Wireless computers on an Active Directory domain

On an Active Directory domain it can be risky to implement consumer grade wireless networks, not necessarily because of weak security (some support strong authentication mechanisms) but because they typically do not establish their network connection until after you log on. In an environment where you have shared workstations or rely upon group policies for application installation, these tasks will not take place.

In this environment, the user will log on using cached credentials (if they exist) before the wireless network connection is established. Password policies and non-cached credentials pose an obvious problem. If the user does log on with an old cached credential (because the password was changed on another machine), they will not be able to access network resources until they lock and then unlock the workstation so it can refresh the local credentials to match Active Directory.
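To see how often this happens on a given workstation, the following added example (not part of the original post) lists recent interactive logons and whether each was validated from the local credential cache. It assumes Windows Vista / Server 2008 or later, where logons are recorded as Security event 4624 and logon type 11 (CachedInteractive) marks a cached-credential logon, and it must be run from an elevated PowerShell session.

```powershell
# Added example: audit how recent interactive logons on this machine were validated.
# Assumes Security event 4624 (Windows Vista / Server 2008 or later) and an elevated session.

# Logon types of interest in event 4624:
#   2  = Interactive        (console logon validated at logon time)
#   11 = CachedInteractive  (console logon validated from cached domain credentials)
$logonTypes = @{ '2' = 'Interactive'; '11' = 'CachedInteractive' }

function Get-InteractiveLogon {
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read fields by name from the event XML rather than by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [string]$data['LogonType']
        if ($logonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $logonTypes[$type]
            }
        }
    }
}

# How many domain logons this workstation keeps cached (string value, default 10).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
"CachedLogonsCount = $cached"

# Detail view, newest first, then a per-user summary by logon type.
$logons = @(Get-InteractiveLogon -Days 7)
$logons | Sort-Object Time -Descending | Format-Table -AutoSize
$logons | Group-Object User, LogonType | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize
```

A workstation where domain users show only CachedInteractive logons is one where the network was not available at logon time.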

From the standpoint of software installation distributed through group policies, these settings will never be noticed in time. Sure, the machine policies will be updated in the background every 90 minutes, but when the computer is restarted it will try to install the software and be unable to find the network resources.

What are the options around this… Basically, you can either fight with this process (as most people unknowingly do, and simply chalk it up to a Microsoft problem)… or you can purchase an enterprise grade wireless network card which supports boot time networking. This is typically an advanced or manual setting which needs to be selected explicitly. But once it is enabled, all of these wireless woes disappear.

[Edit: 05/2010 – in searching for another post I realized that I neglected to mention in this article 802.1x, which not only supports boot time authentication, but machine and/or certificate based authentication. I’ll write a follow-on article to this later on, but it works great, and even many consumer grade wireless devices support this option, as do most wireless adapters.]