Configure Certificate Templates for PEAP and EAP Requirements

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

All certificates used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) must meet the requirements for X.509 certificates and must work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Client and server certificates each have additional requirements, listed below.

Important

This topic provides instructions for configuring certificate templates. To use these instructions, you must have deployed your own public key infrastructure (PKI) with Active Directory Certificate Services (AD CS).

Minimum server certificate requirements

With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the NPS server must use a server certificate that meets the minimum server certificate requirements.

Client computers can be configured to validate server certificates by using the Validate server certificate option, either on the client computer or through Group Policy.

A client computer accepts the server's authentication attempt when the server certificate meets the following requirements:

  • The Subject name contains a value. If you issue a certificate with a blank Subject name to the server running Network Policy Server (NPS), that certificate is not available to authenticate the NPS server. To configure the certificate template with a Subject name:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Subject name format, select a value other than None.
  • The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that CryptoAPI performs or that the remote access policy or network policy specifies.

  • The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in the Extended Key Usage (EKU) extension. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)

  • The server certificate is configured with RSA as the required algorithm. To configure the required cryptography setting:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Cryptography tab. In Algorithm name, click RSA. Ensure that Minimum key size is set to 2048.
  • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the Domain Name System (DNS) name of the enrolling server:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select DNS name.

When using PEAP and EAP-TLS, NPS servers display a list of all certificates installed in the computer certificate store, with the following exceptions:

  • Certificates that do not contain the Server Authentication purpose in the EKU extension are not displayed.

  • Certificates that do not contain a Subject name are not displayed.

  • Registry-based and smart card logon certificates are not displayed.
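The following script is an added example, not code from the original page: it walks the local computer's Personal certificate store on an NPS server and reports, for each certificate, which of the server certificate requirements listed above it meets (non-empty Subject, chain to a trusted root under the Server Authentication application policy, Server Authentication EKU, RSA key of at least 2048 bits, DNS name present in the SAN when a SAN exists, and a private key; smart card logon certificates are flagged by their EKU). It assumes Windows PowerShell 5.1 on Windows Server 2016 with CryptoAPI formatting of the SAN extension; the default for the DNS name is this host's FQDN, and the store path is a parameter.

```powershell
# Added example (not from the original page): report which certificates in the
# local computer store satisfy the NPS server certificate requirements above.
# Assumptions: run elevated on the NPS server under Windows PowerShell 5.1;
# $DnsName defaults to this host's FQDN; $StorePath defaults to LocalMachine\My.

$OID_SERVER_AUTH     = '1.3.6.1.5.5.7.3.1'        # Server Authentication (from the page)
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU (assumed, well-known OID)

function Get-SanDnsNames {
    # Returns the DNS names carried in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # CryptoAPI formats the extension as "DNS Name=a.example.com, DNS Name=b.example.com, ..."
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-EkuOids {
    # Returns the purpose OIDs in the Extended Key Usage extension (OID 2.5.29.37), or an empty list.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return @() }
    @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-NpsServerCertificate {
    param(
        [string]$DnsName   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @(Get-EkuOids -Cert $cert)
        $san  = @(Get-SanDnsNames -Cert $cert)

        # Build the chain the way CryptoAPI does for a TLS server: require the
        # Server Authentication application policy and check revocation online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $OID_SERVER_AUTH))
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # GetRSAPublicKey returns $null for non-RSA keys (ECDSA, DSA).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        $r = [pscustomobject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            HasSubjectName      = -not [string]::IsNullOrWhiteSpace($cert.Subject)
            ChainsToTrustedRoot = $chainOk
            ChainStatus         = $chainStatus
            HasServerAuthEku    = $ekus -contains $OID_SERVER_AUTH
            IsSmartCardLogon    = $ekus -contains $OID_SMARTCARD_LOGON
            IsRsa2048OrLonger   = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
            # The page requires the DNS name only "if" a SAN is present, so no SAN passes.
            SanHasDnsName       = ($san.Count -eq 0) -or ($san -contains $DnsName)
            SanDnsNames         = $san -join ';'
            HasPrivateKey       = $cert.HasPrivateKey
        }
        $r | Add-Member -PassThru -NotePropertyName UsableByNps -NotePropertyValue (
            $r.HasSubjectName -and $r.ChainsToTrustedRoot -and $r.HasServerAuthEku -and
            (-not $r.IsSmartCardLogon) -and $r.IsRsa2048OrLonger -and $r.SanHasDnsName -and $r.HasPrivateKey
        )
    }
}

Test-NpsServerCertificate |
    Format-Table Thumbprint, UsableByNps, HasSubjectName, ChainsToTrustedRoot, HasServerAuthEku,
                 IsRsa2048OrLonger, SanHasDnsName, HasPrivateKey, ChainStatus -AutoSize
```

Any certificate whose row shows UsableByNps as False will either be missing from the NPS certificate list or be rejected by clients that have Validate server certificate enabled; the ChainStatus column names the CryptoAPI failure (for example UntrustedRoot or RevocationStatusUnknown). For the chain, EKU and name part of the check, the PKI module's Test-Certificate cmdlet with -Policy SSL, -EKU and -DNSName gives a one-line equivalent.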

For more information, see Deploy Server Certificates for 802.1X Wired and Wireless Deployments.

Minimum client certificate requirements

With EAP-TLS or PEAP-TLS, the server accepts the client's authentication attempt when the client certificate meets the following requirements:

  • The client certificate is issued by an enterprise CA, or is mapped to a user or computer account in Active Directory Domain Services (AD DS).

  • The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in the EKU extension (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that CryptoAPI performs and that the remote access policy or network policy specifies, nor the certificate object identifier checks specified in NPS network policy.

  • The 802.1X client does not use registry-based certificates that are either smart card logon or password-protected certificates.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension contains the user principal name (UPN). To configure the UPN in a certificate template:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select User principal name (UPN).
  • For computer certificates, the Subject Alternative Name (SubjectAltName) extension must contain the fully qualified domain name (FQDN) of the client, also called its DNS name. To configure this name in the certificate template:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select DNS name.
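The Certificate Templates snap-in procedures on this page (the server template's Subject name, RSA/2048 and SAN DNS settings above, and the user and computer client templates' UPN and DNS SAN settings here) all write to the template object in the AD Configuration partition. The script below is an added example, not code from the original page: it reads that object and reports whether each setting the procedures ask for is present, so a template can be audited without opening the snap-in. It assumes a domain-joined machine and an account that can read the Configuration partition (any authenticated user can by default), and the template names in the usage lines are placeholders. The Subject name format and SAN choices are decoded from the msPKI-Certificate-Name-Flag bits; the algorithm name is read from msPKI-RA-Application-Policies, which only schema version 3 and later templates record, so older templates report it as not recorded.

```powershell
# Added example (not part of the original page): audit a certificate template's
# AD object against the Subject Name, SAN, EKU and key-size settings that the
# procedures above configure in the Certificate Templates snap-in.
# Assumptions: domain-joined host; reader can access the Configuration partition;
# template names passed in are placeholders; no additional modules required.

# msPKI-Certificate-Name-Flag bits. The top bit is written in decimal because
# PowerShell parses 8-digit hex literals as a signed Int32.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001        # "Supply in the request" (the opposite of Build from AD)
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN        = 0x02000000        # SAN: User principal name (UPN)
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS        = 0x08000000        # SAN: DNS name
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN      = 0x10000000        # Subject name format: DNS name
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME    = 0x40000000        # Subject name format: Common name
$CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = [uint32]2147483648 # 0x80000000, Subject name format: Fully distinguished name

$OID_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'   # Server Authentication (from the page)
$OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'   # Client Authentication (from the page)

function Get-CertificateTemplateEntry {
    # Binds to CN=<name>,CN=Certificate Templates,CN=Public Key Services,CN=Services,<config NC>.
    param([Parameter(Mandatory)][string]$Name)
    $configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $entry = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    # A missing object only fails on the first property read, so probe it here.
    try { $null = $entry.Properties['msPKI-Certificate-Name-Flag'].Value }
    catch { throw "Certificate template '$Name' was not found in the Configuration partition: $_" }
    $entry
}

function Test-EapCertificateTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        # Server = NPS/VPN server template; User and Computer = EAP-TLS client templates
        [Parameter(Mandatory)][ValidateSet('Server', 'User', 'Computer')][string]$Role
    )
    $t = Get-CertificateTemplateEntry -Name $TemplateName

    # The flag attribute is stored as a signed Int32; reinterpret its bits as unsigned.
    $nameFlags = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$t.Properties['msPKI-Certificate-Name-Flag'].Value), 0)
    $ekus      = @($t.Properties['pKIExtendedKeyUsage'] | ForEach-Object { [string]$_ })
    $minKey    = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
    $raPolicy  = [string]$t.Properties['msPKI-RA-Application-Policies'].Value

    $requiredEku = if ($Role -eq 'Server') { $OID_SERVER_AUTH } else { $OID_CLIENT_AUTH }
    $requiredSan = if ($Role -eq 'User')   { $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN } else { $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS }
    $subjectFormatBits = $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME -bor $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN -bor $CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH

    # Cryptography tab "Algorithm name", recorded on v3+ templates as
    # "msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`..."; $null when the attribute is absent.
    $algorithm = if ($raPolicy -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Template             = $TemplateName
        Role                 = $Role
        SubjectBuiltFromAD   = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0
        SubjectFormatNotNone = ($nameFlags -band $subjectFormatBits) -ne 0
        SanHasRequiredName   = ($nameFlags -band $requiredSan) -ne 0
        EkuHasPurpose        = $ekus -contains $requiredEku
        MinimumKeySize       = $minKey
        KeySizeAtLeast2048   = $minKey -ge 2048
        Algorithm            = if ($algorithm) { $algorithm } else { 'not recorded (v1/v2 template)' }
        AlgorithmIsRsa       = $algorithm -eq 'RSA'
    }
}

# Usage (placeholder template names):
# Test-EapCertificateTemplate -TemplateName 'NPS Server Authentication' -Role Server
# Test-EapCertificateTemplate -TemplateName 'EAP User' -Role User
# Test-EapCertificateTemplate -TemplateName 'EAP Computer' -Role Computer
```

SubjectBuiltFromAD is False when the template's Subject Name tab is set to Supply in the request instead of Build from this Active Directory information, which is the opposite of what every procedure on this page selects; SanHasRequiredName checks the DNS name box for Server and Computer and the UPN box for User. Changes made in the snap-in can take a few minutes to replicate to the domain controller the script binds to.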

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

  • Wireless clients do not display registry-based and smart card logon certificates.

  • Wireless clients and VPN clients do not display password-protected certificates.

  • Certificates that do not contain the Client Authentication purpose in the EKU extension are not displayed.

For more information about NPS, see Network Policy Server (NPS).