 2012
Authors: James McIllece and Kurt Hudson
Abstract
The Windows Server 2012 Core Network Guide provides instructions for planning and deploying the components required for a fully functioning network and a new Active Directory® domain in a new forest.
This guide explains how to build upon the foundation network by deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both. Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication. Deploying server certificates with Active Directory Certificate Services (AD CS) for EAP and PEAP certificate-based authentication methods provides the following benefits:
- Binding the identity of the NPS or RRAS server to a private key
- A cost-efficient and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
- An efficient method for managing certificates and certification authorities
- Security provided by certificate-based authentication
- The ability to expand the use of certificates for additional purposes
Copyright Information for Core Network Guide Documentation
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, OneApp, SQL Server, Windows, and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Core Network Companion Guide: Server Certificate Deployment
Prerequisites for using this guide
About this guide
Requirements for deploying server certificates
What this guide does not provide
Technology overviews
EAP
EAP in Windows Server 2012
PEAP
Features of PEAP
Active Directory Certificate Services
Server Certificate Deployment Overview
Server certificate deployment components
CA1 running the AD CS server role
CAPolicy.inf
Copy of the RAS and IAS servers certificate template
Additional CA1 configuration
WEB1 running the Web Services (IIS) server role
Virtual directory for the CRL and AIA
DC1 running the AD DS and DNS server roles
Group Policy default domain policy
DNS alias (CNAME) resource record
NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role
Group Policy applied and certificate enrolled to NPS1
Server certificate deployment process overview
Server Certificate Deployment Planning
Plan basic server configuration
Plan domain access
Plan the location and name of the virtual directory on your Web server
Plan a DNS alias (CNAME) record for your Web server
Plan configuration of CAPolicy.inf
Plan configuration of the CDP and AIA extensions on CA1
Plan the copy operation between the CA and the Web server
Plan the configuration of the server certificate template on the CA
Server Certificate Deployment
Create an Alias (CNAME) Record in DNS for WEB1
Configure WEB1 to Distribute Certificate Revocation Lists (CRLs)
Prepare the CAPolicy.inf File
Install the Certification Authority
Configure the CDP and AIA Extensions on CA1
Copy the CA Certificate and CRL to the Virtual Directory
Configure the Server Certificate Template
Configure Server Certificate Autoenrollment
Refresh Group Policy
Verify NPS Server Enrollment of a Server Certificate
Additional Resources
Core Network Companion Guide: Server Certificate Deployment
The Windows Server 2012 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® domain in a new forest.
This guide explains how to build on the core network by providing instructions for deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.
Tip
This guide is also available in Word format at the Microsoft Download Center (
This guide contains the following sections.
Prerequisites for using this guide
About this guide
What this guide does not provide
Technology overviews
Server Certificate Deployment Overview
Server Certificate Deployment Planning
Server Certificate Deployment
Additional Resources
Prerequisites for using this guide
This is a companion guide to the Windows Server 2012 Core Network Guide. To deploy server certificates with this guide, you must first do the following.
Deploy a core network using the Core Network Guide, or already have the technologies provided in the Core Network Guide installed and functioning correctly on your network. These technologies include TCP/IP v4, DHCP, Active Directory Domain Services (AD DS), DNS, NPS, and Web Server (IIS).
Notes
The Windows Server 2012 Core Network Guide is available in the Windows Server 2012 Technical Library (
The Core Network Guide is also available in Word format at the Microsoft Download Center (
About this guide
This guide provides instructions for deploying server certificates to servers running NPS, RRAS, or both, by using ADCS in Windows Server 2012.
Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication.
Deploying server certificates with Active Directory Certificate Services (ADCS) for EAP and PEAP certificate-based authentication methods provides the following benefits:
Binding the identity of the server running NPS or the RRAS server to a private key
A cost-effective and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
An efficient method for managing certificates and certification authorities (CAs)
Security provided by certificate-based authentication
The ability to expand the use of certificates for additional purposes
This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2012 Core Network Guide to deploy a core network, or for those who have previously deployed the technologies included in the Core Network Guide, including Active Directory Domain Services (ADDS), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, Web Server (IIS), and Network Policy Server (NPS).
Important
This guide, which provides instructions for deploying server certificates using an online Enterprise Root certification authority (CA), is designed for small organizations that have limited computing resources. For security reasons - if your organization has the computing resources - it is recommended that you deploy an offline Enterprise Root CA in a two tier public key infrastructure (PKI). For more information, see Additional Resources.
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements for deploying server certificates
Following are the requirements for deploying server certificates:
To deploy server certificates by using autoenrollment, ADCS requires the Windows Server 2012 Standard, Enterprise, or Datacenter operating systems. ADDS must be installed before ADCS is installed. Although ADCS can be deployed on a single server, many deployments involve multiple servers configured as CAs.
To provide computers with access to the Authority Information Access (AIA) and certificate revocation list (CRL) that is generated by your certification authority, you must have a Web server that is properly configured according to the instructions in this guide.
To deploy PEAP or EAP for virtual private networks (VPNs), you must deploy RRAS configured as a VPN server. The use of NPS is optional; however, if you have multiple VPN servers, using NPS is recommended for ease of administration and for the RADIUS accounting services that NPS provides.
To deploy PEAP or EAP for Remote Desktop Gateway (RDGateway), you must deploy RDGateway and NPS.
Note
In previous versions of Windows Server, Remote Desktop Services was named Terminal Services.
To deploy PEAP or EAP for 802.1X secure wired or wireless, you must deploy NPS and additional hardware, such as 802.1X-capable switches and wireless access points.
To deploy certificate-based authentication methods that require certificates for user and computer authentication in addition to requiring certificates for server authentication, such as EAP with Transport Layer Security (EAP-TLS) or PEAP-TLS, you must also deploy user or computer certificates through autoenrollment or by using smart cards.
What this guide does not provide
This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using ADCS. It is recommended that you review ADCS documentation and PKI design documentation before deploying the technologies in this guide. For more information, see the Additional Resources section later in this document.
This guide does not provide instructions on how to install Web Server (IIS) or Network Policy Server technologies on server computers; those instructions are provided in the Core Network Guide.
This guide also does not provide detailed instructions for deploying the network access technologies for which server certificates can be used.
Technology overviews
Following are technology overviews for EAP, PEAP, and ADCS.
EAP
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to an increasing demand for authentication methods that use security devices such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.
With EAP, an arbitrary authentication mechanism is used to verify the identities of the client and server that are establishing a network access connection. The exact authentication scheme to be used is negotiated by the access client and the authenticator - the network access server or the Remote Authentication Dial-In User Service (RADIUS) server.
With EAP authentication, both the network access client and the authenticator (such as the server running NPS) must support the same EAP type for successful authentication to occur.
Important
Strong EAP types, such as those that are based on certificates, offer better security against brute-force attacks, dictionary attacks, and password-guessing attacks than password-based authentication protocols, such as CHAP or MS-CHAP, version 1.
EAP in Windows Server 2012
Windows Server 2012 includes an EAP infrastructure, EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS) such as NPS.
By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2012 are:
Transport Layer Security (TLS). EAP-TLS requires the use of computer certificates or user certificates, in addition to server certificates that are enrolled to computers running NPS.
Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2). This EAP type is a password-based authentication protocol. When used within EAP as the authentication method EAP-MS-CHAP v2, NPS and RRAS servers provide a server certificate as proof of identity to client computers, while users prove their identity with a user name and password.
Tunneled Transport Layer Security (TTLS). EAP-TTLS is new in Windows Server 2012 and is not available in other versions of Windows Server. EAP-TTLS is a standards-based EAP tunneling method that supports mutual authentication. EAP-TTLS provides a secure tunnel for client authentication using EAP methods and other legacy protocols. EAP-TTLS also provides you with the ability to configure EAP-TTLS on client computers for network access solutions in which non-Microsoft Remote Authentication Dial In User Service (RADIUS) servers that support EAP-TTLS are used for authentication.
In addition, you can install other non-Microsoft EAP modules on the server running NPS or Routing and Remote Access to provide other EAP authentication types. In most cases, if you install additional EAP types on servers, you must also install matching EAP client authentication components on client computers so that the client and server can successfully negotiate an authentication method to use for connection requests.
PEAP
PEAP uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running NPS or other RADIUS server.
PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS-encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers:
802.1X-capable wireless access points
802.1X-capable authenticating switches
Computers running Windows Server 2012 or Windows Server 2008 R2 and RRAS that are configured as VPN servers
Computers running Windows Server 2012 or Windows Server 2008 R2 and RDGateway
Features of PEAP
To enhance the EAP protocols and network security, PEAP provides:
A TLS channel that provides protection for the EAP method negotiation that occurs between the client and server. This TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial of service attacks against the server running NPS.
Support for the fragmentation and reassembly of messages, which allows the use of EAP types that do not provide this functionality.
The ability for clients to authenticate the NPS or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
Protection against the deployment of an unauthorized wireless access point at the moment when the EAP client authenticates the certificate provided by the server running NPS. In addition, the TLS master secret that is created by the PEAP authenticator and the client is not shared with the access point. Because of this, the access point cannot decrypt the messages that are protected by PEAP.
PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. Fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for the client and the server, and it minimizes the number of times that users are prompted for credentials.
Active Directory Certificate Services
ADCS in Windows Server 2012 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use ADCS to enhance security by binding the identity of a person, device, or service to a corresponding public key. ADCS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.
Server Certificate Deployment Overview
This topic contains the following sections.
Server certificate deployment components
Server certificate deployment process overview
Server certificate deployment components
You can use this guide to install Active Directory® Certificate Services (ADCS) as an Enterprise root certification authority (CA) and to enroll a server certificate to servers running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.
If you deploy certificate-based authentication, servers running NPS and RRAS are required to use a server certificate to prove their identities to client computers that are attempting to connect to the network.
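The following Windows PowerShell script is an added example, not code from the guide or from Microsoft: run on the NPS server (NPS1) after the enrollment steps, it checks that the autoenrolled certificate has a private key and the Server Authentication EKU, carries this host's FQDN, chains to the CA with online revocation checking, and that the CDP and AIA URLs it points to on the Web server actually answer. The template display name in $TemplateName is an assumed placeholder to replace with the name of your copy of the RAS and IAS Server template.

```powershell
# Added example (not from the guide): verify server certificate enrollment on NPS1
# and reachability of the CDP/AIA locations published on WEB1.
# Requires Windows PowerShell 3.0 or later; run in an elevated session.
# ASSUMPTION: $TemplateName is the display name of your copy of the
# "RAS and IAS Server" template; the default below is a placeholder.
param(
    [string]$TemplateName = 'RAS and IAS Server Copy'   # placeholder, adjust
)
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required by PEAP/EAP clients
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Extract http(s) URLs from an extension: CDP is 2.5.29.31, AIA is 1.3.6.1.5.5.7.1.1.
function Get-ExtensionUrl([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
                          [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
}

# 1. Locate the enrolled certificate: machine store, private key present,
#    Server Authentication EKU, issued from the copied template.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
    $c.HasPrivateKey -and ($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) -and
        ("$tmpl" -like "*$TemplateName*")
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate from template '$TemplateName' with a private key found." }
"Found $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

# 2. Clients validate the server name; the certificate must carry this host's FQDN.
$names = @($cert.DnsNameList.Unicode)
if ($names -notcontains $Fqdn) {
    Write-Warning "Certificate names [$($names -join ', ')] do not include $Fqdn"
}

# 3. Build the chain with online revocation checking, which pulls the CRL from the CDP.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # X509RevocationMode
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # the root has no CRL of its own
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain builds to $($root.Subject) and revocation status is current"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}

# 4. Fetch every HTTP CDP/AIA URL directly; clients cannot check revocation if these are down.
$urls = @(Get-ExtensionUrl $cert '2.5.29.31') + @(Get-ExtensionUrl $cert '1.3.6.1.5.5.7.1.1')
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "HTTP $($r.StatusCode)  $($r.RawContentLength) bytes  $u"
    } catch { Write-Warning "Unreachable: $u ($($_.Exception.Message))" }
}
```

A warning from step 3 or 4 usually means the CRL or CA certificate was not copied to the virtual directory on WEB1, or the CDP/AIA extensions on CA1 point to a name that does not resolve.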
The following illustration shows the components that are required to deploy server certificates to your NPS server.
Note