Certificate-based Authentication Protocols

Applies To: Windows Server 2008, Windows Server 2008 R2

Certificates are digital documents that are issued by certification authorities (CAs), such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. Certificates can be used for many purposes, such as code signing and securing e-mail communication, but with Network Policy Server (NPS), certificates are used for network access authentication.

Certificates are used for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less secure password-based authentication methods.

In this section

Two authentication methods, when configured with certificate-based authentication types, use certificates: Extensible Authentication Protocol (EAP) and Protected EAP (PEAP). With EAP, you can configure the authentication type EAP-Transport Layer Security (EAP-TLS); with PEAP, you can configure the authentication types TLS (PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). These authentication methods always use certificates for server authentication. Depending on the authentication type configured with the authentication method, certificates might also be used for user authentication and client computer authentication.

Note

The use of certificates for authentication of virtual private network (VPN) connections is the strongest form of authentication available in Windows Server® 2008. You must use certificate-based authentication for VPN connections based on Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec). Point-to-Point Tunneling Protocol (PPTP) connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients, PEAP with EAP-TLS and smart cards or certificates is the recommended authentication method.

You can deploy certificates for use with NPS by installing and configuring the Active Directory Certificate Services (AD CS) server role. For more information, see the AD CS documentation.

Certificate types

When you use certificate-based authentication methods, it is important to understand the following types of certificates and how they are used:

  • CA certificate

    Installed on client and server computers and used to tell the client or server that it can trust other certificates, such as certificates used for client or server authentication, that are issued by this CA. This certificate is required for all deployments of certificate-based authentication methods.

  • Client computer certificate

    Issued to client computers by a CA and used when the client computer needs to prove its identity to a server running NPS during the authentication process.

  • Server certificate

    Issued to NPS servers by a CA and used when the NPS server needs to prove its identity to client computers during the authentication process.

  • User certificate

    Issued to individuals by a CA and typically distributed as a certificate that is embedded on a smart card. The certificate on the smart card is used, along with a smart card reader that is attached to the client computer, when individuals need to prove their identity to NPS servers during the authentication process.

Certificate deployments and Active Directory replication

Some authentication methods, such as PEAP and EAP, can use certificates for authentication of computers and users. Latency in Active Directory replication might temporarily affect the ability of a client or server to obtain a certificate from a certification authority (CA). If a computer configured to use certificates for authentication cannot enroll a certificate, authentication fails.

This latency in Active Directory replication can affect your network access authentication infrastructure because the certificates used for client and server authentication are issued by CAs to domain member computers. In the moments after you have joined a client or server computer to the domain, it is possible that the only Active Directory global catalog server that has a record of the client or server computer's domain membership is the domain controller that handled the join request.

After a computer is joined to the domain, a restart of the computer is required. After the computer restarts and you log on to the domain, Group Policy is applied. If you have previously configured the auto-enrollment of client computer certificates or, for NPS servers, server certificates, this is the moment at which the new domain member computer requests a certificate from a CA.

Note

You can manually refresh Group Policy by logging on to the domain or by running the gpupdate command.

The CA in turn checks Active Directory to determine whether or not to issue a certificate to the client or server that has requested it. If the computer account has replicated across the domain, the CA can determine whether the client or server has the security permissions required to enroll a certificate. If the computer account has not yet replicated across the domain, however, the CA might not be able to verify that the client or server has the security permissions to enroll a certificate.

If this occurs, the CA does not enroll a certificate to the client or server computer. This circumstance has the following effect:

  • If a domain member client computer cannot enroll a client computer certificate, the client computer cannot be successfully authenticated by NPS servers when attempting to connect to the network by using any network access servers that are configured as RADIUS clients in NPS where the required authentication method is either EAP-TLS or PEAP-EAP-TLS. For example, if you have deployed RADIUS clients that are 802.1X wireless access points and you are using PEAP-EAP-TLS as your authentication method, client computers that do not have a client computer certificate cannot be authenticated and cannot access network resources.

  • If a domain member NPS server cannot enroll a server certificate, the NPS server cannot be successfully authenticated by client computers when they are attempting to connect to the network by using any network access servers that are configured as RADIUS clients in NPS where the required authentication method is EAP-TLS, PEAP-EAP-TLS, or PEAP-MS-CHAP v2, and where clients have the Validate server certificate setting enabled. These authentication methods provide mutual authentication, where both the access client and the NPS server authenticate each other, and the NPS server must have a server certificate to be successfully authenticated by client computers. If the NPS server does not have a server certificate, all connection requests that it receives where these authentication methods are required will fail, because client computers are unable to authenticate the NPS server.

For this reason, when you deploy certificate-based authentication methods, it is recommended that you design Active Directory replication times and the deployment of subordinate CAs in such a manner that you diminish the possibility that slow replication might negatively impact your network access authentication infrastructure.
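The following PowerShell script is an added diagnostic, not part of this documentation or of NPS itself. It checks the two conditions described above on a newly joined domain member: that the computer account is already visible on every domain controller, and that a trusted certificate of the type needed for EAP-TLS or PEAP (Server Authentication EKU on an NPS server, Client Authentication EKU on a client computer) is present in the machine store. It assumes the ActiveDirectory module (RSAT) is installed and that the script runs on the computer being checked.

```powershell
# Added diagnostic (not from the NPS documentation). Assumes the ActiveDirectory
# module is available and that this runs on the domain member being checked.
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Server'   # 'Server' on an NPS server, 'Client' on an access client
)
Import-Module ActiveDirectory

# EKU OIDs that EAP-TLS / PEAP require on the authenticating certificate.
$requiredEku = @{ Server = '1.3.6.1.5.5.7.3.1'; Client = '1.3.6.1.5.5.7.3.2' }[$Role]

function Test-EkuPresent([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $Oid) { return $true } }
        }
    }
    return $false
}

# 1. Has this computer's account replicated to every domain controller?
#    Until it has, the CA may be unable to verify enroll permissions and will refuse the request.
$name = $env:COMPUTERNAME
$missing = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'" -Server $dc.HostName)) { $dc.HostName }
    } catch { "$($dc.HostName) (unreachable)" }
}
if ($missing) {
    Write-Warning "Computer account '$name' not yet visible on: $($missing -join ', ')"
    Write-Warning "Wait for replication before relying on certificate autoenrollment."
} else {
    Write-Host "Computer account '$name' is present on all domain controllers."
}

# 2. Is a usable certificate of the required type in the machine store?
#    Verify() builds the chain, so it also confirms the issuing CA certificate is trusted.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-EkuPresent $_ $requiredEku) -and $_.Verify() } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($cert) {
    Write-Host ("{0} certificate OK: {1}, issued by {2}, expires {3}" -f $Role, $cert.Subject, $cert.Issuer, $cert.NotAfter)
} else {
    Write-Warning "No trusted $Role-authentication certificate with a private key was found."
    Write-Warning "Refresh Group Policy (gpupdate /force) and retrigger autoenrollment (certutil -pulse)."
}
```

Run it with `-Role Client` on an access client and with the default `-Role Server` on an NPS server; a warning from step 1 explains a failed enrollment in step 2 even when autoenrollment policy is correct.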