SolutionBase: Understanding Windows Wireless Provisioning Services (WPS)

Managing wireless networks can be a challenging task. To help make things easier, Microsoft has created Windows Wireless Provisioning Services as an add-on for Windows Server 2003. Here's how it works.

Microsoft built Windows XP and Server 2003 to be wireless friendly. Out of the box, it's easy to set up a connection to a wireless network. However, when users log on to a public wireless hotspot such as those available in airports, hotels and restaurants, it sometimes takes some tweaking to get Internet access. One of the feature updates included with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 is Wireless Provisioning Services (WPS). WPS enhances the wireless client software built into XP and Server 2003, to automate the process of connecting to wireless networks (public or private) to access the Internet. Here's how WPS works and how it can help simplify the process of providing and connecting to a WISP or hotspot.

Advantages of WPS

With WPS on Server 2003 SP1, you will be able to become a Wireless Internet Services Provider (WISP) or hotspot provider. WPS on Windows XP SP2 allows your customers to connect to your network without having to make manual configuration changes. A WISP is an ISP that also provides hotspots. A hotspot provider connects to an ISP, and allows its customers to connect to the Internet through its ISP connection.

The big advantage of WPS is on the client side: your wireless clients don't need any special technical knowledge to connect and access the Internet through your service. They are able to create their user accounts and automatically get all the necessary configuration settings either over the Internet, prior to coming to your wireless site (called pre-provisioning), or on-site at the hotspot. Client computers don't require any extra software installed; they just need to have applied XP Service Pack 2. Neither the administrator nor the customer has to do anything to the client computers.

From the server side, the WPS software comes with Service Pack 1 and you don't need third party solutions. The provisioning server runs on IIS, which is part of Windows Server 2003 (or it can be run on a third-party Web server if you prefer). The RADIUS authentication service used to authenticate WPS users can be provided by Internet Authentication Service (IAS), which is included with Windows Server 2003 (it is also possible to use a third party RADIUS server).

The parts and pieces: WPS components

There are two parts to the WPS software in XP SP2. The network provisioning service (NPS) gets the configuration information (contained in XML files) from the server so that it can be automatically applied. SP2 also includes a version of the Wireless Zero Configuration service called Wireless Auto Configuration that works with works with NPS.

The server-side components of WPS consist of:

  • The provisioning server (a Windows Server 2003 SP1 computer running IIS or a third party Web server running a WPS Web application that can process XML files).
  • A RADIUS server (a Windows Server 2003 SP1 computer running IAS and configured with a certificate issued by a public CA, which is used for PEAP authentication of wireless clients).
  • Active Directory or an LDAP database for storing wireless customers' account information.
  • A DHCP server to provide wireless clients with IP addresses.
  • A SQL server or other database server to hold a promotion code database.

In addition, your wireless access points need to support Virtual Local Area Networks (VLANs) or IP filtering. One of these methods is used to identify clients that are not authenticated and give them limited access to the provisioning server, from which they can obtain credentials after they provide the necessary information (and payment, if applicable). The WAP also needs to be configured to be a RADIUS client.

The XML master and subfiles

The master XML file used by WPS points the client computers to the location of the subfiles that contain provisioning/configuration information. The subfiles include:

  • SSID subfile: defines the SSID or wireless network name
  • XML branding subfile: contains branding information (such as company name and/or hotspot name)
  • XML location subfile: contains a list of hotspot locations so clients know where they can go to access your service
  • XML help subfile: contains an MHTML help file for the use of your clients
  • XML connection subfile: contains server validation settings and server names, as well as the hash of a certificate to designate the CA certificates to be used by clients to determine whether to trust the provisioning and IAS servers

The XML files used by WPS can be generated by the Wireless Provisioning Services Authoring Tool, which can be downloaded from the Microsoft Download Center. You can also use this graphical tool to create a WPS signup wizard for wireless clients to use to sign up for your service. The tool can be run on Windows XP SP2 or Windows Server 2003 SP1 computers.

Deploying WPS technology

There are several scenarios for deploying WPS, depending on whether you will use VLANs or IP filtering to identify and isolate unauthenticated clients. Exact configuration details will vary depending on your scenario, but there are several basic steps involved, including:

  • Configuring the provisioning server
  • Configuring Active Directory
  • Configuring the IAS server
  • Configuring the DHCP server

Configuring the Provisioning Server

The provisioning server must be configured with:

  • Web server software (IIS or a third party Web server) that uses HTTPS.
  • A Web application that can process the XML file containing account and payment information that is created by the XP SP2 client and sent to the provisioning server. The application creates an account for the customer in Active Directory or another LDAP database.
  • XML files that contain the configuration information that is returned to the client. This includes a master file and subfiles.
  • A server certificate issued by a CA that is trusted by the clients. XP computers trust public CAs such as Verisign by default.

Which CAs does XP trust?

To see the list of root certification authorities that Windows XP clients trust by default, click Start | Run and type mmc. In the new empty management console, click File | Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, click the Add button. Select Certificates in the list of available standalone snap-ins and click Close, then click OK.

In the left pane of the Certificates MMC, expand Trusted Root Certification Authority and click Certificates. In the right details pane, you will see a list of CAs that are trusted.

On Windows Server 2003, IIS is not installed by default. You can install it as a Windows component through the Add/Remove Programs applet in Control Panel.

You'll need to install the .NET Framework if it isn't already installed, and then register ASP.NET. To do so, type this line at the command line:

%WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe I

Next, create a folder where you will store your Web application files. Install the Web application into this folder and configure user permissions to enable Write permissions on the folder for Everyone.

Create a second folder where you will store the XML files (master and subfiles).

Enable HTTPS by installing a server certificate issued by a public CA.

