Computer certificates for certificate-based authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Computer certificates for certificate-based authentication

Before using Extensible Authentication Protocol-Transport Level Security (EAP-TLS), you must install a computer certificate (also known as a machine certificate) on the Internet Authentication Service (IAS) server computer. The installed computer certificate must be issued from a certification authority (CA) that can follow a certificate chain to a root CA that is trusted by the access clients. Additionally, in order for the IAS server to validate the user or computer certificate of the access client, the IAS server must install the certificate of the root CA that issued the user or computer certificate to the access clients.

For more information, see Network access authentication and certificates.

To install a computer certificate, a CA must be available to issue certificates. After the CA is configured, you can install a computer certificate on the IAS server:

  • By configuring the automatic allocation of computer certificates to computers in an Active Directory domain.

  • By using Certificate Manager to obtain a computer certificate.

  • By using Microsoft Internet Explorer and Web-based enrollment.

To configure a CA and install the computer certificate, complete the following steps:

  1. Install the Certificate Services component as an enterprise root CA. For more information, see Install an enterprise root certification authority. This step is only required if you do not already have an enterprise root CA.

    If necessary, configure the computer that is the CA to be a domain controller.

  2. To install the computer certificates through auto-enrollment, configure Group Policy on the Active Directory domain for automatic allocation of computer certificates. For more information, see Configure automatic certificate allocation from an enterprise CA.

    To create a computer certificate for the IAS server that is a member of the domain for which auto-enrollment is configured (and other computers that are members of the domain), restart the computer or type gpupdate /target:computer from a Command Prompt.

  3. To manually enroll computer certificates, use Certificate Manager to install both the CA root certificate of the access client and the computer certificate for the IAS server. For more information, see Manage certificates for a computer and Request a certificate.

  4. To manually enroll computer certificates with Internet Explorer, see Submit an advanced certificate request via the Web.


  • While Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition allow you to install multiple computer certificates, only a single certificate can be selected for all remote access policies that specify authentication through EAP-TLS.

  • An IAS server does not use a new certificate revocation list (CRL), which is published by the certification authority (CA), until the old CRL has expired. If a certificate has expired and the IAS server is checking against an old but unexpired CRL, the IAS server will allow clients with revoked certificates to connect to the network. To prevent this from happening, you can publish CRLs with short expiration times (one hour or longer).

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.