Vista Domain Joining


  • 7/31/2019 Vista Domain Joining


    Abstract

    Wired client computers running Microsoft Windows Vista can use a temporary wired profile to obtain connectivity to a secure wired network and join an Active Directory directory service domain. This temporary wired profile, known as a bootstrap wired profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wired client uses a new wired profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes two methods of configuring a bootstrap wired network profile.


    Introduction

    Typical wired clients need either domain credentials (name/password) or a certificate to perform authentication for secure wired access. To join the domain and receive domain credentials or certificates, wired client computers need a successful connection to the wired network that contains the domain controllers of the domain. To access a secure wired network and join a computer to a domain, the wired client user must manually provide their domain user name and password. Once connected to the wired network, the wired client user can join the computer to the domain.

    In 802.1X-authenticated wired networks, wired clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wired client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wired client. This behavior can be disabled, but is not recommended in production environments.

    If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed, the wired client can validate the RADIUS server's computer certificate, regardless of whether the wired client has joined the Active Directory domain.

    If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server 2003 Certificate Services), a wired client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wired client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.

    This article describes methods that configure Windows Vista-based wired clients with a wired profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wired network, the wired client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure or override the wired profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.

    If the IT administrator overrides the manually-configured wired profile with Group Policy, the Group Policy-based wired profile must be configured to perform computer authentication (the default behavior). If the computer cannot use its account and credentials to obtain a wired connection, the user will be unable to log on to the computer with their domain credentials because they cannot be validated by a domain controller.


    Methods for Joining a Wired Client to a Domain

    This section describes the following methods for joining a wired client to a domain:

    User configures their wired computer with a bootstrap wired profile using an Extensible Markup Language (XML) file and joins the domain

    User manually configures wired computer with bootstrap wired profile and joins the domain


    4. After the bootstrap wired profile is configured, Windows Vista attempts to connect to the wired network and prompts the user for an account name and password.

    5. The user types their domain user account name and password and the Windows Vista client computer connects to the wired network.

    6. The user joins the computer to the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.


    Appendix A: Configuring a Bootstrap Wired Profile

    To configure a bootstrap wired profile, do the following:

    1. From the Windows Vista desktop, click Start, and then click Control Panel.
    2. Click System and Maintenance, and then click Administrative Tools.
    3. Double-click Services.
    4. In the list of services in the contents pane, double-click Wired AutoConfig Service.
    5. In Startup type, click Automatic. In Service Status, click Start, and then click OK.
    6. Close the Services window.
    7. From the Windows Vista desktop, click Start, and then click Control Panel.
    8. Click Network and Internet, and then click Network Center.
    9. Click Manage network connections.
    10. Right-click your LAN connection, click Properties, and then click the Authentication tab.
    11. In Choose a network authentication method, click Protected EAP (PEAP), and then click Settings.
    12. In the Protected EAP (PEAP) Properties dialog box, clear the Validate server certificate check box.
    13. Click OK twice.
    14. Close the Network Connections window.

    To export the settings of this bootstrap wired profile to an XML file, type the following command:

    netsh lan export profile Folder Connection_Name

    Folder is the name of the folder that stores the XML file. You can specify an absolute or relative path, "." for the current folder, or ".." for the parent folder.

    Connection_Name is the name of the wired adapter for which the wired profile has been configured.

    The netsh lan export profile command creates an XML file named after the specified connection. For example, to create an XML file containing the profile of the connection named Local Area Connection and store it in the current folder, you would use the following command:

    netsh lan export profile . "Local Area Connection"

    For this example, netsh creates a file in the current folder named "Local Area Connection.xml".


    Appendix B: Joining a Windows Vista client to a Domain


    After successfully connecting to the secure wired network, use Control Panel-System and Maintenance-System to do the following:

    1. Under Computer name, domain, and workgroup settings, click Change settings.
    2. From the System Properties dialog box, click Change.
    3. In the Computer Name Changes dialog box, type the computer name in Computer name. Click Domain and type the Active Directory domain name.
    4. Click OK.
    5. When prompted, type your domain name and password to join the computer to the domain.
    6. Restart the computer when prompted.

    When the computer is restarted, it automatically authenticates to the wired network using the computer's domain account credentials or certificate.

    WIRELESS NETWORKING

    Abstract

    Wireless client computers running Microsoft Windows Vista can use a temporary wireless profile to obtain connectivity to a secure wireless network and join the Active Directory domain. This temporary wireless profile, known as a bootstrap wireless profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wireless client uses a new wireless profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes three methods of configuring a bootstrap wireless network profile.


    Introduction

    Wireless clients need either domain credentials (name/password) or a certificate to perform authentication for secure wireless access. To join the domain and receive domain credentials or certificates, wireless client computers need a successful connection to the wireless network that contains the domain controllers of the domain. To access a secure wireless network and join a computer to a domain, the wireless client user must manually provide their domain user name and password. Once connected to the wireless network, the wireless client user can join the computer to the domain.

    In 802.1X-authenticated wireless networks, wireless clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wireless client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wireless client. This behavior can be disabled, but is not recommended in production environments.

    If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed on the wireless client, the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain.

    If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server 2003 Certificate Services), a wireless client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wireless client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.


    This article describes methods that configure Windows Vista-based wireless clients with a wireless profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wireless network, the wireless client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure the wireless profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.


    Methods for Joining a Wireless Client to a Domain

    This section describes the following methods for joining a wireless client to a domain:

    IT staff joins a wireless computer to the domain and configures a Single Sign On bootstrap wireless profile

    User configures their wireless computer with a bootstrap wireless profile using an XML file and joins the domain

    User manually configures wireless computer with bootstrap wireless profile and joins the domain

    IT Staff Joins Wireless Computer to the Domain and Configures a Single Sign On Bootstrap Wireless Profile

    In this method, an IT administrator joins the wireless computer to the domain before distributing it to the user. When the user starts the computer, the credentials that they manually specify for the user logon are used to both establish a connection to the wireless network and log on to the domain.

    The following are the steps for this method:

    1. An IT administrator joins the new wireless computer to the domain (for example, through an Ethernet connection that does not require IEEE 802.1X authentication) and adds a bootstrap wireless profile to the computer with the following settings:

       PEAP-MS-CHAP v2 authentication

       Validate RADIUS server certificate disabled

       Single Sign On enabled

       Single Sign On is a new feature for Windows Vista wireless clients that performs 802.1X authentication based on the network security configuration during the user logon process. For this bootstrap wireless profile, the IT administrator specifies that Single Sign On perform 802.1X authentication immediately before user logon.

    2. The IT administrator distributes the new wireless computer to the user.

    3. When the user starts the computer, Windows Vista prompts the user to enter their domain user account name and password. Because Single Sign On is enabled, the computer uses the domain user account credentials to first establish a connection with the wireless network and then log on to the domain.

    Single Sign On is required for this bootstrap wireless profile because even though the computer is joined to the domain, the user has never logged on to the computer. If the computer does not have a network connection when the user attempts to log on for the first time, the logon will fail because the computer is unable to verify the user account credentials with a domain controller. Therefore, the network connection must be established first. Single Sign On uses the same user account credentials to establish a wireless connection and to log on to the domain. After the user has successfully logged on, subsequent user logons can utilize cached credentials.

    User Configures Their Wireless Computer with a Bootstrap Wireless Profile Using an XML File and Joins the Domain

    In this method, the user configures their wireless computer with a bootstrap wireless profile using an XML file and script that has been configured by an IT administrator. The bootstrap wireless profile configured by the XML file allows the user to establish a wireless connection and then join the domain.


    The following are the steps for this method:

    1. An IT administrator configures another Windows Vista-based wireless computer with a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

    2. The IT administrator extracts the bootstrap wireless profile to an XML file with the netsh wlan export profile command (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article) and creates a script file to execute that will automatically add the profile on the user's computer.

    3. The IT administrator distributes the new wireless computer, the XML file containing the bootstrap wireless profile, and the script file to the user using an appropriate method. The script file contains the netsh wlan add profile XML_File_Name Connection_Name command.

       For example, the XML file can be stored on a USB flash drive with a script for the user to run to add the bootstrap wireless profile.

    4. The user starts the computer and performs a logon using a local computer account.

    5. The user runs the script file to add the bootstrap wireless profile.

    6. After the script is run, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.

    7. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.

    8. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.
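The XML that netsh lan export profile (wired Appendix A above) and netsh wlan export profile (step 2 of this method) write is also what a defender would audit after rollout, because a bootstrap profile that is never replaced leaves RADIUS server validation off. The following is an added example, not code from the article: a Python checker run over a hand-constructed WLAN profile that follows Microsoft's EapHostConfig/PEAP element names (matched by local tag name, so exact namespaces are not load-bearing) and that also carries the Single Sign On element of the IT-staff method; the treatment of a missing PerformServerValidation element as "validate" is an assumption stated in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the article): a bootstrap WLAN profile as
# Appendix A describes it, with the IT-staff method's Single Sign On element.
BOOTSTRAP_WLAN_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>Corp-Bootstrap</name>
 <SSIDConfig><SSID><name>Corp</name></SSID></SSIDConfig>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>user</authMode>
   <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
   <EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
       <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
         <UseWinLogonCredentials>false</UseWinLogonCredentials>
        </EapType>
       </Eap>
       <PeapExtensions>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
       </PeapExtensions>
      </EapType>
     </Eap>
    </Config></EapHostConfig>
   </EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _find(node, name):
    """First descendant of node (or node itself) with this local tag name."""
    return next((el for el in node.iter() if _local(el.tag) == name), None)

def _text(node, name, default=None):
    el = _find(node, name)
    return (el.text or "").strip() if el is not None else default

def audit_profile(xml_text):
    """Report the settings that separate a bootstrap profile from a production one."""
    root = ET.fromstring(xml_text)
    sso = _find(root, "singleSignOn")
    # Assumption: without a PerformServerValidation element Windows keeps its
    # default, which is to validate the RADIUS server certificate.
    validates = _text(root, "PerformServerValidation", "true") == "true"
    return {
        "auth_mode": _text(root, "authMode"),
        "validates_server": validates,
        "trusted_root_ca_pinned": bool(_text(root, "TrustedRootCA")),
        "uses_logon_credentials": _text(root, "UseWinLogonCredentials") == "true",
        "single_sign_on": _text(sso, "type") if sso is not None else None,
        "is_bootstrap": not validates,
    }
```

A profile reported as is_bootstrap after the computer has joined the domain is one the user or Group Policy has not yet replaced with the validating, computer-credential profile the article describes.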

    User Manually Configures Wireless Computer With a Bootstrap Profile and Joins the Domain

    In this method, the user manually configures their wireless computer with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain.

    The following are the steps for this method:

    1. The IT administrator distributes to the user the instructions for configuring a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.

    2. The user starts the computer and performs a logon using a local computer account.

    3. The user executes the steps in the instructions to configure the bootstrap wireless profile (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article).

    4. After the bootstrap wireless profile is configured, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.

    5. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.

    6. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.


    5. When prompted, type your domain name and password to join the computer to the domain.
    6. Restart the computer when prompted.

    When the computer is restarted, it automatically authenticates to the wireless network using the computer's domain account credentials or certificate.