Remote Network Access: Health Certificates

We’re back with our series on Remote Network Access! Now, assuming that your basic SSTP RRAS Service is now online and working, we can extend the functionality of the service, by enabling the Network Access Protection (NAP) functionality.

Network access protection depends on a special certificate to be issued from your internal certificate authority (CA) to indicate to the Network Policy Server (NPS) system that the workstation is healthy and trustworthy. Unsurprisingly, this certificate is called a “health certificate,” which is issued by the CA upon the request of the Health Registration Authority. This service works in conjunction with the NPS server; clients have these certificates issued when appropriate to signal the state on the Network Access protection.

I am using a central private CA for issuing my certificates, but I do need to enable the CA to issue new health certificates.


Create Health Certificate Templates

First thing first! We need to prepare a certificate, which will be issued from our Enterprise CA infrastructure to our clients for their statement of health. We will also be restricting this template so that a computer cannot manually enroll this certificate, essentially allowing a computer to “lie” about its true health.

We will begin by connecting to our Enterprise Root CA or a Sub-Ordinate Enterprise CA and opening the Certificate Templates console, by running certtmpl.msc.

  • Once the certificate templates console appears, in the details pane, right-click Workstation Authentication and then click Duplicate Template.
  • In the Properties of New Template dialog, select the Compatibility tab and set the Certification Authority to Windows Server 2008. Then set the Certificate recipient to Windows Vista / Server 2008.
  • On the General tab, set the template display name to System Health Authentication.
  • Clear the Publish certificate in Active Directory check box.
  • On the Extensions tab, select Application Policies and click Edit.
  • In the Edit Application Policy Extensions click Add.
  • In the Add Application Policy dialog, select System Health Authentication, and then click OK.
  • Click OK in the Edit Application Policy Extensions
  • Now, on the Security tab, in the Group or User Name list, click Domain Computers, and clear the check box under Allow for the Enroll permission.
  • Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
  • Click Object types, select Computers and click OK.
  • In the Enter the object names to select field, enter the name of your planned HRA server, and click OK.
  • Select the name or group you just added, and then select Allow permissions for Enroll and Auto-enroll.
  • On the Subject Name tab, select Supply in the request, then click OK.
  • Click OK.

 

As we are using an Enterprise-based CA we are actually required to also create a second System Health Certificate Template, this time for non-domain joined machines. This is despite the fact that when we will deploy the HRA service, we will choose to not issue health certificates for these non-domain joined systems.

Remaining in the console, we will repeat part of the process above again, this time for our second template.

  • In the details pane, right-click System Health Authentication and then click Duplicate Template.
  • In the Properties of New Template dialog, select the Compatibility tab. Set the Certification Authority to Windows Server 2003.
  • Set the Certificate recipient to Windows Vista / Server 2008.
  • On the General tab, set the Template display name to Anonymous System Health Authentication. Clear the Publish certificate in Active Directory check box.
  • On the Extensions tab, select Application Policies and click Edit.
  • In the Edit Application Policy Extensions, select Client Authentication and then click Remove. Click OK.
  • In the Edit Application Policy Extensions, click OK.
  • On the Subject Name tab, select Supply in the request, then click OK.
  • Click OK.

That completes the work necessary to create both of the templates we will require for successfully issuing health certificates.

Next, we just need to make these available for publishing from our issuing CAs. Go ahead and close the Certificate Template Console.

Publish the Health Certificate Template

We will begin by connecting to our Enterprise Root CA or a Sub-Ordinate Enterprise CA and opening the Certificate Management console, by running certsrv.msc.

This procedure will need to be repeated on each issuing CA with which we will be linking up the HRA.

Once the certificate management console is displayed, expand the tree and select the node Certificate Templates.

  • Right-click on Certificate Templates and select New. Then select Certificate Template to Issue.
  • In the Enable Certificate Templates dialog, select both System Health Authentication and Anonymous System Health Authentication.
  • Click OK.

Our new certificate templates should now be presented in the listing of templates which are available for publishing from our selected Certification Authority.

Delegate the NPS Server Permission to Issue Certificates

Staying on our Enterprise Root CA or a Sub-Ordinate Enterprise CA, we will next provide permissions to permit our HRA server to actually request the certificates we just enabled for issuance.

  • With the Certificate Management console still in focus, right-click on the name of our CA and select Properties.
  • On the Security tab, in the Group or User Name list, click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
  • Click Object types, select Computers and click OK.
  • In the Enter the object names to select field, enter the name of the NPS server, and click OK.
  • Select the name or group you just added, and then select Allow permissions for Read, Issue and Manage Certificates, Manage CA and Request Certificates.
  • Click OK.

Delegate the NPS Server Permission to Issue Certificates

Finally, we have one additional configuration change that we really should implement on the Issuing CA Server. This setting allows a request for the CA change the expiry date at the time of issue, so that it is different from that which is defined in the template. As this setting is pretty sensitive, this is one of the reasons why it is recommended that the CA  responsible for issuing your health certificates is a dedicated server for health certificates only.

This configuration setting must be defined using the CERTUTIL.exe command tool, we will need an Administrative prompt to execute this command sequence

Certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc

Great, now we are all set with the certificate work!