The “Networking and NAP” book is included in the “Windows Server 2008 Resource Kit”

MS NAP Team — Fri, 01 Aug 2008 22:52:00 GMT

Greetings NAP fans! Guest NAP team blogger Joe Davies here with a somewhat self-serving blog entry.

I just wanted to remind all of you that the Windows Server 2008 Networking and Network Access Protection (NAP) book from Microsoft Press, written by yours truly and Tony Northrup (a Microsoft MVP and highly prolific and experienced author), is now bundled in the Windows Server 2008 Resource Kit from Microsoft Press. Obviously, if you purchase the Windows Server 2008 Resource Kit, you do not also need to separately purchase the Windows Server 2008 Networking and Network Access Protection book.

You can get the Windows Server 2008 Resource Kit from the following online book sellers:

· Amazon.com

· Barnes and Noble

· Quantum Books

Although I wrote a lot of networking content for the Windows 2000 Server Resource Kit and several books for Microsoft Press, this is the first time that one of my print books has made it into a Windows Server Resource Kit (…and there was much rejoicing.)

By the way, the Networking and NAP book is not the thickest book in the Resource Kit set. The Windows Server 2008 Active Directory title is 827 pages, while the Networking and NAP book is only 817 pages. [Note to self: In the next version, add at least 11 pages with the text “This page intentionally left blank.” :> ]

Enjoy.

Joe Davies

P.S. The updates described in the July 29 NAP Team blog entry apply to the version of the Networking and NAP book included in the current Windows Server 2008 Resource Kit.

P.P.S. The Amazon.com listing for the Windows Server 2008 Resource Kit refers to NAP as “network aspect projection.” I am not sure what network aspect projection is, but it sounds pretty cool. Meanwhile, we are working with Amazon.com to get this corrected.

Updates to health certificate information in the "Windows Server 2008 Networking and Network Access Protection (NAP)" book

MS NAP Team — Tue, 29 Jul 2008 23:25:00 GMT

Hello NAP fans! Joe Davies here, also known as The Cable Guy for TechNet, reporting on some updates to the Windows Server 2008 Networking and Network Access Protection (NAP) book from Microsoft Press.

Although we made every attempt to verify the information in the book, here are some updates based on last minute product changes and for stuff that we did not catch. Future printings of this book will reflect these changes.

1. On page 642, the text for the "Creating the Certificate Template for Health Certificates" section at the bottom of the page:

For a Windows Server 2003–based NAP CA, you must manually create a System Health Authentication certificate template so that members of the IPsec exemption group can autoenroll a long-lived health certificate. For a Windows Server 2008–based NAP CA, a System Health Authentication certificate template is included.

Should be changed to the following:

For a Windows Server 2008 or Windows Server 2003–based NAP CA, you must manually create a System Health Authentication certificate template so that members of the IPsec exemption group can autoenroll a long-lived health certificate.

2. On page 643, the following block of text:

To Create a Health Certificate Template on a Windows Server 2003–based NAP CA

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication EKU.

3. On the General tab, under Template Display Name, type System Health Authentication.

4. Select the Publish Certificate In Active Directory check box.

5. Click the Extensions tab, and then click double-click Application Policies.

6. Click Add, and then click New.

7. In the New Application Policy dialog box, under Name, type System Health Authentication, and under Object Identifier, type 1.3.6.1.4.1.311.47.1.1. The Client Authentication application policy will already be present.

8. Click OK three times, and then click the Security tab. Because the WorkStation Authentication template was duplicated, this template should have two application policies: Client Authentication and System Health Authentication.

9. Click Add, type the name of your IPsec NAP exemption group (such as IPsec NAP Exemption), and then click OK.

10. On the Security tab, in the Groups Or User Names list, select the name of your IPsec NAP exemption group, and then select the Allow check box next to Autoenroll. Click OK.

For a Windows Server 2008–based NAP CA, you must ensure that the System Health Authentication certificate template has the appropriate permissions for autoenrollment in the IPsec NAP exemption group.

To Configure the Permissions on the System Health Authentication Certificate Template

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click System Health Authentication.

3. On the Security tab, click Add, type the name of your IPsec NAP exemption group, and then click OK.

4. Click the name of your IPsec NAP exemption group, select the Allow check boxes next to Enroll and Autoenroll, and then click OK.

Should be changed to the following:

To Create a Health Certificate Template on a Windows Server 2008 or Windows Server 2003-Based NAP CA

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

2. In the details pane, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication EKU.

3. For a Windows Server 2008-based NAP CA, click Windows Server 2008, Enterprise Edition in the Duplicate Template dialog box, and then click OK.

4. On the General tab, under Template Display Name, type System Health Authentication.

5. Select the Publish Certificate In Active Directory check box.

6. Click the Extensions tab, and then double-click Application Policies.

7. For a Windows Server 2008-based NAP CA, click Add, double-click System Health Authentication, and then click OK.

8. For a Windows Server 2003-based NAP CA, click Add, and then click New. In the New Application Policy dialog box, under Name, type System Health Authentication, and under Object Identifier, type 1.3.6.1.4.1.311.47.1.1. The Client Authentication application policy will already be present. Click OK three times.

9. Click the Security tab.

10. Click Add, type the name of your IPsec NAP exemption group (such as IPsec NAP Exemption), and then click OK.

11. On the Security tab, in the Groups Or User Names list, select the name of your IPsec NAP exemption group, and then select the Allow check box next to Enroll and Autoenroll.

12. In the Groups Or User Names list, select the Domain Computers group, and then clear the Allow check box next to Enroll so that all of the check boxes are cleared. Click OK.

Please feel free to print these updates and tape or staple them to pages 642 and 643 of your printed book so that your copy has the correct information.

Thanks!

Joe Davies

Network Access Protection (NAP) : NAP_book

The “Networking and NAP” book is included in the “Windows Server 2008 Resource Kit”

Updates to health certificate information in the "Windows Server 2008 Networking and Network Access Protection (NAP)" book