Wireless PKI for external users
Can I use Windows 2003 PKI for non-domain users? Can I obtain a certificate
for a non-domain user through Windows 2003 PKI?
How can I securely connect external users to my wireless network?
Thanks
S. Pidgorny
07-09-2005, 10:55 PM
Yes, you can use Windows 2003 PKI for any kind of client supporting standard
file formats. The easiest way to ship the cert to a non-domain user would be
to ship a PKCS #12 (.p12/.pfx) file containing the private key and the cert -
enroll marking private keys exportable, install the cert and export. Note
that the external users must trust your CA.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"jaff" <jaff@discussions.microsoft.com> wrote in message
news:4066EB2E-1727-4DC8-9A0D-8D18BF5215BC@microsoft.com...
> Can I use Windows 2003 PKI for non-domain users? Can I obtain a certificate
> for a non-domain user through Windows 2003 PKI?
> How can I connect securely externals users to my wireless network?
> Thanks
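
The reply above ends with an external user holding a .p12/.pfx file and a CA they are asked to trust. As an added example (not from the thread), the following shell functions use OpenSSL on the recipient side to confirm that the bundled certificate chains to that CA and that the bundled private key belongs to it. The function names `check_p12` and `make_demo`, the demo CA (a stand-in for the issuing CA) and the password are assumptions made for illustration; `openssl` is assumed to be on the PATH.

```shell
# Recipient-side checks on a delivered PKCS #12 bundle (added example).
# Subjects, file names and the password are constructed for the demo.
set -u

# check_p12 FILE PASSWORD CA_PEM: 0 = OK, 2 = unreadable or wrong password,
# 3 = certificate does not chain to CA_PEM, 4 = private key does not match.
check_p12() {
  local p12="$1" pw="$2" ca="$3" tmp k c rc=0
  tmp=$(mktemp -d) || return 2
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null |
    openssl x509 -out "$tmp/cert.pem" 2>/dev/null || rc=2
  if [ "$rc" -eq 0 ]; then   # trust: must verify against the CA the user accepted
    openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1 || rc=3
  fi
  if [ "$rc" -eq 0 ]; then   # possession: bundled key must belong to that cert
    k=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    c=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ] || rc=4
  fi
  rm -rf "$tmp"
  return "$rc"
}

# make_demo DIR: throwaway CA (stand-in for the issuing CA), one user
# certificate, and DIR/user.p12 protected with the password "demo-pass".
make_demo() {
  local d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=external.user" -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
    -passout pass:demo-pass -out "$d/user.p12"
}
```

`check_p12` takes the CA certificate as an explicit argument, so its result only means something if that file was obtained independently of the .p12 itself.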
Mark Gamache
07-09-2005, 10:56 PM
I believe that the cert. must also be associated with a valid domain account
for IAS to process the remote access policy.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:O$1MUtVgFHA.3868@TK2MSFTNGP14.phx.gbl...
> Yes, you can use Windows 2003 PKI for any kind of client supporting
> standard
> file formats. The easiest way to ship the cert to non-domain user would be
> to ship PKCS #12 (.p12/.pfx) file containing private key and the cert -
> enroll marking private keys exportable, install the cert and export. Note
> that the external users must trust your CA.
I think so. I can't find a way to create a certificate with Windows 2003
that isn't associated with a domain account.
So, how can I give certificates to and validate these external users?
"Mark Gamache" wrote:
> I believe that the cert. must also be associated with a valid domain account
> for IAS to process the remote access policy.
S. Pidgorny
07-09-2005, 10:56 PM
You create accounts in the AD for them then. Is that a huge issue? I don't
think so.
In fact, the problem isn't that the certificate is associated with an AD
account - you can create a user cert without such association, using a Web
form on a stand-alone CA being the easiest way - but the way IAS,
Microsoft's RADIUS implementation, handles EAP for wireless. I believe you
can use another RADIUS server to handle certificate authentication
differently. But I don't see a huge issue using AD - all controls in one
directory, which is good.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"jaff" <jaff@discussions.microsoft.com> wrote in message
news:5B06378F-5C6A-40B8-B3AA-BD96A7DAF05A@microsoft.com...
> I think so. I don't find the way to create a certificate with Windows 2003
> that isn't associate to a domain account.
> So, how can I give certificates and validate these externals users?