Configuring 802.1x Network Authentication for WinPE 3.0 and ConfigMgr Deployments
The Problem
On 802.1x networks, computers are unable to PXE boot or boot into WinPE (Windows Preinstallation Environment) and obtain an IP address in order to carry out the imaging process. Without an authentication mechanism, computers cannot obtain an IP address; normally a domain-joined machine presents its computer certificate in order to authenticate. WinPE, which runs outside the Windows installation, has no access to that computer certificate and historically had no way to specify an authentication method.
Microsoft released a patch for WinPE that will enable 802.1x support but as of yet has not released any official documentation on how to accomplish this.
The Patches
WinPE 2.1: http://support.microsoft.com/kb/975483
WinPE 3.0: http://support.microsoft.com/kb/972831
Windows 7: http://support.microsoft.com/kb/976210
The Goal
Implement the necessary steps to facilitate 802.1x authentication in WinPE and through the entire imaging process. This will be used to allow an in place refresh of a users machine from Windows XP to Windows 7 even if their machine is attached to an 802.1x port. This will also allow users to initiate this process at their convenience and perform a zero touch installation without touch labor involvement. The imaging process should also be agnostic to the type of port security enabled whether it is no port security, MAC based, or 802.1x. The authentication process should also be automatic and not require user intervention.
Environment
- System Center Configuration Manager 2007 SP2 infrastructure in place.
- 802.1x port for testing and capable of accepting user based authentication.
- Windows 7 WIM
- Windows Automated Installation Kit 2.0
Patches
http://support.microsoft.com/kb/976210
http://support.microsoft.com/kb/972831
These steps are performed from an already imaged Windows 7 machine setup to use 802.1x authentication. Two files will be created, one to configure the local area connection to use user authentication and another to import the user credentials for use when authenticating.
1- Open Control Panel
2- Go to Network and Sharing Center
3- Select “Change Adapter Settings”
4- Right click on Local Area Connection, select properties
5- Make the selections listed in the screenshots below




6- Export the profile from an administrative command prompt
a. Netsh lan export profile folder=C:\somefolder interface="Local Area Connection"
7- Export any Root CAs selected during this process
a. These should be Certname.cer files
8- Also collect the following files from a Windows 7 system with the same architecture as the WinPE being used and place them in the same location with the certificates
a. C:\Windows\System32\Certutil.exe
b. C:\Windows\System32\en-US\Certutil.exe.mui
A second XML file is needed to provide the credentials for authentication. This will also be bound to the network adapter after the first XML file is imported.
1- Create a new blank text document and paste the contents below in that file and save it as “Wired-WinPE-UserData-PEAP-MSChapv2.xml“.
2- The username, password, and domain fields below will have to be replaced with the appropriate values being used.
--Start of File--
<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
<EapMethod>
<eapCommon:Type>25</eapCommon:Type>
<eapCommon:AuthorId>0</eapCommon:AuthorId>
</EapMethod>
<Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
<baseEap:Eap>
<baseEap:Type>25</baseEap:Type>
<MsPeap:EapType>
<MsPeap:RoutingIdentity>DOMAIN\USERNAME</MsPeap:RoutingIdentity>
<baseEap:Eap>
<baseEap:Type>26</baseEap:Type>
<MsChapV2:EapType>
<MsChapV2:Username>USERNAME</MsChapV2:Username>
<MsChapV2:Password>PASSWORD</MsChapV2:Password>
<MsChapV2:LogonDomain>DOMAIN</MsChapV2:LogonDomain>
</MsChapV2:EapType>
</baseEap:Eap>
</MsPeap:EapType>
</baseEap:Eap>
</Credentials>
</EapHostUserCredentials>
--End of File--
Next we will need to add the files we just created along with the 802.1x patch to our boot wim. I found the x86 boot wim easier to work with and it is suitable for x86 and x64 deployments. You can also choose to add some of these files in a separate process that will be detailed later when dealing with importing the boot wim into SCCM.
· You can retrieve the base boot.wim file from the SCCM install location under \OSD\boot\i386\boot.wim.
· You will also need the WAIK application installed to perform these steps.
· Copy the boot.wim to C:\8021x
· Create a folder called C:\mount
· Copy the files, certificates, and utilities collected in the previous steps to C:\8021x.
1. Mount the boot.wim so that we can apply the hotfix and add any needed files.
a. Run the Deployment Tools Command Prompt as administrator. This can be found under the Microsoft Windows AIK folder on the start menu.
b. Dism /mount-wim /wimfile:C:\8021x\boot.wim /index:1 /mountdir:C:\mount
2. Apply the KB972831 patch to enable 802.1x authentication capabilities.
a. Dism /image:C:\mount /add-package /packagepath:"C:\8021x\Windows6.1-KB972831-x86.cab"
b. Note that you need to use the .cab file for this process
3. Copy the Certutil utility files to their corresponding folders in the mounted image.
a. Copy Certutil.exe to C:\mount\Windows\System32
b. Copy Certutil.exe.mui to C:\mount\Windows\System32\en-US
4. Create a new folder in the mounted wim to hold the files gathered and created earlier.
a. Create folder C:\mount\8021x
b. Copy any root CA certificates gathered into C:\mount\8021x.
c. Copy the authentication profile “Local Area Connection.xml” into C:\mount\8021x.
d. Copy the credential file “Wired-WinPE-UserData-PEAP-MSChapv2.xml” into C:\mount\8021x.
e. Any additional tools needed may also be copied over at this point i.e. trace32.exe or for x64 wims trace64.exe.
5. Unmount the wim and commit the changes
a. Dism /unmount-wim /mountdir:C:\mount /commit
Note - This step may display an error but still complete successfully; however, the error will prevent remounting the WIM until it is resolved.
b. The dism /get-mountedwiminfo and dism /cleanup-wim commands, along with a reboot, can help resolve any stuck WIMs.
1. Open the SCCM Admin Console and navigate to Operating System Deployment under Computer Management.
a. Right Click on Boot Images and select “Add Boot Image”

b. Provide the UNC path for the boot wim; the current path is displayed below.

c. Provide a descriptive name and any additional information needed.

d. Click Next and Finish

e. Add the required distributions points.
In order to automate the process, several scripts will need to be created and run during the initial boot of WinPE, and again after the image is applied and Windows 7 takes over the installation process but before it is joined to the domain.
This can be done with batch or VBScript, but for the purposes of this document I am using batch.
1. The Wired Autoconfig Service needs to be started to facilitate the 802.1x authentication process.
a. Net start dot3svc
2. Import the necessary Root CA certificates.
a. X:\windows\system32\certutil.exe -addstore root X:\8021x\RootCA.cer
3. Import the 802.1x user authentication profile.
a. Netsh lan add profile filename="X:\8021x\Local Area Connection.xml" interface="Local Area Connection"
4. Import the 802.1x user credential profile.
a. Netsh lan set eapuserdata filename="X:\8021x\Wired-WinPE-UserData-PEAP-MSCHAPv2.xml" allusers=yes interface="Local Area Connection"
Warning - Do not use any XML escape characters in your user account password. This will cause this command to fail. These are &, <, >, ', and ".
5. Initiate a DHCP request to obtain an IP address
a. Ipconfig /renew
b. Ipconfig /renew
i. I listed this twice as the first attempt seems to fail possibly due to authentication having not taken place yet but the second attempt successfully pulls an IP.
Sample Batch Script
--Start of File--
@ECHO OFF
net start dot3svc
x:\windows\system32\certutil.exe -addstore root X:\8021x\RootCA1.cer
x:\windows\system32\certutil.exe -addstore root X:\8021x\RootCA2.cer
netsh lan add profile filename="X:\8021x\Local Area Connection.xml" interface="Local Area Connection"
netsh lan set eapuserdata filename="X:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml" allusers=yes interface="Local Area Connection"
ipconfig /renew
ipconfig /renew
--End of File--
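The credential file shown earlier has to be hand-edited with the username, password and domain, and the warning above says that an XML special character in the password makes "netsh lan set eapuserdata" fail. The following Python script is an added example, not part of the original guide: it generates Wired-WinPE-UserData-PEAP-MSChapv2.xml with the same element layout and namespaces as the guide's file, and refuses any value that contains one of the five characters before anything is written. The sample values in the usage line (CORP, imaging) are constructed.

```python
"""Added example, not part of the original guide: generate the
Wired-WinPE-UserData-PEAP-MSChapv2.xml credential file and check the
values first, since the guide notes that 'netsh lan set eapuserdata'
fails when the password contains XML special characters."""
import sys
import xml.etree.ElementTree as ET

# Characters the guide says must not appear in the password (&, <, >, ', ").
FORBIDDEN_CHARS = frozenset('&<>\'"')

# Same element layout and namespaces as the guide's credential file.
TEMPLATE = """<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
<EapMethod>
<eapCommon:Type>25</eapCommon:Type>
<eapCommon:AuthorId>0</eapCommon:AuthorId>
</EapMethod>
<Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
<baseEap:Eap>
<baseEap:Type>25</baseEap:Type>
<MsPeap:EapType>
<MsPeap:RoutingIdentity>{domain}\\{username}</MsPeap:RoutingIdentity>
<baseEap:Eap>
<baseEap:Type>26</baseEap:Type>
<MsChapV2:EapType>
<MsChapV2:Username>{username}</MsChapV2:Username>
<MsChapV2:Password>{password}</MsChapV2:Password>
<MsChapV2:LogonDomain>{domain}</MsChapV2:LogonDomain>
</MsChapV2:EapType>
</baseEap:Eap>
</MsPeap:EapType>
</baseEap:Eap>
</Credentials>
</EapHostUserCredentials>
"""


def offending_chars(value):
    """Return the forbidden characters present in value, sorted."""
    return sorted(FORBIDDEN_CHARS.intersection(value))


def build_credential_xml(domain, username, password):
    """Return the credential file text, or raise ValueError if any value
    contains a character that netsh would reject."""
    for label, value in (("domain", domain), ("username", username), ("password", password)):
        bad = offending_chars(value)
        if bad:
            raise ValueError("%s contains characters netsh rejects: %s" % (label, "".join(bad)))
    text = TEMPLATE.format(domain=domain, username=username, password=password)
    ET.fromstring(text)  # fail fast if the result is not well-formed XML
    return text


def password_in_file(text):
    """Read the password back out of a credential file (round-trip check)."""
    ns = "{http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1}"
    return ET.fromstring(text).find(".//%sPassword" % ns).text


if __name__ == "__main__":
    # Usage: python make_eapuserdata.py CORP imaging Passw0rd > Wired-WinPE-UserData-PEAP-MSChapv2.xml
    if len(sys.argv) != 4:
        sys.exit("usage: DOMAIN USERNAME PASSWORD")
    sys.stdout.write(build_credential_xml(*sys.argv[1:]))
```

The check is applied to the domain and username as well as the password, since all three land in the same XML text. The generated file still holds the password in clear text, which is why the guide's last step deletes the 802.1x files once imaging is complete.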
You will need this file to facilitate 802.1x authentication after the image is applied but before the system is joined to the domain as it cannot perform computer based authentication prior to joining the domain. This file is the same as we created for WinPE but it runs from the C:\ drive so the appropriate modifications need to be made.
Sample Batch Script
--Start of File--
@ECHO OFF
net start dot3svc
C:\windows\system32\certutil.exe -addstore root C:\windows\temp\8021x\DODRoot1.cer
C:\windows\system32\certutil.exe -addstore root C:\windows\temp\8021x\DODRoot2.cer
netsh lan add profile filename="C:\windows\temp\8021x\Local Area Connection.xml" interface="Local Area Connection"
netsh lan set eapuserdata filename="C:\windows\temp\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml" allusers=yes interface="Local Area Connection"
ipconfig /renew
ipconfig /renew
--End of File--
WinPE has several mechanisms to run custom tasks upon startup, including:
Startnet.cmd
TSConfig.ini
WinPEshl.ini
Unattend.xml
AutoUnattend.xml
The problem is that SCCM does not honor any of these except winpeshl.ini during an in-place upgrade, where the user initiates the task sequence from within Windows XP or Windows 7. When booting from a CD or PXE to contact an SCCM server, an unattend.xml placed under windows\system32 will run on startup.
Example winpeshl.ini file:

Normally this file contains only the last line in the file “%SYSTEMDRIVE%\sms\bin\x64\TsBootShell.exe” but modifying it to add commands before it will allow those to run before the task sequence starts. Also depending on which architecture your boot wim is then x64 can be replaced with i386 or you could mount and view this file from a boot wim that SCCM has created to see what the correct command would be.
This file is located and run from X:\windows\system32 in WinPE.
The final file needed allows the Windows 7 Setup process to execute the script we created earlier under the "Windows 7 Startup Script" section. This is required so the system can join the domain after WinPE has finished applying the image to the drive.
Sample Unattend.xml file:
--Start of File--
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Path>cmd /c C:\windows\temp\8021x\netinit2.cmd</Path>
<Order>1</Order>
<Description>802.1x Initialization</Description>
</RunSynchronousCommand>
</RunSynchronous>
</component>
</settings>
<cpi:offlineImage cpi:source="wim://ASDFSDFSDF/softwaresoftware/install%20sources/windows%207%20x64/sources/install.wim#Windows 7 ENTERPRISE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
--End of File--
If you already have an answer file built for other purposes you can just add the RunSynchronousCommand section to the specialize pass in your own file.
This file is specified in the task sequence under the “Apply Operating System” step and needs to be setup as a package in order to be selected as seen below.

Now that most of the files needed for this process are created, we need to go over how SCCM handles updating boot wims behind the scenes, as this affects how we can manipulate the startup and included files in the boot wim.
When any change is made to a boot wim within SCCM and an update of the distribution point is required a series of actions occur behind the scenes to inject and/or replace files in the wim with a copy SCCM uses to ensure the boot wim can process the task sequence properly. The OSDInjection.xml file controls this behavior and is located in the SCCM install directory under \bin\i386\.

This file will inject files from several different locations, the SCCM folder structure and the WAIK.
Filelist Source=WAIK
· C:\Program Files\Windows AIK\Tools\
Filelist Source=SCCM
· SCCM Install Directory\OSD\BIN\I386 or x64
Example OSDInjection.xml file.
Note – most entries were removed for this example.
<?xml version="1.0" encoding="utf-8"?>
<InjectionFiles>
<Architecture imgArch="i386">
<FileList source="WAIK">
<File name="Local Area Connection2.xml">
<LocaleNeeded>false</LocaleNeeded>
<Source>tools</Source>
<Destination>windows\system32\802.1x</Destination>
</File>
</FileList>
<FileList source="SCCM">
<File name="WinPEshl.ini">
<LocaleNeeded>false</LocaleNeeded>
<Source>bin\i386</Source>
<Destination>windows\system32</Destination>
</File>
</FileList>
</Architecture>
</InjectionFiles>
The previously created winpeshl.ini will have to be injected using this process in order for SCCM to run the 802.1x initialization script upon startup. Changing this file in the boot wim manually will not work, because SCCM will overwrite it during the update distribution point process. And again, SCCM will not honor the other startup methods: if the task sequence is initiated by the user or automatically from within the existing OS, normal WinPE boot procedures do not apply, because the task sequence is already "in progress" when the computer stages the boot wim and reboots into WinPE, so it doesn't run its normal startup sequence.
1. Copy a modified WinPEshl.ini file to the appropriate location for the architecture of your boot wim.
a. SCCM Install Directory\OSD\BIN\I386 (x86 boot wims)
b. SCCM Install Directory\OSD\BIN\x64 (x64 boot wims)
2. Backup the default OSDInjection.xml file located under “SCCM Install Directory\bin\I386”
3. Add an entry for the custom WinPEshl.ini file
a. Find the line <FileList source="SCCM">
b. Add an entry similar to the following for the correct architecture of your boot wim:
<File name="WinPEshl.ini">
<LocaleNeeded>false</LocaleNeeded>
<Source>bin\i386</Source>
<Destination>windows\system32</Destination>
</File>
4. Locate the appropriate boot wim package under “Operating System Deployment” and right click and run update distribution points.
5. Add the new boot wim to a task sequence and test functionality.
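Steps 1 through 3 above amount to two file edits: producing a WinPEshl.ini that runs the 802.1x script ahead of TsBootShell.exe, and adding a matching File entry under the SCCM FileList for the right architecture in OSDInjection.xml. The Python script below is an added example, not part of the original guide or of ConfigMgr: it performs both edits, adds the OSDInjection.xml entry only if one is not already there (so re-running it after a later change is safe), and backs up the original file first, as step 2 requires. The sample OSDInjection.xml embedded in it is constructed to match the trimmed example above, and the script name netinit.cmd in the generated WinPEshl.ini is an assumed placeholder; the guide does not name the WinPE script.

```python
"""Added example, not part of the original guide or of ConfigMgr: add the
WinPEshl.ini entry to OSDInjection.xml for one boot-wim architecture (only
once, so re-running it is safe) and produce the WinPEshl.ini text that the
entry will inject. The script name netinit.cmd is an assumed placeholder."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the trimmed OSDInjection.xml shown above.
SAMPLE_OSDINJECTION = """<InjectionFiles>
<Architecture imgArch="i386">
<FileList source="WAIK">
<File name="Local Area Connection2.xml">
<LocaleNeeded>false</LocaleNeeded>
<Source>tools</Source>
<Destination>windows\\system32\\802.1x</Destination>
</File>
</FileList>
<FileList source="SCCM">
</FileList>
</Architecture>
<Architecture imgArch="x64">
<FileList source="SCCM">
</FileList>
</Architecture>
</InjectionFiles>
"""


def winpeshl_ini(arch, init_script=r"%SYSTEMDRIVE%\8021x\netinit.cmd"):
    """Text of the modified WinPEshl.ini: run the 802.1x script first, then
    the stock TsBootShell.exe line. arch is the folder under \\sms\\bin
    (i386 or x64); init_script is an assumed path, not from the guide."""
    lines = ["[LaunchApps]",
             "cmd.exe, /c " + init_script,
             "%SYSTEMDRIVE%\\sms\\bin\\" + arch + "\\TsBootShell.exe"]
    return "\n".join(lines) + "\n"


def _sccm_filelist(root, arch):
    """Find <FileList source="SCCM"> under the <Architecture> for arch."""
    for architecture in root.findall("Architecture"):
        if architecture.get("imgArch") == arch:
            for filelist in architecture.findall("FileList"):
                if filelist.get("source") == "SCCM":
                    return filelist
    raise ValueError('no <FileList source="SCCM"> for architecture %r' % arch)


def winpeshl_entries(xml_text, arch):
    """Number of WinPEshl.ini entries already in the SCCM file list for arch."""
    filelist = _sccm_filelist(ET.fromstring(xml_text), arch)
    return sum(1 for f in filelist.findall("File")
               if (f.get("name") or "").lower() == "winpeshl.ini")


def add_winpeshl_entry(xml_text, arch):
    """Return (new_xml_text, added). Adds the entry the guide shows, with
    Source bin\\<arch>, unless one is already present."""
    root = ET.fromstring(xml_text)
    filelist = _sccm_filelist(root, arch)
    for f in filelist.findall("File"):
        if (f.get("name") or "").lower() == "winpeshl.ini":
            return ET.tostring(root, encoding="unicode"), False
    entry = ET.SubElement(filelist, "File", name="WinPEshl.ini")
    ET.SubElement(entry, "LocaleNeeded").text = "false"
    ET.SubElement(entry, "Source").text = "bin\\" + arch
    ET.SubElement(entry, "Destination").text = "windows\\system32"
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    # Usage: python add_winpeshl.py "<SCCM Install Directory>\bin\i386\OSDInjection.xml" i386
    import shutil
    import sys
    path, arch = sys.argv[1], sys.argv[2]
    shutil.copy(path, path + ".bak")  # step 2: back up the original first
    with open(path, "rb") as fh:
        new_text, added = add_winpeshl_entry(fh.read(), arch)
    if added:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_text)
    print("entry added" if added else "entry already present")
    print(winpeshl_ini(arch), end="")
```

The generated WinPEshl.ini text is printed so it can be placed under OSD\BIN\I386 or OSD\BIN\x64 as step 1 describes; the Source value written into OSDInjection.xml follows the same arch-specific folder naming, so the entry and the file stay paired.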
Several other modifications are required for the task sequence to join the domain successfully and complete all steps on longer task sequences like the USMT one.
After the image is applied, WinPE is no longer booted to run the task sequence; the task sequence is instead run from the new OS install, so we need to get the necessary files from WinPE to Windows 7. This can be done by simply creating a step after the "Apply Operating System" step to copy the files from X: to C:, as seen below.

The unattend file we specified in the "Apply Operating System" step does not get processed until the "Setup Windows and ConfigMgr" step. If you check the logs under C:\windows\panther you will see that, without another join domain step, the 802.1x initialization script runs immediately after the domain join fails, so it is necessary to modify the task sequence with a separate join domain step that runs after the "Setup Windows and ConfigMgr" step.

You will also need to modify the "Apply Network Settings" step to join a workgroup instead, to prevent it from trying to join the domain during the Setup Windows step; this saves the 5 minutes it spends failing to join.

For longer task sequences like one with additional steps for USMT it was necessary to add in steps towards the end of the task sequence to run the network initialization script again as it was observed to lose the ability to authenticate and receive an IP address after a period of time. To combat this you can just add steps similar to those below to run the script again.

The last step is to create another 802.1x profile like we did under section 3, but instead of user authentication we need to change it to computer authentication and import it as the last step so the computer switches to the proper method of authentication. We also need to delete the 802.1x files we used, since they contain information that should not remain available after the imaging process is complete.
