Group:  English: Windows Server » microsoft.public.windows.server.security
Thread: IAS + user smartcard + workstation certificate

IAS + user smartcard + workstation certificate
domibik[ at ]gmail.com 06.07.2007 13:48:58
Hi !

I want wireless clients to use PKI and IAS to get onto the network.

My idea is that the workstation is verified via a workstation certificate
before the user uses his smartcard (authentication via the user certificate
on his card).

I know I can use the workstation-certificate OR the user-smartcard option.

Is it possible to set them together as an access sequence?

Thanks in advance

Dominik

Re: IAS + user smartcard + workstation certificate
Brian Komar <bkomarr[ at ]identit.nospam.ca> 06.07.2007 16:02:48
On Fri, 06 Jul 2007 13:48:58 -0000, domibik[ at ]gmail.com wrote:

> Hi !
>
> I want wireless clients to use PKI and IAS to get onto the network.
>
> My idea is that the workstation is verified via a workstation certificate
> before the user uses his smartcard (authentication via the user certificate
> on his card).
>
> I know I can use the workstation-certificate OR the user-smartcard option.
>
> Is it possible to set them together as an access sequence?
>
> Thanks in advance
>
> Dominik

This is a very commonly deployed model. The workstation authenticates
(allowing processing of GPO/scripts) and then the user is authenticated at
logon time, to allow continued connectivity.
Brian

Re: IAS + user smartcard + workstation certificate
"S. Pidgorny <MVP>" <slavickp[ at ]yahoo.com> 07.07.2007 01:48:51
Just wanted to add quickly: even when dual authentication is enabled, it is
virtually impossible to _require_ both computer and user authentication,
because the server infrastructure considers computer and user authentication
requests separate and independent.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Brian Komar" <bkomarr[ at ]identit.nospam.ca> wrote in message
news:zglnzwoc4j91.154v6mhxgsjrn$.dlg[ at ]40tude.net...
> On Fri, 06 Jul 2007 13:48:58 -0000, domibik[ at ]gmail.com wrote:
>
>> Hi !
>>
>> I want wireless clients to use PKI and IAS to get onto the network.
>>
>> My idea is that the workstation is verified via a workstation certificate
>> before the user uses his smartcard (authentication via the user certificate
>> on his card).
>>
>> I know I can use the workstation-certificate OR the user-smartcard option.
>>
>> Is it possible to set them together as an access sequence?
>>
>> Thanks in advance
>>
>> Dominik
>
> This is a very commonly deployed model. The workstation authenticates
> (allowing processing of GPO/scripts) and then the user is authenticated at
> logon time, to allow continued connectivity.
> Brian
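
Because the server evaluates the computer and user requests independently, as the reply above says, one thing an administrator can still do is audit after the fact for user logons that had no recent machine authentication from the same client. The sketch below is an added example, not part of the original thread and not IAS functionality; the record layout, names, addresses and the 8-hour window are constructed assumptions, and it relies on Windows computer accounts presenting an EAP identity of the form `host/<fqdn>`.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real IAS log output): time, client MAC
# (Calling-Station-Id), EAP identity, and whether access was granted.
SAMPLE_EVENTS = [
    ("2007-07-09 08:00:05", "00-11-22-33-44-55", "host/ws01.example.local", True),
    ("2007-07-09 08:03:40", "00-11-22-33-44-55", "alice@example.local", True),
    ("2007-07-09 08:10:12", "66-77-88-99-AA-BB", "bob@example.local", True),
    ("2007-07-09 09:00:00", "CC-DD-EE-FF-00-11", "host/ws02.example.local", False),
    ("2007-07-09 09:01:30", "CC-DD-EE-FF-00-11", "carol@example.local", True),
    ("2007-07-09 20:30:00", "00-11-22-33-44-55", "alice@example.local", True),
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def is_machine_identity(identity):
    # Windows computer accounts authenticate with an identity of host/<fqdn>.
    return identity.lower().startswith("host/")


def users_without_machine_auth(events, window=timedelta(hours=8)):
    """Return (time, mac, user) for each granted user logon whose MAC had no
    granted machine authentication within `window` before that logon."""
    last_machine_ok = {}  # MAC -> time of the latest granted machine auth
    findings = []
    parsed = sorted(
        (datetime.strptime(t, TIME_FORMAT), mac.upper(), ident, ok)
        for t, mac, ident, ok in events
    )
    for when, mac, ident, ok in parsed:
        if not ok:
            continue  # a rejected request proves nothing about the device
        if is_machine_identity(ident):
            last_machine_ok[mac] = when
            continue
        seen = last_machine_ok.get(mac)
        if seen is None or when - seen > window:
            findings.append((when.strftime(TIME_FORMAT), mac, ident))
    return findings


if __name__ == "__main__":
    for finding in users_without_machine_auth(SAMPLE_EVENTS):
        print(finding)
```

The correlation key is the MAC address reported by the access point, which a client can change, so this is an audit signal rather than an enforcement of both authentications.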


Re: IAS + user smartcard + workstation certificate
domibik[ at ]gmail.com 09.07.2007 12:32:17
Hi !

But I can't find how to set it.
In the network connection properties (on the wireless card) there is an
option to use smart card OR certificate.
I can't set both at the same time.

When I choose SmartCard, the workstation certificate is not required (I
can remove it from my CertStore on the workstation).
But when I use the option for a certificate stored on the computer, then I
must have the workstation certificate in the local store and I don't need
the smartcard.

I want to enforce that workstations must have their certificates in their
local stores and users must have their smartcards with PIN to get onto the
network.

--
Dominik Weglarz