Configuring Active Directory

If Active Directory isn't already installed, you'll need to run dcpromo to install it. Next, create one or more security groups to be used by wireless clients. If you want different clients to have different permissions, you can create more than one group and configure permissions for each group separately. These groups will be used in the IAS remote access policy.

By default, the Guest account in Windows Server 2003 Active Directory is disabled. You must enable it to use WPS, because a client that doesn't yet have credentials uses the guest account in the first phase of network access, to log on and obtain the proper credentials.

You will also need to raise the functional level of the domain to Windows 2000 native or higher. First be sure that you don't have any NT 4.0 domain controllers in the domain. If all of your domain controllers run Windows Server 2003, you can raise the functional level to Windows Server 2003.


To raise the functional level of the domain, use the Active Directory Domains and Trusts administrative tool. You must be a domain administrator or enterprise administrator to do this.

Configuring the IAS server

IAS is not installed in Windows Server 2003 by default. You'll need to install it as a Windows component through the Add/Remove Programs applet in Control Panel.

IAS must be registered in Active Directory so it can use the AD user accounts. You can register the IAS server from the IAS MMC (right click Internet Authentication Service in the console tree and select Register Server in Active Directory) or by typing netsh ras add registeredserver at the command line.

You must delete the default remote access policies on the IAS server and then configure two remote access policies to be used by WPS:

  1. A Guest Access Policy used by clients that don't yet have user accounts
  2. A Valid Users Access Policy used by clients that have already obtained user credentials
These policies are configured via the IAS MMC (right click Remote Access Policies in the console tree, select New Remote Access Policy and the wizard will walk you through the steps. Make sure the Valid Users policy is at the top of the list because the policies are evaluated in order and valid users won't be able to authenticate if the Guest Access policy is first.

You'll also need to edit the registry of the computer running IAS to use it with WPS. This is done by creating a new DWORD value in the following key:


Name the new value EnableWPSCompatibility and set the data value to 1 to enable it. You can disable it by setting the value to 0.

When you enable this value, a checkbox for Protected EAP (PEAP) will appear in the Authentication choices when you perform the following steps:

  1. In the left pane of the IAS MMC, double click Connection Request Processing.
  2. Click Connection Request Policies.
  3. In the right pane, double click the default policy (Use Windows authentication for all users).
  4. Click Edit Profile.
  5. Click the Authentication tab.
  6. The Protected EAP checkbox appears in the section labeled Authenticate requests on this server. Ensure that it is checked.
  7. The IAS server also needs a certificate issued by a public CA with the Server Authentication purpose in Enhanced Key Usage (EKU) extensions.


The server certificates that you get from the public CA must meet certain requirements. The Subject name value cannot be blank, the certificate must pass all the criteria checks in the remote access policy, Microsoft RSA SChannel must be configured as the Cryptographic Service Provider (CSP), and the Subject Alternative Name must contain the server's DNS name.

The IAS server uses PEAP-TLV (Type-Length-Value), which is added by Server 2003 SP1. It must be configured to give the client computers the secure URL (HTTPS) for the location of the provisioning server where the clients can get the XML files. It must also be configured with an "action parameter" for the tasks the client can request to perform, such as signing up for the hotspot service or changing their passwords.

Configuring the DHCP server

You'll need a Windows Server 2003 DHCP server to assign IP addresses to the wireless clients. If you are using VLANs to identify and isolate unauthenticated clients, you'll need to create DHCP scopes for the VLANs.

You'll also need to make sure the DHCP server is authorized in Active Directory. If the DHCP server is running on a domain controller, it will be authorized when you add it to the DHCP console. If it's running on a member server, you'll need to manually authorize it. To do so, open the DHCP MMC, click DHCP in the console tree, click the Action menu and select Manage authorized servers. In the dialog box, click Authorize and then enter the IP address or name of the DHCP server.

Configuring the Database Server

Your SQL or other database server needs to be set up with a database that contains these fields:

  • Promotion code field
  • User name field
  • Domain name field
  • Security group field
  • Expiration date field
  • Ensure that permissions on the database are configured so that the Web application can read and write to it.


The security group field in the database must be the same as the security group name in Active Directory, and this same value must match the security group name in the Valid User Policy.

The WPS connection process

The client computer can be preprovisioned. This means the wireless laptop will be ready to connect as soon as it gets to the hotspot. Preprovisioning can be done over the Internet. The customer connects to the WISP's Web site, creates a user account and gets the XML configuration file which is used to configure the network settings for accessing the hotspot. An OEM could even preprovision computers it sells to connect to a particular WISP's hotspots, so customers don't have to do anything to be able to use that WISP's service.

If the client isn't preprovisioned, it is provisioned on-site at the hotspot. The computer first connects as a guest, since it doesn't yet have user account credentials. As a guest, the client can't access the Internet, but can access the servers needed to enter information for creating an account (including credit card information to make payment for the service). Once this is done, the client is authenticated with the account credentials. Now the client computer can access the Internet. Microsoft calls this process phased network access because the client gets only access to the provisioning servers and DHCP server on your network in the first phase, then gets full access to the Internet in the second phase.


WPS will make it easier to set up a wireless hotspot for commercial purposes or within your enterprise network, and will make it easier for clients to connect because configuration is done for them. WPS support is added to Windows XP (both Home and Professional Editions) by Service Pack 2, and will be added to Server 2003 by Service Pack 1. There are a number of different ways to deploy WPS, depending on whether you want to use it as a WISP, a hotspot provider using an ISP, or in the enterprise, and depending on whether you want to use VLANs or IP filtering to identify and isolate unauthenticated clients. For detailed step by step instructions on implementing each of these scenarios, download the WPS deployment paper from the Microsoft Download Center at

By Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...