Posted by Mr.B on December 9, 2007, 2:16 pm
But by default IT IS. And I have to find out how to prevent this.
I have auto enrollment for the computer template. Server is 2003 Standard, CA is
Subordinate Enterprise.
"Brian Komar" wrote:
> Actually
> The computer account is authenticating to the domain. *You* have decided to
> export a private key and import it on a non-trusted host (based on the tone
> of your response).
> It is not a security breach if *you* decide to put the private key on the
> offending host.
> Now, you see why the key is non-exportable
> Brian
>
> > Interested.
> > I have set up 802.1x. I will test it tomorrow. So I can expect that the
> > computer will be authenticated with 802.1x. So the computer gets into the private
> > network, but it does not authenticate to the domain. But that is a security
> > breach.
> > Problem is that I use the v1 computer template, and I don’t know how to make an
> > automatic request with the option do not export private key, or make it
> > exportable….
> >
> >
> > "Alun Jones" wrote:
> >
> >> > By default, if I set up auto enrollment for computer certificate, I can
> >> > export the private key from the computer.
> >> > What would happen if I import this key to a different computer?
> >> > If I use a different computer and I try to authenticate to IAS, would
> >> > it be accepted as valid?
> >>
> >> Cryptography assumes that if you have the private key, you are the
> >> individual or computer identified as associated with that key.
> >>
> >> However, the recipient of a signed key exchange (in this case, IAS) might
> >> note that your computer is trying to authenticate as a computer name other
> >> than that with which it passed NTLM authentication. In such a case, it would
> >> almost certainly fail the authentication.
> >>
> >> Alun.
> >> ~~~~
> >>
> >>
> >>
>