On 4/2/06, Davidson, Brett (Managed Services) <[EMAIL PROTECTED]> wrote:
> I can set the Cisco certificate to authenticate to the W2K domain.
> That's reasonably simple.
> Deciding what to do about things after that gets a little interesting
> but that's another topic... :-)
>
> The anonymous connection requirements for expired passwords I understand
> but surely that's just a case of allowing access to the certificate
> server on the appropriate ports? (port 80 if web-based authentication is
> used, for instance)?

If an account (or its password) is expired, it cannot authenticate.
That's part of the problem, and the only way to change it is to allow
anonymous RPC connections.

> I have read that Windows will not support port-based IPSec rules but
> that won't apply in this case.

I'm not sure what you mean by "port-based IPSec rules" -- it does
allow for the creation of policy that states that traffic, incoming or
outgoing, over a given port or set of ports, MUST be IPsec'd.

> I wasn't thinking of using the Suse server as a passthrough for
> webclient certificate generation; as you surmise I suspect that would be
> more trouble than it's worth. There's enough written about how it's
> clumsy with ISA server to put me off that.
> I was considering using the Suse server as a certificate issuer in its
> own right backed by a higher-level certificate on the W2K machine. (I
> don't want web users to authenticate on the domain; at least that's not
> a requirement yet, and if so, that should still be possible depending on
> the type of certificate issued by the W2K machine).

There are two ways that you could do this -- have the webserver be a
"registration authority", i.e. it accepts CSRs from clients and sends
them on to the certifying authority.

Or, you can have it be an issuer in its own right, which will require
that it have a certificate which is authorized to be a CA (ca:true,
maxDepth=[something greater than 1]) by signing its certificate with
the W2K CA in a CA mode.

(The idea being that anything signed by the CA is authenticated by that CA.)

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
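
The second option above (the Suse box as a certificate issuer in its own right, holding a CA certificate signed by the W2K CA) as an added example built with the openssl CLI. This is not code from the thread or from either poster; everything in it is constructed: the CA names, the config sections, the temporary directory, and a "rogue" sub-sub CA that exists only to show what the path-length limit on the subordinate's basicConstraints buys you. The self-signed root stands in for the W2K CA.

```shell
#!/bin/sh
# Two-tier PKI with the openssl CLI (constructed example, hypothetical names):
#   root CA (stand-in for the W2K CA)
#     -> subordinate CA on the web server (CA:TRUE, pathlen:0)
#        -> end-entity client certificate
# `openssl verify` then shows the chain validates, and that a certificate
# chaining through a further CA issued by the subordinate is rejected.
set -e

# One config file serves the CSRs and every extension section.
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = root_ca
[dn]
[root_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca]
# pathlen:0 -> may sign end-entity certificates only, not further CAs
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[end_entity]
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# new_csr DIR NAME CN : fresh RSA key plus CSR (the "client sends a CSR" step)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr DIR NAME ISSUER SECTION : ISSUER signs NAME's CSR with extensions SECTION
sign_csr() {
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
    -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/pki.cnf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

build_pki() {
  d="$1"
  write_config "$d"
  # 1. Self-signed root: stands in for the W2K CA
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/pki.cnf" -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # 2. Subordinate CA on the web server, its certificate signed by the root in CA mode
  new_csr "$d" sub "Example Issuing CA"
  sign_csr "$d" sub root sub_ca
  # 3. Certificate the subordinate issues to a web client
  new_csr "$d" client "Example Web User"
  sign_csr "$d" client sub end_entity
  # 4. Misuse case: the subordinate signs another CA certificate, which issues a leaf
  new_csr "$d" rogue "Rogue Sub-Sub CA"
  sign_csr "$d" rogue sub sub_ca
  new_csr "$d" leaf "Leaf Via Rogue"
  sign_csr "$d" leaf rogue end_entity
}

# Returns 0 when root -> sub -> client verifies against the root alone.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
    "$1/client.crt" >/dev/null 2>&1
}

# Returns 0 when root -> sub -> rogue -> leaf is rejected (pathlen:0 on sub).
deep_chain_rejected() {
  cat "$1/sub.crt" "$1/rogue.crt" > "$1/untrusted.pem"
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/untrusted.pem" \
       "$1/leaf.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_pki "$PKI_DIR"
chain_ok "$PKI_DIR" && echo "client cert chains to root via the subordinate CA: OK"
deep_chain_rejected "$PKI_DIR" && echo "leaf via rogue sub-sub CA rejected (pathlen:0): OK"
```

The point of the negative case is the one implied by "maxDepth" in the reply: the root decides, in the basicConstraints of the certificate it signs for the subordinate, how far below itself further CAs may appear. With pathlen:0 the web server can issue end-entity certificates but cannot delegate further, and a verifier that trusts only the root enforces that without any help from the W2K machine.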
