Joining a Windows Vista Wireless Client to a Domain

Writer: Joe Davies

On This Page

Abstract
Introduction
Methods for Joining a Wireless Client to a Domain
Appendix A: Configuring a Bootstrap Wireless Profile
Appendix B: Joining a Windows Vista client to a Domain
For More Information

Abstract

Wireless client computers running Microsoft® Windows Vista™ can use a temporary wireless profile to obtain connectivity to a secure wireless network and join the Active Directory domain. This temporary wireless profile, known as a bootstrap wireless profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wireless client uses a new wireless profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes three methods of configuring a bootstrap wireless network profile.

Introduction

Wireless clients need either domain credentials (name/password) or a certificate to perform authentication for secure wireless access. To join the domain and receive domain credentials or certificates, wireless client computers need a successful connection to the wireless network that contains the domain controllers of the domain. To access a secure wireless network and join a computer to a domain, the wireless client user must manually provide their domain user name and password. Once connected to the wireless network, the wireless client user can join the computer to the domain.

In 802.1X-authenticated wireless networks, wireless clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wireless client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wireless client. This behavior can be disabled, but is not recommended in production environments.

If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed on the wireless client, the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain.

If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server® 2003 Certificate Services), a wireless client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wireless client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.

This article describes methods that configure Windows Vista-based wireless clients with a wireless profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wireless network, the wireless client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure the wireless profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.

Methods for Joining a Wireless Client to a Domain

This section describes the following methods for joining a wireless client to a domain:

  • IT staff joins a wireless computer to the domain and configures a Single Sign On bootstrap wireless profile

  • User configures their wireless computer with a bootstrap wireless profile using an XML file and joins the domain

  • User manually configures wireless computer with bootstrap wireless profile and joins the domain

IT Staff Joins Wireless Computer to the Domain and Configures a Single Sign On Bootstrap Wireless Profile

In this method, an IT administrator joins the wireless computer to the domain before distributing it to the user. When the user starts the computer, the credentials that they manually specify for the user logon are used to both establish a connection to the wireless network and log on to the domain.

The following are the steps for this method:

  1. An IT administrator joins the new wireless computer to the domain (for example, through an Ethernet connection that does not require IEEE 802.1X authentication) and adds a bootstrap wireless profile to the computer with the following settings:

    • PEAP-MS-CHAP v2 authentication

      • Validate RADIUS server certificate disabled

    • Single Sign On enabled

    Single Sign On is a new feature for Windows Vista wireless clients that performs 802.1X authentication based on the network security configuration during the user logon process. For this bootstrap wireless profile, the IT administrator specifies that Single Sign On perform 802.1X authentication immediately before user logon.

  2. The IT administrator distributes the new wireless computer to the user.

  3. When the user starts the computer, Windows Vista prompts the user to enter their domain user account name and password. Because Single Sign On is enabled, the computer uses the domain user account credentials to first establish a connection with the wireless network and then log on to the domain.

Single Sign On is required for this bootstrap wireless profile because even though the computer is joined to the domain, the user has never logged on to the computer. If the computer does not have a network connection when the user attempts to log on for the first time, the logon will fail because the computer is unable to verify the user account credentials with a domain controller. Therefore, the network connection must be established first. Single Sign On uses the same user account credentials to establish a wireless connection and to log on to the domain. After the user has successfully logged on, subsequent user logons can utilize cached credentials.

User Configures Their Wireless Computer with a Bootstrap Wireless Profile Using an XML File and Joins the Domain

In this method, the user configures their wireless computer with a bootstrap wireless profile using an XML file and script that has been configured by an IT administrator. The bootstrap wireless profile configured by the XML file allows the user to establish a wireless connection and then join the domain.

The following are the steps for this method:

  1. An IT administrator configures another Windows Vista-based wireless computer with a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

  2. The IT administrator extracts the bootstrap wireless profile to an XML file with the netsh wlan export profile command (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article) and creates a script file to execute that will automatically add the profile on the user's computer.

  3. The IT administrator distributes the new wireless computer, the XML file containing the bootstrap wireless profile, and the script file to the user using an appropriate method. The script file contains the netsh wlan add profile XML_File_Name Connection_Name command.

    For example, the XML file can be stored on a USB flash drive with a script for the user to run to add the bootstrap wireless profile.

  4. The user starts the computer and performs a logon using a local computer account.

  5. The user runs the script file to add the bootstrap wireless profile.

  6. After the script is run, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.

  7. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.

  8. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

User Manually Configures Wireless Computer With a Bootstrap Profile and Joins the Domain

In this method, the user manually configures their wireless computer with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain.

The following are the steps for this method:

  1. The IT administrator distributes to the user the instructions for configuring a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

  2. The user starts the computer and performs a logon using a local computer account.

  3. The user executes the steps in the instructions to configure the bootstrap wireless profile (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article).

  4. After the bootstrap wireless profile is configured, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.

  5. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.

  6. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

Appendix A: Configuring a Bootstrap Wireless Profile

To configure a bootstrap wireless profile, do the following:

  1. From the Connect to a network dialog box, click I don't see what I want to connect to. You can access the Connect to a network dialog box from many locations in Windows Vista, including the following:

    • From the wireless connection icon in the notification area of the desktop

    • From the Connect/disconnect wireless networks link in Control Panel-Network Connections

    • From the context menu of a wireless network adapter in Control Panel-Network Connections

  2. In the Select a connection option page, click Set up a network.

  3. In the Enter information for the wireless network you want to add page, configure the following:

    • Network name Type the name of the wireless network.

    • Security type Select the method used to authenticate a connection to the wireless network (WEP (802.1x), WPA-Enterprise, or WPA2-Enterprise).

    • Encryption type Select the method used to encrypt data frames sent over the wireless network (WEP, TKIP, or AES).

  4. Click Next.

  5. Click Change connection settings.

  6. Click the Security tab and select the Protected EAP (PEAP) method under Choose a network authentication method. Click Settings.

  7. In the Protected EAP (PEAP) Properties dialog box, clear the Validate server certificate check box.

  8. Click OK twice, and then click Close.

To export the settings of this bootstrap wireless profile to an XML file, type the following command:

netsh wlan export profile XML_File_Name Profile_Name Connection_Name

  • XML_File_Name is the name of the XML file that will store the wireless profile settings.

  • Profile_Name is the name of the wireless profile being exported.

  • Connection_Name is the name of the wireless adapter for which the wireless profile has been configured.
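The exported XML is what an administrator ends up handing to users, and a bootstrap profile that is never replaced leaves a client permanently skipping RADIUS server certificate validation. The following audit script is an added example, not code from the article or from Microsoft: it parses the profile XML that netsh wlan export profile produces and reports whether the PEAP settings match the bootstrap configuration described above (server validation off, user prompted for credentials). The namespaces are those used by exported profiles; the constructed TEMPLATE is a reduced skeleton containing only the elements the check reads, and the thumbprint value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces used by exported WLAN profiles (netsh wlan export profile).
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
    "h": "http://www.microsoft.com/provisioning/EapHostConfig",
    "b": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "p": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "p2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
    "m": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}

# Constructed skeleton of a PEAP-MS-CHAP v2 profile, reduced to the elements
# the check reads; a real export carries more, which audit_profile ignores.
TEMPLATE = """<WLANProfile xmlns="{w}"><name>{name}</name><MSM><security>
<OneX xmlns="{x}"><EAPConfig><EapHostConfig xmlns="{h}"><Config>
<Eap xmlns="{b}"><Type>25</Type><EapType xmlns="{p}">
<ServerValidation><ServerNames>{servers}</ServerNames>{roots}</ServerValidation>
<Eap xmlns="{b}"><Type>26</Type><EapType xmlns="{m}">
<UseWinLogonCredentials>{sso}</UseWinLogonCredentials></EapType></Eap>
<PeapExtensions><PerformServerValidation xmlns="{p2}">{validate}</PerformServerValidation>
</PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX></security></MSM></WLANProfile>"""


def build_profile(name, validate, sso, servers="", roots=()):
    """Render a constructed profile; validate=False is the bootstrap setting."""
    root_xml = "".join(f"<TrustedRootCA>{r}</TrustedRootCA>" for r in roots)
    return TEMPLATE.format(name=name, servers=servers, roots=root_xml,
                           sso=str(sso).lower(), validate=str(validate).lower(), **NS)


def audit_profile(xml_text):
    """Return the profile name, whether it is a bootstrap profile, and findings."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    peap = root.find(".//p:EapType", NS)
    if peap is None:
        return {"name": name, "bootstrap": False, "findings": ["not a PEAP profile"]}
    findings = []
    # The "Validate server certificate" check box maps to PerformServerValidation.
    validates = peap.findtext("p:PeapExtensions/p2:PerformServerValidation",
                              default="true", namespaces=NS).strip().lower() == "true"
    if not validates:
        findings.append("RADIUS server certificate validation is disabled")
    elif peap.find("p:ServerValidation/p:TrustedRootCA", NS) is None:
        findings.append("validation enabled but no trusted root CA selected")
    # false means the user is prompted for credentials instead of reusing logon ones.
    sso = peap.findtext(".//m:UseWinLogonCredentials", default="false", namespaces=NS)
    if sso.strip().lower() != "true":
        findings.append("profile prompts for credentials instead of using domain logon")
    return {"name": name, "bootstrap": not validates, "findings": findings}
```

Run it over every file produced by netsh wlan export profile on a client to spot bootstrap profiles that should have been replaced after the domain join.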

Appendix B: Joining a Windows Vista client to a Domain

After successfully connecting to the secure wireless network, use Control Panel-System to do the following:

  1. Under Computer name, domain, and workgroup settings, click Change settings.

  2. From the System Properties dialog box, click Change.

  3. In the Computer Name Changes dialog box, type the computer name in Computer name. Click Domain and type the Active Directory domain name.

  4. Click OK.

  5. When prompted, type your domain name and password to join the computer to the domain.

  6. Restart the computer when prompted.

When the computer is restarted, it automatically authenticates to the wireless network using the computer's domain account credentials or certificate.

For More Information

For more information, consult the following resources: