Network access authentication and certificates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Network access authentication and certificates
This topic contains the following sections:
Overview
Certificate requirements for EAP
Computer authentication by IPSec
Certificate-based authentication and wireless clients
Certificate enrollment methods and domain membership
Choosing a certificate enrollment method
CA Web enrollment services
Overview
Certificates are used for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less secure password-based authentication methods. This topic describes how Internet Authentication Service (IAS) and virtual private network (VPN) servers use Extensible Authentication protocol-Transport Level Security (EAP-TLS), protected Extensible Authentication protocol (PEAP), or Internet protocol security (IPSec) to perform certificate-based authentication for many types of network access, including VPN and wireless connections. Additionally, this topic describes certificate enrollment methods to help you determine the best certificate enrollment method for your use.
When discussing authentication, a server is defined as a VPN or IAS server that is a TLS end point. You can configure VPN servers to perform network access authentication without IAS, or you can use IAS for authentication when you have multiple Remote Access Dial-In User Service (RADIUS) clients (such as VPN servers and wireless access points) on your network.
Two authentication methods use certificates: Extensible Authentication protocol-Transport Level Security (EAP-TLS) and protected Extensible Authentication protocol (PEAP). Both methods always use certificates for server authentication. Depending on the authentication type configured with the authentication method, certificates might be used for user authentication and client authentication. For more information, see EAP and PEAP.
The use of certificates for authentication of VPN connections is the strongest form of authentication available with the Windows Server 2003 family. You must use certificate-based authentication for VPN connections based on Layer Two Tunneling protocol over Internet protocol security (L2TP/IPSec). Point-To-Point Tunneling protocol (PPTP) connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients (computing devices with wireless network adapters, such as your portable computer or personal digital assistant), PEAP with EAP-TLS and smart cards or certificates is the recommended authentication method. For more information, see Layer Two Tunneling Protocol, Point-to-Point Tunneling Protocol, and Wireless Networking.
Notes
During authentication attempts for PPTP connections, computer authentication does not occur. When EAP-TLS is used as the authentication method with PPTP connections, user authentication is performed with a certificate from the certificate store on the local computer or from a smart card.
On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.
You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
In order to deploy certificates to users and computers, you must first do the following:
Design a public key infrastructure (PKI).
Deploy a certification authority (CA) using Certificate Services.
Design and publish one or more certificates using Certificate Templates, which is installed with Certificate Services.
Select one or more distribution methods (also known as certificate enrollment methods) to install the certificates on computers and distribute them to users.
Notes
This topic assumes that you have designed and deployed a PKI according to the guidelines provided in Certificate Services Best practices. For more information, see Public Key Infrastructure.
PEAP is not supported for VPN or dial-up connections.
Example certificate deployments
Remote access VPN connections
L2TP/IPSec or PPTP connections between VPN server and VPN client with EAP-TLS used as the authentication method. IPSec uses computer certificates between the client and the server for authentication, and EAP-TLS uses a certificate (from a smart card or the user's local certificate store) for user authentication. The IAS or VPN server certificate must contain the server Authentication purpose, and the client computer or user certificate must contain the Client Authentication purpose in the Enhanced Key Usage (EKU) extensions of the certificate.
For more information, see L2TP-based remote access VPN deployment and PPTP-based remote access VPN deployment.
Router-to-router VPN connections
L2TP/IPSec connections for dedicated or dial-on-demand connections between servers with EAP-TLS as the authentication method. Both servers must have certificates that contain the server Authentication and Client Authentication purposes in EKU extensions.
For more information, see Deploying Router-to-Router VPNs.
IEEE 802.1X wireless or switch clients
PEAP-EAP-MS-CHAPv2 is configured as the authentication method, and the Validate server certificate option is enabled on the client computers. The IAS server certificate EKU extensions contain the server Authentication purpose, and the certificate is used to identify the server to the client. User authentication is accomplished with user name and password.
For more information, see Enable smart card or other certificate authentication and Configuring wireless network settings on client computers.
IEEE 802.1X wireless or switch clients
L2TP/IPSec is used, and EAP-TLS with certificates is configured as the authentication method. The IAS server certificate contains the server Authentication purpose in EKU extensions to identify itself to the client, and the client uses a certificate (from a smart card or the user's local certificate store) to identify itself to the IAS server. (The wireless access points are configured as RADIUS clients on the IAS server, which is the EAP authenticator.)
Note
- User authentication and network access authorization are performed by either the VPN server or a RADIUS server, such as Internet Authentication Service (IAS), as configured on the VPN gateway. For more information, see Use RADIUS authentication.
Certificate requirements for EAP
When you use EAP with a strong EAP type (such as TLS with smart cards or certificates), both the client and the server use certificates to verify their identities to each other. Certificates must meet specific requirements in order to allow the server and the client to use them for successful authentication.
One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2.
Certificate Templates allow customization of the certificates issued by Certificate Services, including both how certificates are issued and what they contain, including their purposes. In Certificate Templates, you can use a default template, such as the Computer template, to define the template that the CA uses to assign certificates to computers. You can also create a certificate template and assign purposes in EKU extensions to the certificate. By default, the Computer template includes the Client Authentication purpose and the server Authentication purpose in EKU extensions.
The certificate template that you create can include any purpose for which the certificate will be used. For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose in addition to the Client Authentication purpose.
When using IAS, you can configure IAS to check certificate purposes before granting network authorization. IAS can check additional EKUs and Issuance Policy purposes (also known as Certificate Policies).
Some non-Microsoft CA software might contain a purpose named All, which represents all possible purposes. This is indicated by a blank (or null) EKU extension. Although All means all possible purposes, the All purpose cannot be substituted for the Client Authentication purpose, the server authentication purpose, or any other purpose related to network access authentication.
For more information, see Certificate Templates and Manage Certificate Templates for an Enterprise Certification Authority.
You can view certificates and their purposes by using the Certificates console to open the certificate store. Certificate stores can be viewed in Logical Store mode or in Purpose mode. For information about how to view certificate purposes, see Display certificate stores in Purpose mode.
Minimum certificate requirements
All certificates that are used for network access authentication must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer-Transport Level Security (SSL/TLS). After this minimum requirement is met, both client and server certificates have additional requirements.
Client certificate requirements
With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN name in a certificate template:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to change, and then click properties.
Click the Subject Name tab, and then click Build from this Active Directory information.
In Include this information in alternate subject name, select User principal name (UPN).
- For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name. To configure this name in the certificate template:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to change, and then click properties.
Click the Subject Name tab, and then click Build from this Active Directory information.
In Include this information in alternate subject name, select DNS name.
With PEAP-EAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:
Wireless clients do not display registry-based and smart card-logon certificates.
Wireless clients and VPN clients do not display password-protected certificates.
Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.
Server certificate requirements
Clients can be configured to validate server certificates by using the Validate server certificate option. With PEAP-EAP-MS-CHAPv2, PEAP-EAP-TLS, or EAP-TLS as the authentication method, the client accepts the server's authentication attempt when the certificate meets the following requirements:
- The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To configure the certificate template with a Subject name:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to change, and then click properties.
Click the Subject Name tab, and then click Build from this Active Directory information.
In Subject name format, select a value other than None.
The computer certificate on the server chains to a trusted root CA and does not fail any of the checks that are performed by CryptoAPI and specified in the remote access policy.
The IAS or VPN server computer certificate is configured with the server Authentication purpose in EKU extensions (the object identifier for server Authentication is 1.3.6.1.5.5.7.3.1).
The server certificate is configured with a required cryptographic service provider (CSP) value of Microsoft RSA SChannel Cryptographic provider. To configure the required CSP:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to change, and then click properties.
Click the Request Handling tab, and then click CSPs.
In CSP Selection, select Requests must use one of the following CSPs.
In CSPs, select the Microsoft RSA SChannel Cryptographic provider checkbox. Clear all other checkboxes in CSPs.
- The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the DNS name of the enrolling server:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to change, and then click properties.
Click the Subject Name tab, and then click Build from this Active Directory information.
In Include this information in alternate subject name, select DNS name.
With PEAP and EAP-TLS, servers display a list of all installed certificates in the computer's certificate store, with the following exceptions:
Certificates that do not contain the server Authentication purpose in EKU extensions are not displayed.
Certificates that do not contain a Subject name are not displayed.
Servers do not display registry-based and smart card-logon certificates.
Note
- You can designate which certificate is used by the IAS or VPN server in the remote access policy profile. When you configure EAP and PEAP authentication methods that require a certificate for server authentication and you do not select a specific certificate in the Smart Card or other Certificate properties dialog box, the IAS or VPN server automatically selects a certificate from the computer certificate store. If the server obtains a newer certificate, it uses the new certificate. This might cause the IAS or VPN server to use a certificate that is not correctly configured for authentication, causing authentication to fail as the result. To prevent this, always select a server certificate when configuring PEAP and EAP authentication methods that require one. For more information, see Configure PEAP and EAP methods.
Computer authentication by IPSec
Computer authentication is first performed during L2TP/IPSec connection attempts between remote access client and server. When a secure channel is established between the client and the server, the user authentication and authorization attempt proceeds.
Computer authentication by IPSec is performed using preshared keys or computer certificates. The recommended method of authentication is the use of a PKI and certificates. If certificates are used, a computer certificate is required to establish IPSec trust during the Internet Key Exchange (IKE) negotiation in L2TP/IPSec-based VPN connections.
In order for a VPN server running Windows Server 2003 and a VPN client running Windows 2000 or Windows XP to establish trust for an L2TP/IPSec VPN connection, both computers must have a computer certificate that was issued by the same trusted enterprise root CA. When both computers have and exchange certificates that were issued by the trusted root CA during IPSec negotiation, they extend trust to each other, and the security association is made.
How VPN servers use certificates
When an L2TP/IPSec VPN connection is attempted between VPN client and server, computer authentication fails if the VPN client certificate (from a smart card or the certificate store on the local computer) is not configured with the Client Authentication purpose in EKU extensions, and the VPN server certificate is not configured with the server Authentication purpose in EKU extensions. IPSec checks the EKU extensions for the client certificate to determine whether the Client Authentication purpose object identifier is present. When the EKU extension includes the Client Authentication purpose object identifier, IPSec can use the certificate for authentication. Similarly, the client checks the VPN server certificate for the server Authentication purpose object identifier in EKU extensions.
Although VPN servers that end connections for remote users need a certificate configured with the server Authentication purpose in EKU extensions only, a VPN servers that is used as an end point for a VPN connection with another VPN server originates (as a client) and ends (as a server) VPN connections. For this reason, the certificate on these servers must contain both the server Authentication purpose and the Client Authentication purpose in EKU extensions. In addition, due to the way in which automatic certificate selection functions, both purposes (server Authentication and Client Authentication) must be contained in the same certificate.
Automatic certificate selection can provide IPSec with any certificate in the certificate store that chains to the trusted enterprise root CA, regardless of the purposes contained in the certificate. If two certificates are installed on the server--one that contains the Client Authentication purpose and one that contains the server Authentication purpose--it is possible that automatic certificate selection could use the wrong certificate for authentication. For example, the certificate with the Client Authentication purpose might be required, but the certificate provided through automatic certificate selection contains the server Authentication purpose. In this and similar instances, computer authentication fails.
Certificate-based authentication and wireless clients
IEEE 802.1X authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. 802.1X provides support for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS in a variety of ways. If the Validate server certificate option is configured on the Windows XP Professional client, the client authenticates the server by using its certificate. Client computer and user authentication can be accomplished using certificates from the client certificate store or a smart card, providing mutual authentication.
With wireless clients, PEAP-EAP-MS-CHAPv2 can be used as the authentication method. PEAP-EAP-MS-CHAPv2 is a password-based user authentication method that uses TLS with server certificates. During PEAP-EAP-MS-CHAPv2 authentication, the IAS or RADIUS server supplies a certificate to validate its identity to the client (if the Validate server certificate option is configured on the Windows XP Professional client). Client computer and user authentication is accomplished with passwords, which eliminates some of the difficulty of deploying certificates to wireless client computers.
802.1X wireless and switch clients can also use PEAP-EAP-TLS, which provides strong security. PEAP-EAP-TLS uses a public key infrastructure (PKI) with certificates used for server authentication and either smart cards or certificates for client computer and user authentication. For more information, see PEAP.
For more information about 802.1X authentication, see Understanding 802.1X authentication for wireless networks.
Certificate enrollment methods and domain membership
The domain membership of computers for which you want to enroll certificates affects the certificate enrollment method that you can choose. Certificates for domain member computers can be enrolled automatically (also known as auto-enrollment), while an administrator must enroll certificates for non-domain member computers using the Web or a floppy disk. The certificate enrollment method for non-domain member computers is known as a trust bootstrap process, through which certificates are created and then manually requested or distributed securely by administrators, to build common trust.
Domain member certificate enrollment
If your VPN server, IAS server, or client running Windows 2000 or Windows XP is a member of a domain running Windows Server 2003 and Active Directory, you can configure the auto-enrollment of computer and user certificates. After auto-enrollment is configured and enabled, all domain member computers receive computer certificates when Group Policy is refreshed next, whether the refresh is triggered manually with the gpupdate command, or by logging on to the domain.
If your computer is a member of a domain where Active Directory is not installed, you can install computer certificates manually by requesting them through Certificates.
For more information, see Computer certificates for L2TP/IPSec VPN connections.
Note
- Computers running Windows 2000 can auto-enroll computer certificates only.
Non-domain member certificate enrollment
Certificate enrollment for computers that are not domain members cannot be done with auto-enrollment. When a computer is joined to a domain, a trust is established that allows auto-enrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established using one of the following methods:
An administrator (who is, by definition, trusted) must request a computer or user certificate using the CA Web enrollment tool.
An administrator must save a computer or user certificate to a floppy disk and install it on the non-domain member computer. Or, when the computer is not accessible to the administrator (for example, a home computer connecting to an organization network with an L2TP/IPSec VPN connection), a domain user whom the administrator trusts can install the certificate.
An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards).
Many network infrastructures contain VPN and IAS servers that are not domain members. For example, a VPN server in a perimeter network might not be a domain member for security purposes. In this case, a computer certificate with the server Authentication purpose contained in the EKU extensions must be installed on the non-domain member VPN server before it can successfully negotiate L2TP/IPSec-based VPN connections with clients. Note that if the non-domain member VPN server is used as an end point for a VPN connection with another VPN server, EKU extensions must contain both the server Authentication and Client Authentication purposes.
Choosing a certificate enrollment method
If you are running an enterprise certification authority (CA) on a computer running Windows Server 2003, Standard Edition, you can use the following table to determine the best certificate enrollment method for your requirements:
Object and domain membership | Certificate template | Certificate purposes | Preferred certificate enrollment method | Alternate certificate enrollment method |
---|---|---|---|---|
VPN or IAS server, domain member |
Computer |
Server Authentication |
Auto-enrollment |
Request a certificate with the Certificates snap-in |
VPN server with site-to-site connection, domain member |
Computer |
Server Authentication and Client Authentication |
Auto-enrollment |
Request a certificate with the Certificates snap-in |
Windows XP client, domain member |
Computer |
Client Authentication |
Auto-enrollment |
Request a certificate with the Certificates snap-in |
VPN or IAS server, non-domain member |
Computer |
Server Authentication |
CA Web enrollment tool |
Install from a floppy disk |
VPN server with site-to-site connection, non-domain member |
Computer |
Server Authentication and Client Authentication |
CA Web enrollment tool |
Install from a floppy disk |
Windows XP client, non-domain member |
Computer |
Client Authentication |
CA Web enrollment tool |
Install from a floppy disk |
User, domain user |
User |
Client Authentication |
Auto-enrollment |
Use a smart card or the CA Web enrollment tool |
If your certification authority is on a computer running one of the following operating systems, the RAS and IAS servers and Workstation Authentication templates are available for use:
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Windows Server 2003, Enterprise Edition for Itanium-based Systems
Windows Server 2003, Datacenter Edition for Itanium-based Systems
Windows Server 2003, Enterprise x64 Edition
Windows Server 2003, Datacenter x64 Edition
Use the following table to determine when to use these templates.
Object and domain membership | Certificate template | Certificate purpose | Preferred certificate enrollment method | Alternate certificate enrollment method |
---|---|---|---|---|
VPN or IAS server, domain member |
RAS and IAS server |
Server Authentication |
Auto-enrollment |
Request a certificate with the Certificates snap-in |
Windows XP client, domain member |
Workstation Authentication |
Client Authentication |
Auto-enrollment |
Request a certificate with the Certificates snap-in |
VPN or IAS server, non-domain member |
RAS and IAS server |
Server Authentication |
CA Web enrollment tool |
Install from a floppy disk |
Windows XP client, non-domain member |
Workstation Authentication |
Client Authentication |
CA Web enrollment tool |
Install from a floppy disk |
Important
If your server running IAS is not a domain controller but is a member of a domain with a Windows 2000 mixed functional level, you must add the server to the access control list (ACL) of the RAS and IAS server certificate template. You must also configure the correct permissions for autoenrollment. There are different procedures for adding single servers and groups of servers to the ACL.
To add an individual server to the ACL for the RAS and IAS server certificate template:
In Certificate Templates, select the template RAS and IAS server, and then add the IAS server to the template Security properties. For more information, see Allow subjects to request a certificate that is based on the template. After you have added your IAS server to the ACL, grant Read, Enroll, and Autoenroll permissions.
To manage a group of servers, add the servers to a new global or universal group, and then add the group to the ACL of the certificate template:
In Active Directory Users and Computers, create a new global or universal group for IAS servers. For more information, see Create a new group. Next, add to the group all computers that are IAS servers, are not domain controllers, and are members of a domain with a Windows 2000 mixed functional level. For more information, see Add a member to a group.
In Certificate Templates, select the RAS and IAS server template, and then add the group you created to the template Security properties by completing the steps in Allow subjects to request a certificate that is based on the template. After you have added your new group, grant Read, Enroll, and Autoenroll permissions.
For more information, see Domain and forest functionality.
CA Web enrollment services
A set of CA Web pages is provided with Certificate Services in the Windows Server 2003 family. These Web enrollment pages allow you to connect to the CA through a Web browser and perform common tasks, such as requesting certificates from a CA.
For more information, see Certification authority Web enrollment services and Set up certification authority Web enrollment support.
After your PKI has been designed and deployed and you are assigned the required permissions on the certificate templates, you can request certificates for computers by using the CA Web enrollment pages. You can request a certificate for a non-domain member computer using the CA Web enrollment tool by completing the following steps. You must be an administrator on the local computer to complete these steps.
Install a computer certificate on the local computer
Use your Web browser to log onto the Web enrollment tool at https://serverName/certsrv, where serverName is the name of the server hosting the CA, the CA Web pages, or both. Click Request a certificate.
In Request a certificate, click Advanced Certificate Request.
In Advanced Certificate Request, click Create and submit a request to this CA. A Web form that contains the sections Certificate Template, Key Options, and Additional Options becomes available. Select the following:
Certificate template: Administrator
Key options: Create new key set
CSP: Microsoft Enhanced Cryptographic provider v1.0
Key usage: Exchange
Key size: 1024
Automatic key container name: Selected
Mark keys as exportable: Selected
Use local machine store: Selected
Request format: PKCS 10
Hash: SHA-1
Friendly name: VPN server name
Click Submit.
Click Install this certificate
The certificate you requested is installed on your local computer.
Save a computer certificate to floppy disk
Use your Web browser to log onto the Web enrollment tool at https://serverName/certsrv, where serverName is the name of the server hosting the CA, the CA Web pages, or both. Click Request a certificate.
In Request a certificate, click Advanced Certificate Request.
In Advanced Certificate Request, click Create and submit a request to this CA. A Web form that contains the sections Certificate Template, Key Options, and Additional Options becomes available. Select the following:
Certificate template: Administrator
Key options: Create new key set
CSP: Microsoft Enhanced Cryptographic provider v1.0
Key usage: Exchange
Key size: 1024
Automatic key container name: Selected
Mark keys as exportable: Selected
Export keys to file: Selected
Full path name: The path location where you want to save the file and the file name (for example, \\serverName\ShareName\FileName.pvk.).
Request format: PKCS 10
Hash: SHA-1
Friendly name: VPN server name
Click Submit.
Create and confirm your private key password.
In Certificate Issued, select DER encoded and Download certificate chain.
Insert a floppy disk in your disk drive.
When prompted by your browser, select Save this file to disk, and then click OK.
Browse to your floppy drive, and then click OK.
The certificate you requested is downloaded and saved to floppy disk.
For more information, see Submit an advanced certificate request via the Web.
For information about installing a certificate from floppy to the certificate store of a local computer, see Import a certificate.
Note
- If you have issued a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To change this, you can use Certificate Templates to create a new certificate for enrollment on your IAS server. In the certificate properties, on the Subject Name tab, in Subject name format, select a value other than None.