Core Network Companion Guide: Deploying Server Certificates
Applies To: Windows Server 2008 R2
This is a companion guide to the Windows Server® 2008 R2 Core Network Guide, which is available in the Windows Server® 2008 and Windows Server® 2008 R2 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154884).
The Core Network Guide is also available in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=157742.
The Windows Server 2008 R2 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® domain in a new forest.
This guide explains how to build on the core network by providing instructions for deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.
Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication.
Deploying server certificates with Active Directory Certificate Services (AD CS) for EAP and PEAP certificate-based authentication methods provides the following benefits:
Binding the identity of the server running NPS or the RRAS server to a private key
A cost-effective and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
An efficient method for managing certificates and certification authorities (CAs)
Security provided by certificate-based authentication
The ability to expand the use of certificates for additional purposes
About this guide
This guide provides instructions for deploying server certificates to servers running NPS, RRAS, or both, by using AD CS in Windows Server 2008 R2.
This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2008 R2 Core Network Guide to deploy a core network, or for those who have previously deployed the technologies included in the Core Network Guide, including Active Directory Domain Services (AD DS), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, Network Policy Server (NPS), and Windows Internet Name Service (WINS).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Following are the requirements for using certificates:
To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2008 R2 Enterprise or Datacenter operating systems. AD DS must be installed before AD CS is installed. Although AD CS can be deployed on a single server, many deployments involve multiple servers configured as CAs.
To deploy PEAP or EAP for virtual private networks (VPNs), you must deploy RRAS configured as a VPN server. The use of NPS is optional; however, if you have multiple VPN servers, using NPS is recommended for ease of administration and for the RADIUS accounting services that NPS provides.
To deploy PEAP or EAP for Remote Desktop Gateway (RD Gateway), you must deploy RD Gateway and NPS.
In previous versions of Windows Server, Remote Desktop Services was named Terminal Services.
To deploy PEAP or EAP for 802.1X secure wired or wireless, you must deploy NPS and additional hardware, such as 802.1X-capable switches and wireless access points.
To deploy certificate-based authentication methods that require certificates for user and computer authentication in addition to requiring certificates for server authentication, such as EAP with Transport Layer Security (EAP-TLS) or PEAP-TLS, you must also deploy user or computer certificates through autoenrollment or by using smart cards.
What this guide does not provide
This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS documentation and PKI design documentation before deploying the technologies in this guide. For more information, see the Additional Resources section later in this document.
This guide also does not provide detailed instructions for deploying the network access technologies for which server certificates can be used.
Following are technology overviews for EAP, PEAP, and AD CS.
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to an increasing demand for authentication methods that use security devices such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.
With EAP, an arbitrary authentication mechanism is used to verify the identities of the client and server that are establishing a network access connection. The exact authentication scheme to be used is negotiated by the access client and the authenticator (the network access server or the RADIUS server).
With EAP authentication, both the network access client and the authenticator (such as the server running NPS) must support the same EAP type for successful authentication to occur.
Strong EAP types, such as those that are based on certificates, offer better security against brute-force attacks, dictionary attacks, and password-guessing attacks than password-based authentication protocols, such as CHAP or MS-CHAP, version 1.
EAP in Windows Server 2008
Windows Server 2008 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS) such as NPS.
By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are:
Transport Layer Security (TLS)
Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2)
In addition, you can plug other EAP modules into the server running RRAS to provide other EAP methods.
PEAP uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running NPS or other Remote Authentication Dial-In User Service (RADIUS) server.
PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS-encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers:
802.1X-capable wireless access points
802.1X-capable authenticating switches
Computers running Windows Server 2008 R2 and RRAS that are configured as VPN servers
Computers running Windows Server 2008 R2 and RD Gateway
Features of PEAP
To enhance the EAP protocols and network security, PEAP provides:
A TLS channel that provides protection for the EAP method negotiation that occurs between the client and server. This TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial of service attacks against the server running NPS.
Support for the fragmentation and reassembly of messages, which allows the use of EAP types that do not provide this functionality.
Clients with the ability to authenticate the NPS or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
Protection against the deployment of an unauthorized wireless access point at the moment when the EAP client authenticates the certificate provided by the server running NPS. In addition, the TLS master secret that is created by the PEAP authenticator and the client is not shared with the access point. Because of this, the access point cannot decrypt the messages that are protected by PEAP.
PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. Fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for the client and the server, and it minimizes the number of times that users are prompted for credentials.
Active Directory Certificate Services
AD CS in Windows Server 2008 R2 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.