Archive

Archive for the ‘configuration’ Category

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

January 27th, 2012 No comments

Jonathan Stephens posted an excellent blog post about this topic; however, it did not include the steps, so I decided to write this post detailing the steps required. The following assumptions must be met before proceeding:

1- There is a new valid Certification Authority configured

2- There is a new distribution point configured for the AIA and CDP locations at http://crl.contoso.com/CertData

Steps:

1- Log on to the old Enterprise Certification Authority as an Enterprise Administrator.

2- Identify the AIA and CDP distribution points

  a. Open the Certification Authority console
  b. Right-click the Certification Authority name and click Properties
  c. Click the “Extensions” tab
  d. Document the distribution points configured for CRL Distribution Point (CDP), for example http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, which refers to the local IIS instance on the server, or http://pki.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: Ignore the LDAP and C:\%windir% locations

  e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop-down menu
  f. Document the distribution points configured for the AIA extension, for example http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt, which refers to the local IIS instance on the server, or http://pki.contoso.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

Note: Ignore the LDAP and C:\%windir% locations

3- Disable the Delta CRL and issue a long-lived Certificate Revocation List (CRL)

  a. Open the Certification Authority console
  b. Right-click “Revoked Certificates”, and then click “Properties”
  c. Uncheck “Publish Delta CRL”
  d. Change the “CRL publication interval” to 99 years and then click OK
  e. Open the command line with elevated privileges
  f. Run certutil -crl to issue a new Certificate Revocation List (CRL)

4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting the website http://crl.contoso.com/CertData

  a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
  b. Copy the Certification Authority’s certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData

5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points of the old Certification Authority to http://crl.contoso.com/certdata

  a. This can be done with an IIS redirect or a DNS CNAME that redirects the Authority Information Access (AIA) and Certificate Revocation List (CRL) locations of the old Certification Authority documented in steps 2.d and 2.f to the new web server http://crl.contoso.com/certdata

6- Document and remove all certificate templates available on the old Certification Authority to prevent it from issuing new certificates

  a. Open the command line with elevated privileges
  b. Run certutil -catemplates > c:\catemplates.txt to document all certificate templates available on the old Certification Authority
  c. Launch the Certification Authority console
  d. Navigate to “Certificate Templates”
  e. Highlight all templates in the right pane, right-click and then click “Delete”

At this point, the old Certification Authority can’t issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps detail how to document the certificates issued from templates on the old Certification Authority and how to make those templates available on the new Certification Authority.

7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database

  a. Highlight “Issued Certificates”
  b. Navigate to the right, and sort by “Certificate Templates”
  c. Identify the certificates issued from default certificate template types
  d. Identify the certificates issued from custom certificate templates, i.e. any template other than the default certificate templates mentioned earlier

8- Dump the certificates based on the default certificate template types:

  a. Open the command line with elevated privileges
  b. Run certutil -view -restrict "Certificate Template=Template" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\TemplateType.txt
  c. Examine the output in c:\TemplateType.txt and document all the certificates needing immediate action, i.e. certificates that must be re-issued from the new CA infrastructure, such as Web SSL certificates.
  d. Consult with the administrator of the application using the certificates to determine the best approach to replace them if needed

Note: Replace Template with the correct template name.

9- Dump the certificates based on the custom certificate template types:

  a. Open the Certification Authority console
  b. Right-click “Certificate Templates” and click “Manage”
  c. Double-click the certificate template and click the “Extensions” tab
  d. Click “Certificate Template Information”
  e. Copy the Object Identifier (OID); it will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
  f. Open the command line with elevated privileges
  g. Run certutil -view -restrict "Certificate Template=OIDNumber" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Note: Replace OIDNumber with the number identified in step 9.e

  h. Examine the output in c:\CustomTemplateType.txt and document all the certificates needing immediate action, i.e. certificates that must be re-issued from the new CA infrastructure, such as custom SSL certificates.
  i. Consult with the administrator of the application using the certificates to determine the best approach to replace them if needed

Note: You don’t need to take any action for auto-enrolled certificates, because the certificate holder will renew the certificate from the new CA infrastructure when it expires.
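The dumps written in steps 8.b and 9.g share one row format. As an added example (not part of the original post), the Python script below parses such a dump offline and lists the certificates that are still valid, nearest expiry first, so the ones that must be re-issued from the new CA surface at the top. The sample dump, its serial numbers and names, and the en-US date format certutil is assumed to write are all constructed for the demo.

```python
"""Parse a dump from certutil -view -restrict "Certificate Template=<name or OID>"
-out "SerialNumber,NotAfter,DistinguishedName,CommonName" and list live certificates."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample of such a dump: serial numbers and names are made up, and the
# date format is what certutil writes on an en-US server (assumption).
SAMPLE_DUMP = """\
Schema:
  Column Name                   Localized Name                Type    MaxLength
  SerialNumber                  Serial Number                 String  128 -- Indexed
  NotAfter                      Certificate Expiration Date   Date    8 -- Indexed
  DistinguishedName             Issued Distinguished Name     String  8192
  CommonName                    Issued Common Name            String  8192 -- Indexed

Row 1:
  Serial Number: "1a00000003aa11bb22cc33dd44000000000003"
  Certificate Expiration Date: 3/15/2013 9:12 AM
  Issued Distinguished Name: "CN=web01.contoso.com, OU=IT, O=Contoso"
  Issued Common Name: "web01.contoso.com"

Row 2:
  Serial Number: "1a00000004ee55ff66aa77bb88000000000004"
  Certificate Expiration Date: 11/2/2011 4:45 PM
  Issued Distinguished Name: "CN=legacy.contoso.com, OU=IT, O=Contoso"
  Issued Common Name: "legacy.contoso.com"

Row 3:
  Serial Number: "1a000000059988776655443322000000000005"
  Certificate Expiration Date: 8/30/2012 1:00 PM
  Issued Distinguished Name: "CN=intranet.contoso.com, OU=Web, O=Contoso"
  Issued Common Name: EMPTY
Maximum Row Index: 3

3 Rows
"""

AS_OF_EXAMPLE = datetime(2012, 1, 27)   # the post's date, used as "today" in the demo
DATE_FMT = "%m/%d/%Y %I:%M %p"          # en-US certutil date output (assumption)
SCHEMA_RE = re.compile(r"^  (\S+)\s{2,}(.+?)\s{2,}(String|Date|Long|Binary)\s+\d+")
ROW_RE = re.compile(r"^Row \d+:")
FIELD_RE = re.compile(r"^  ([^:]+): (.*)$")


def _convert(value, col_type):
    """Turn one printed column value back into a Python value."""
    value = value.strip()
    if value == "EMPTY":                       # certutil prints EMPTY for a NULL column
        return None
    if col_type == "Date":
        return datetime.strptime(value, DATE_FMT)
    if len(value) >= 2 and value[0] == '"' == value[-1]:   # string values are quoted
        value = value[1:-1]
    return value


def parse_certutil_view(text):
    """Return one dict per 'Row N:' block, keyed by the schema's column names."""
    schema = {}                 # localized name -> (column name, type) from the Schema block
    rows, current = [], None
    for line in text.splitlines():
        if ROW_RE.match(line):
            current = {}
            rows.append(current)
            continue
        if current is None:     # still in the Schema header
            m = SCHEMA_RE.match(line)
            if m:
                col, localized, col_type = m.groups()
                schema[localized] = (col, col_type)
            continue
        m = FIELD_RE.match(line)   # trailer lines such as 'Maximum Row Index:' are not indented
        if m and m.group(1) in schema:
            col, col_type = schema[m.group(1)]
            current[col] = _convert(m.group(2), col_type)
    return rows


def certs_needing_action(rows, as_of, horizon_days=90):
    """(row, urgent) for every certificate still valid at as_of, nearest expiry first.
    Expired rows are dropped (nothing to replace); urgent = expires within horizon_days."""
    deadline = as_of + timedelta(days=horizon_days)
    live = [r for r in rows if r.get("NotAfter") and r["NotAfter"] > as_of]
    live.sort(key=lambda r: r["NotAfter"])
    return [(r, r["NotAfter"] <= deadline) for r in live]


def report(rows, as_of, horizon_days=90):
    """One line per certificate to track: flag, expiry, serial, subject."""
    lines = []
    for r, urgent in certs_needing_action(rows, as_of, horizon_days):
        subject = r.get("CommonName") or r.get("DistinguishedName") or "<no subject>"
        flag = "URGENT" if urgent else "track "
        lines.append(f"{flag} {r['NotAfter']:%Y-%m-%d} {r['SerialNumber']} {subject}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. c:\TemplateType.txt; cmd.exe redirection writes the OEM code page
        with open(sys.argv[1], encoding="cp437", errors="replace") as fh:   # cp437 = en-US OEM (assumption)
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    print("\n".join(report(parse_certutil_view(text), datetime.now(), 90)))
```

Run it against c:\TemplateType.txt and c:\CustomTemplateType.txt in turn; expired certificates are omitted because there is nothing left to replace.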

10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority

  a. Log on to the new Certification Authority as an Enterprise Administrator
  b. Right-click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
  c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority

  a. Back up the old Certification Authority using the steps outlined in Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
  b. Uninstall Certificate Services from the old Certification Authority
  c. Decommission the server unless it is running other applications

12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files of the old Certification Authority from your infrastructure, and from the web server hosting http://crl.contoso.com, by following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects.


Amer F. Kamal

Senior Premier Field Engineer

Example of using the new NPS templates feature in Windows Server 2008 R2

February 26th, 2009 No comments

In a previous NAP blog entry, we described the new NPS templates feature in Windows Server 2008 R2. In this blog entry, we show an example of using a template for a RADIUS shared secret.

Templates for RADIUS shared secrets allow users to specify a shared secret that can be reused when configuring RADIUS clients and remote RADIUS servers in the Network Policy Server snap-in. To create and use a RADIUS shared secret template, do the following:

1. From the Network Policy Server snap-in, open the Templates Management node.

2. In the console tree, right-click Shared Secrets, and then click New.

3. In Template Name, type a name for the shared secret template, and then either manually specify the shared secret or have NPS automatically generate one.

4. Click OK to save changes.

To use the RADIUS shared secret template, configure a RADIUS client, a remote RADIUS server, or a remote RADIUS server template and specify the template name for the shared secret, rather than manually configuring a shared secret or having NPS generate one. The following figure shows an example.

Figure: NPS template example

To view which RADIUS clients, remote RADIUS servers, and remote RADIUS server templates use a specific RADIUS shared secret template, right-click the name of the RADIUS shared secret template, and then click View Usage.

NAP Product Team

NPS templates in Windows Server 2008 R2

February 17th, 2009 Comments off

NPS templates, the flagship feature of NPS in Windows Server 2008 R2, provide a huge reduction in the cost of ownership and deployment for all NPS environments. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets and RADIUS clients from the configuration running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in every place in which the template is referenced. For example, a single RADIUS shared secret template can be referenced by multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and remote RADIUS servers that reference it.

You can also use NPS templates to seed a configuration and then de-reference them. For example, you can create a RADIUS client template that contains common settings (such as the vendor type or shared secret) for a specific group of RADIUS clients (such as all wireless APs from a specific vendor). When you create a new RADIUS client, you can select the RADIUS client template to obtain the common settings. When you unselect the template, the inherited settings remain and you can configure individual settings, such as the RADIUS client’s IP address.

Note: Template settings are not supported by commands in the netsh nps context. Using netsh nps commands removes the reference to the template and changes the configuration element specified in the command.

NPS template settings can also be easily migrated and synchronized across multiple NPS servers.

The following types of configuration elements use templates:

· RADIUS shared secret
· RADIUS clients
· Remote RADIUS servers
· IP filters
· Health policies
· Remediation server groups

You can configure templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in. The following figure shows an example.

Figure: Templates in the new NPS snap-in

Individual templates can be added, edited, duplicated, or deleted. After they are configured, they can be referenced and de-referenced in the appropriate dialog boxes in the Network Policy Server snap-in.


The following table lists the different types of templates and where they are used in the Network Policy Server snap-in.

Template                  | Where it is used
--------------------------|-----------------------------------------------------------------------------------------------------------
RADIUS shared secret      | When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates
RADIUS clients            | When creating or configuring RADIUS clients
Remote RADIUS servers     | When creating or configuring remote RADIUS server group members
IP filters                | When configuring IP Filters settings for a network policy
Health policies           | When creating or configuring health policies
Remediation server groups | When creating or configuring remediation server groups


NAP Product Team

NPS templates in Windows Server 2008 R2

February 17th, 2009 No comments

NPS templates, the flagship feature of NPS in Windows Server 2008 R2, provides a huge reduction in cost of ownership and deployment for all NPS environments. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets and RADIUS clients from the configuration running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is referenced. For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and remote RADIUS servers in which that RADIUS shared secret template is referenced.


You can also use NPS templates to assist in configuration with referencing them. For example, you can create a RADIUS client template that contains common settings (such as the vendor type or shared secret) for a specific group of RADIUS clients (such as all wireless APs from a specific vendor). When you create a new RADIUS client, you can select the RADIUS client template to obtain the common settings. When you unselect the template, the inherited settings remain and you can configure individual settings, such as the RADIUS client’s IP address.


Note  Template settings are not supported by commands in the netsh nps context. Using netsh nps commands will remove the reference to the template and change the configuration element specified in the command.


NPS template settings can also be easily migrated and synchronized across multiple NPS servers.


The following types of configuration elements use templates:


·         RADIUS shared secret


·         RADIUS clients


·         Remote RADIUS servers


·         IP filters


·         Health policies


·         Remediation server groups


You can configure templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in. The following figure shows an example.


Templates in the new NPS snap-in


For a larger version of this figure, click here.


Individual templates can be added, edited, duplicated, or deleted. After they are configured, they can be referenced and de-referenced in the appropriate dialog boxes in the Network Policy Server snap-in.


The following table lists the different types of templates and where they are used in the Network Policy Server snap-in.


























Template


Where it is used


RADIUS shared secret


When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates


RADIUS clients


When creating or configuring RADIUS clients


Remote RADIUS servers


When creating or configuring remote RADIUS server group members


IP filters


When configuring IP Filters settings for a network policy


Health policies


When creating or configuring health policies


Remediation server groups


When creating or configuring remediation server groups



NAP Product Team

Changes to the NAP user experience in Windows 7

February 9th, 2009 No comments

Windows 7 and Windows Server 2008 R2 are now available as public betas. In Windows 7, the NAP client user interface (UI) has been integrated into the Windows Action Center (previously known as the Windows Security Center). For example, Network Access Protection notifications appear in the list of messages when you click the Action Center message in the notification area of the Windows 7 desktop.

The following figure shows an example of how a noncompliant NAP client running Windows 7 displays its status in the Windows Action Center.

NAP notification in the new Windows 7 Action Center

When you click View Solution, Windows 7 displays the Network Access Protection status dialog box (also known as the Napstat UI).

NAP Product Team

Categories: configuration, Windows 7