Where are the Files after connecting to RAS


Ola

Hello again,

I was able to test the VPN connection by using my other
PC on my LAN to connect. I finally connected but am still
having problems with adding more security (EAP). I had
set up my server as a CA, and I found it on the list of
CAs when I was configuring my workstation to connect to
the VPN, but somehow I was confused as to the
configuration of the EAP. The confusion is with the Smart
Card and User certificates; I do not understand that part
yet, and so when I finished and tried to connect with the
icon, I got an error. Once I removed the EAP config, I
was able to connect. At least that was what I saw in the
properties. The confusing thing is after connecting, I
did not know how to get to the resources on the VPN
server.

What do I do? Please, someone, please help.

Thanks
 

Sharoon Shetty K [MSFT]

What is the error you get with certificates/smart card?

Certificates are kept in the "certificate store" of the machine. ("Store" as
in "storage area.") You can view the certificates (and their properties) on
the machine by opening the Microsoft Management Console (Start, Run, type
"mmc" and hit enter) and adding the certificates snap-in to the console.

There are two certificate stores on a machine -- the Current User store and
the Local Computer store. You can add both stores to the snap-in so that you
can view them from the same console (and then you can save the console for
later use). For more MMC info see
http://www.microsoft.com/windows2000/techinfo/planning/management/mmcsteps.asp

Some tips:
The server cert must be in the Local Computer cert store. Also, when you
configure the cert templates, make sure the server cert has the server
authentication purpose in Enhanced Key Usage extensions. Do not substitute
the "All" purpose for the "Server Authentication" purpose or the cert is
invalid.

If possible, use the Web enrollment tool to enroll the cert on the server.

If clients are domain members, you can auto enroll client computer
certificates (but not user certs) using Group Policy. That is a little
complicated to set up, but is much easier than manually installing certs on
all clients. Clients must have the Client Authentication purpose in EKU
extensions, not the "All" purpose.

Some resources that are recommended:
Step-by-Step Guide to Setting up a Certification Authority
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp

Step-by-Step Guide to Advanced Certificate Management
http://www.microsoft.com/windows2000/techinfo/planning/security/advcertsteps.asp

"Network access authentication and certificates" in Windows Server 2003 IAS
or VPN Help, or on the web at
http://www.microsoft.com/resources/...resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
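
An added example, not part of the original posts: a PowerShell check of the certificate tips above, listing each certificate in a store and reporting whether the required purpose appears explicitly in its Enhanced Key Usage extension. The function names are hypothetical, and treating the "All" purpose as either a missing EKU extension or the anyExtendedKeyUsage OID is an assumption.

```powershell
# Added example: audit EAP certificates for the purposes named in the tips above.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$AnyPurposeOid = '2.5.29.37.0'         # anyExtendedKeyUsage (assumed meaning of "All")

function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Collect the OIDs from the Enhanced Key Usage extension; nothing if it is absent.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Test-EapCertPurpose {
    param(
        [Parameter(Mandatory)] [string]$StorePath,   # e.g. Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string]$RequiredOid
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $oids = @(Get-EkuOid -Certificate $_)
        $verdict = if ($oids -contains $RequiredOid) {
            'OK: required purpose is listed explicitly'
        } elseif ($oids.Count -eq 0) {
            'FAIL: no EKU extension (all purposes)'
        } elseif ($oids -contains $AnyPurposeOid) {
            'FAIL: only the catch-all purpose is listed'
        } else {
            'FAIL: required purpose is missing'
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            EKU        = $oids -join ', '
            Verdict    = $verdict
        }
    }
}

# On the VPN server: the server certificate must be in the Local Computer store.
Test-EapCertPurpose -StorePath 'Cert:\LocalMachine\My' -RequiredOid $ServerAuthOid | Format-List

# On a client: check the user certificate in the Current User store
# (use Cert:\LocalMachine\My instead for a client computer certificate).
Test-EapCertPurpose -StorePath 'Cert:\CurrentUser\My' -RequiredOid $ClientAuthOid | Format-List
```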
 

Ola

Hello Sharoon,

I am currently not at home, but what I need to understand
is how my remote PC negotiates or gets the
certificate. I have set up my server in the house to be a
root CA. I will go view the certificates once I get home.
But since I have "created" the CA, let us assume that the
server side is okay. I also added EAP authentication on
the server side.

Now on the side of the remote PC, when I say that I am
using a smart card or a certificate, must it reference
the CA (VPN Server) as the issuer? And how does my CA
issue the certificate to "this unknown PC" if this is the
first time I am trying to connect to the VPN server?

Thanks

Ola
 

Sharoon Shetty K [MSFT]

There are two ways you can request certificates from the CA.

Standalone CA
1) You can use the webpage
http:\\<ca name>\certsvr

Enterprise CA - part of a domain
1) You can use the wizard in the Certificates Snap-in.
2) You can use the webpage
http:\\<ca name>\certsvr
 
