Network Access Protection, Revisited (Part 7)

Published on 27 Nov. 2008 / Last Updated on 27 Nov. 2008

This article continues the series on configuring Network Access Protection by examining the process for requesting a computer certificate and associating it with the VPN server.

In the previous article in this series, we did some work on the Network Policy Server. Unfortunately, we are not quite done with the configuration process. Our Windows Vista clients are eventually going to authenticate into our VPN server using the Protected EAP (PEAP) protocol. Before we can use PEAP we have to associate a computer certificate with the VPN server. Fortunately, we have already created an enterprise certificate authority that we can use for that purpose. In this article, I will show you how to request the necessary certificate, and how to associate that certificate with the VPN server.

Requesting a Certificate

We are using Protected EAP (PEAP) as the server side authentication mechanism. In order to make that happen, we need to acquire a computer certificate from the certificate authority that we created earlier in the series. To do so, enter the MMC command at the Run prompt. When the Microsoft Management Console opens, select the Add / Remove Snap-in command from the File menu. Next, choose the Certificates option from the list of snap-ins, and click the Add button followed by the Finish button.

The console will now display the Certificate Templates snap-in. Expand the Certificate Templates container (it can take a few minutes to expand), and then locate the Computer template in the Details pane. Right-click on the Computer template, and then choose the Duplicate Template command from the shortcut menu.

Windows will now ask you if you want to create a Windows Server 2003 or a Windows Server 2008 certificate. Choose the Windows Server 2008 option, and click OK. At this point, Windows will display the Properties of New Template dialog box.

The first thing that you will have to do is to enter a name for the new template. You can call the template anything that you want, so long as it is something meaningful to you. For the purposes of this article, I am going to call this certificate template VPN. Now, set the validity period for the template, and then select the Publish Certificate in Active Directory check box and the Allow Private Key to be Exported check box.

Now, go to the Request Handling tab, and make sure that the Purpose option is set to Signature and Encryption. You should also select the Add Read Permissions to Network Service check box. Finally, go to the Security tab, and click the Add button. When Windows displays the Select Users, Computers, or Groups dialog box, make sure that the From this Location field lists the name of your domain. Enter the word Administrators into the Enter the Object Names to Select field, and click the Check Names button. Assuming that Windows is able to resolve the Domain Administrators group, click OK. Finally, add the Allow Full Control option to the Administrators group, and click OK.

Now, close the Certificate Templates console, and then choose the Certification Authority command from the server’s Administrative Tools menu. When you do, Windows will open the Certification Authority console. At this point, you must expand the container that matches the name of your server, and locate the Certificate Template container beneath it.

Right-click on the Certificate Template container, and then choose the New | Certificate Template to Issue command from the resulting shortcut menu. When you do, Windows will display the Enable Certificate Templates dialog box. Scroll through the list of available templates until you locate the template that you have created. Select the template, and click OK.

You should now be able to associate the certificate template with the server. To accomplish this, enter the MMC command at the Run prompt. When the Microsoft Management Console opens, choose the Add / Remove Snap-ins command from the File menu. When Windows displays the list of available snap-ins, pick the Certificates snap-in from the list, and click the Add button.

Right now, Windows will ask you if you want to manage the certificates for your user account, a service account, or a computer account. It is very important that you choose the Computer Account option. Click Next, followed by Finish and OK, and Windows will display the Certificates console.

The last part of the process involves expanding the Certificates (Local Computer) container to reveal the containers beneath it. Now, right click on the Personal container, and choose the All Tasks | Request New Certificate command from the shortcut menu. This will cause Windows to launch the Certificate Enrollment Wizard.

Click Next to bypass the Wizard’s Welcome screen and you will see a screen that displays the various templates that are available for enrollment. Select the check box that corresponds to the template that you have just created, and then click the Enroll button. The enrollment process can take a couple of minutes to complete. When the enrollment completes, click the Finish button. You can now close the Certificates console.

Now that we have associated a certificate with our server, we have to configure our connection request policy to use it. To do so, open the Network Policy Server console, and navigate through the console tree to NPS (Local) | Policies | Connection Request Policies. When you do, the details pane should display a list of connection request policies that reside on the server. You should have a policy named NAP VPN or something similar that you configured earlier in this article series.

Right-click on the NAP VPN connection request policy, and choose the Properties command from the resulting shortcut menu. When you do, Windows will display the NAP VPN Properties sheet. Go to the properties sheet’s Settings tab, and click on the Authentication Methods option. You should now see Microsoft: Protected EAP (PEAP) listed in the EAP Types list, as shown in Figure A. If you do not see a listing for Microsoft: Protected EAP (PEAP), then click the Add button to add it.

Figure A: Microsoft Protected EAP should be listed in the EAP Types list

Now, select the listing for Microsoft: Protected EAP (PEAP), and click the Edit button. Verify that the certificate that you requested earlier is selected. You should also verify that the Enable Fast Reconnects and Enable Quarantine Checks check boxes are selected. The EAP Types field at the bottom of the screen should be set to Secure Password (EAP MSCHAP V2). If it isn’t, then click the Add button and add it. When you have finished, click OK. Click OK one more time to complete this process.
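Before you pick the certificate in the PEAP properties, it is worth confirming that the certificate you enrolled into the local computer's Personal store is one NPS can actually present: it must carry a private key, have the Server Authentication enhanced key usage, chain to your enterprise CA, and not be expired. The PowerShell below is an added example, not code from the original article; it assumes the template was named VPN as above, and the function name Test-PeapServerCertificate is ours.

```powershell
# Added example: inspect Cert:\LocalMachine\My for a certificate NPS can use for PEAP.
# Assumes the duplicated template was named "VPN" as in the article.
function Test-PeapServerCertificate {
    param([string] $TemplateName = 'VPN')

    $serverAuthOid   = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU, required for PEAP
    $templateInfoOid = '1.3.6.1.4.1.311.21.7'  # "Certificate Template Information" (v2/v3 templates)
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt  = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $ekus    = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        # Format() renders the extension as text that includes "Template=<name>..."
        $tmplTxt = if ($tmplExt) { $tmplExt.Format($false) } else { '' }
        $chainOk = $cert.Verify()            # builds and validates the chain to the enterprise CA

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            FromTemplate  = ($tmplTxt -like "*$TemplateName*")
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = ($ekus -contains $serverAuthOid)
            ChainValid    = $chainOk
            UsableForPeap = ($cert.HasPrivateKey -and ($ekus -contains $serverAuthOid) -and
                             $chainOk -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

# Show only certificates that satisfy every condition; an empty result means the
# enrollment did not produce a certificate that the PEAP properties dialog can offer.
Test-PeapServerCertificate -TemplateName 'VPN' | Where-Object { $_.UsableForPeap } | Format-List
```

The check does not cover the NETWORK SERVICE read permission on the private key that the template's Request Handling tab grants; if a certificate passes here but NPS still rejects PEAP, that permission is the next thing to look at.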


In this article, I have shown you how to request a computer certificate, and how to associate that certificate with your VPN server. In the next article in the series, I will continue the discussion by walking you through some more of the configuration process.

The Author — Brien M. Posey

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.
