I stand corrected re. connecting when domain membership is canceled, an
But a legit certificate doesn't mean that it is presented by a computer that
is a member of the domain and conforms to the SOE (which is usually the
goal, and which is facilitated through NAP).

Case in point: I steal an _image_ of a corporate desktop. The certificate is
there, and it's available to me - unless syskey protection is enabled, or
full disk encryption is used - both are used less widely than corporate
wireless networks. And I can modify the system beyond all recognition - it
will still present a certificate corresponding to a valid domain member.

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-