Updates to health certificate information in the "Windows Server 2008 Networking and Network Access Protection (NAP)" book

Hello NAP fans! Joe Davies here, also known as The Cable Guy for TechNet, reporting on some updates to the Windows Server 2008 Networking and Network Access Protection (NAP) book from Microsoft Press.

Although we made every attempt to verify the information in the book, here are some updates based on last minute product changes and for stuff that we did not catch. Future printings of this book will reflect these changes.

1. On page 642, the text for the "Creating the Certificate Template for Health Certificates" section at the bottom of the page:

For a Windows Server 2003–based NAP CA, you must manually create a System Health Authentication certificate template so that members of the IPsec exemption group can autoenroll a long-lived health certificate. For a Windows Server 2008–based NAP CA, a System Health Authentication certificate template is included.

Should be changed to the following:

For a Windows Server 2008 or Windows Server 2003–based NAP CA, you must manually create a System Health Authentication certificate template so that members of the IPsec exemption group can autoenroll a long-lived health certificate.

2. On page 643, the following block of text:

To Create a Health Certificate Template on a Windows Server 2003–based NAP CA

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication EKU.

3. On the General tab, under Template Display Name, type System Health Authentication.

4. Select the Publish Certificate In Active Directory check box.

5. Click the Extensions tab, and then click double-click Application Policies.

6. Click Add, and then click New.

7. In the New Application Policy dialog box, under Name, type System Health Authentication, and under Object Identifier, type 1.3.6.1.4.1.311.47.1.1. The Client Authentication application policy will already be present.

8. Click OK three times, and then click the Security tab. Because the WorkStation Authentication template was duplicated, this template should have two application policies: Client Authentication and System Health Authentication.

9. Click Add, type the name of your IPsec NAP exemption group (such as IPsec NAP Exemption), and then click OK.

10. On the Security tab, in the Groups Or User Names list, select the name of your IPsec NAP exemption group, and then select the Allow check box next to Autoenroll. Click OK.

For a Windows Server 2008–based NAP CA, you must ensure that the System Health Authentication certificate template has the appropriate permissions for autoenrollment in the IPsec NAP exemption group.

To Configure the Permissions on the System Health Authentication Certificate Template

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click System Health Authentication.

3. On the Security tab, click Add, type the name of your IPsec NAP exemption group, and then click OK.

4. Click the name of your IPsec NAP exemption group, select the Allow check boxes next to Enroll and Autoenroll, and then click OK.

Should be changed to the following:

To Create a Health Certificate Template on a Windows Server 2008 or Windows Server 2003-Based NAP CA

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication EKU.

3. For a Windows Server 2008-based NAP CA, click Windows Server 2008, Enterprise Edition in the Duplicate Template dialog box, and then click OK.

4. On the General tab, under Template Display Name, type System Health Authentication.

5. Select the Publish Certificate In Active Directory check box.

6. Click the Extensions tab, and then double-click Application Policies.

7. For a Windows Server 2008-based NAP CA, click Add, double-click System Health Authentication, and then click OK.

8. For a Windows Server 2003-based NAP CA, click Add, and then click New. In the New Application Policy dialog box, under Name, type System Health Authentication, and under Object Identifier, type 1.3.6.1.4.1.311.47.1.1. The Client Authentication application policy will already be present. Click OK three times.

9. Click the Security tab.

10. Click Add, type the name of your IPsec NAP exemption group (such as IPsec NAP Exemption), and then click OK.

11. On the Security tab, in the Groups Or User Names list, select the name of your IPsec NAP exemption group, and then select the Allow check box next to Enroll and Autoenroll.

12. In the Groups Or User Names list, select the Domain Computers group, and then clear the Allow check box next to Enroll so that all of the check boxes are cleared. Click OK.
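Step 12 is the security-relevant one: in IPsec enforcement the health certificate is what peers accept as proof of compliance, so if Domain Computers keep Enroll on this template any domain member can request a health certificate by hand and sidestep the health check. The following PowerShell script is added here as a post-procedure check; it is not from the book or from Microsoft. It assumes (not stated above) that the duplicated template's common name is SystemHealthAuthentication, that the exemption group is called IPsec NAP Exemption, and that it runs on a domain-joined machine with the ActiveDirectory module. It verifies the two application policies on the template, the Enroll/Autoenroll extended rights for the exemption group, the absence of Enroll for Domain Computers, and then looks in the local machine store for an issued health certificate.

```powershell
# Added verification script (not the book's or Microsoft's own code).
# Assumed names: template CN "SystemHealthAuthentication", group "IPsec NAP Exemption".
Import-Module ActiveDirectory

$TemplateCn    = 'SystemHealthAuthentication'
$ExemptGroup   = 'IPsec NAP Exemption'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU (inherited from Workstation Authentication)
$NapHealthOid  = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU, as given in the book

# Well-known extended-right GUIDs used on certificate template objects
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$domainNb   = (Get-ADDomain).NetBIOSName

$template = Get-ADObject -Identity $templateDn -Properties msPKI-Certificate-Application-Policy, pKIExtendedKeyUsage

# 1. Both application policies must be on the template (steps 7/8 above).
$policies = @($template.'msPKI-Certificate-Application-Policy') + @($template.pKIExtendedKeyUsage) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($oid in $ClientAuthOid, $NapHealthOid) {
    if ($policies -contains $oid) { "OK   application policy $oid present" }
    else                          { "FAIL application policy $oid missing" }
}

# 2. Explicit Allow ACEs for the extended rights (steps 11/12 above).
#    Only explicit ExtendedRight ACEs are inspected; a blanket GenericAll grant
#    would also confer enrollment and should be reviewed separately.
$acl = Get-Acl -Path "AD:\$templateDn"
function Test-TemplateRight {
    param([string]$Identity, [Guid]$Right)
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "$domainNb\$Identity" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $Right -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    }
    return [bool]$hit
}

if (Test-TemplateRight $ExemptGroup $EnrollRight)     { "OK   $ExemptGroup has Enroll" }     else { "FAIL $ExemptGroup lacks Enroll" }
if (Test-TemplateRight $ExemptGroup $AutoEnrollRight) { "OK   $ExemptGroup has Autoenroll" } else { "FAIL $ExemptGroup lacks Autoenroll" }
if (Test-TemplateRight 'Domain Computers' $EnrollRight) {
    "FAIL Domain Computers still has Enroll: any domain member could request a health certificate (step 12 not applied)"
} else {
    "OK   Domain Computers has no Enroll on the template"
}

# 3. On an exemption-group member, confirm a certificate carrying the NAP EKU was issued.
$healthCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $NapHealthOid }
if ($healthCerts) {
    $healthCerts | ForEach-Object { "OK   health certificate $($_.Thumbprint) valid until $($_.NotAfter)" }
} else {
    "INFO no certificate with EKU $NapHealthOid in LocalMachine\My (expected on non-exempt or not-yet-enrolled hosts)"
}
```

Run it on the CA or any domain-joined administrative workstation; the last section only reports a certificate on members of the exemption group after autoenrollment has fired (gpupdate /force or the next autoenrollment cycle).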

Please feel free to print these updates and tape or staple them to pages 642 and 643 of your printed book so that your copy has the correct information.

Thanks!

Joe Davies