Machine Certificates for L2TP/IPSEC

[Wil]

Hi,

I have set up a test lab with 3 computers and one Server.
One of the computers was set up as a certificate server
(Stand alone) and the Server was set up to do L2TP/Ipsec.
The 4 computers are not in a domain. Everything works
fine. For L2TP/IPSEC machine certificates are needed to be
installed on both the client PC and the VPN Server. What I
am trying to do is make sure that for every user that is
meant to access the VPN server a machine certificate is
installed on both the server and the client pc are
installed so that in case the user's Laptop gets stolen
then all what needs to be done is delete the certificate
for that user from the VPN server. I need ideas on how to
go about doing that? How do I associate a certain MACHINE
CERTIFICATE with a particular user?

Help would be greatly appreciated.
Thanks

 

[Steven L Umbach]

You can't really associate a machine certificate with a user. You can restrict who
can log onto a computer via user right assignments. Certificates are not deleted from
a CA, they are revoked and published in the CRL which is available to users/computer
via a share or download via Certificate Web Services. A bigger concern is that users
not be allowed to save their logon credentials for vpn logon via the vpn client
connection. If a laptop is stolen, it is fairly easy to reset the administrators
password and if the vpn logon credentials are saved, bingo they are in your network.
You may want to activate a boot/hard disk access password on the laptops if they can
be configured, but if that password is lost then you probably need to send the laptop
to the manufacturer to have it reset. See related links below. ---Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;313281

 

[loeki]

-----Original Message-----
Hi,

I have set up a test lab with 3 computers and one Server.
One of the computers was set up as a certificate server
(Stand alone) and the Server was set up to do L2TP/Ipsec.
The 4 computers are not in a domain. Everything works
fine. For L2TP/IPSEC machine certificates are needed to be
installed on both the client PC and the VPN Server. What I
am trying to do is make sure that for every user that is
meant to access the VPN server a machine certificate is
installed on both the server and the client pc are
installed so that in case the user's Laptop gets stolen
then all what needs to be done is delete the certificate
for that user from the VPN server. I need ideas on how to
go about doing that? How do I associate a certain MACHINE
CERTIFICATE with a particular user?

Help would be greatly appreciated.
Thanks

.

 

[Laudon Williams [MSFT]]

Machine certificates are machine certificates because they are associated
(by name) to the machine. There is no way to associate them to the user. The
link below has a lot of good information on Microsoft's PKI and how it
works:
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx