Re: IAS System Rights / IAS + Win2003 SP1
- From: "jerry cantrell" <undisclosed@xxxxxxxxx>
- Date: Mon, 18 Apr 2005 16:19:00 +0800
Have revoked/reissued certs, and imported into IIS ADMIN. Private key is
matched this time. Haven't tested IAS yet, should be okay though. Will
advise if otherwise.
"Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
news:%23lqFMW3QFHA.3628@xxxxxxxxxxxxxxxxxxxxxxx
> I think I've caused my own problem based on presumptions on how I thought
> Windows should work. Here was my process:
>
> 1. start IISADMIN, Web Publishing and HTTPS
> 2. generate cert request
> 3. disabled items from step 1
> 4. get cert from Verisign
> 5. import by double clicking certificate
>
>
> These steps don't seem to attach the private key, as evidenced by the test:
>
> certutil -repairstore My <THUMBPRINT>
>
> which returns:
>
> If the certutil command does not complete successfully, the following error
> message is displayed: "Certutil: -repairstore command FAILED: 0x80090011
> (-2146893807) Certutil: Object was not found." This message indicates that
> the private key for the certificate does not exist in the certificate store.
> You cannot install the certificate you obtained from the CA. Instead, you
> must generate a new certificate request, obtain the new certificate, and
> install that new certificate on your Web server.
>
>
> So I'll be off to generate a new cert request, and to get a new certificate.
> This time, I'll import through IIS manager instead of disabling it so soon
> and using the cert MMC. I figured that would work!
>
>
> Not until we get deep into Windows, do we realise its quirks.
>
>
> jerry.
>
>
>
>
>
> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
> news:evGYe%232QFHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
> > Hmmm, you're right. I owe you a beer. There's no private key.
> >
> > What have I done wrong importing this certificate?
> >
> >
> > "Thomas K" <thomas@xxxxxxxxx> wrote in message
> > news:426290d0$0$44102$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> >> start / run / mmc / add/remove snapin / certificates / computer account
> >> if you only see user account, log back on with local administrator's
> >> privileges
> >> double click certificates (local computer), go to personal, certificates
> >> you should see your cert there
> >> double click it
> >> does it read you have a private key corresponding with the cert? if not
> >> that's your problem
> >> if yes, right click the cert & export it to a .cer file that you can post
> >> to anyone
> >>
> >> /T
> >>
> >>
> >>
> >> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
> >> news:O0rvvb2QFHA.1528@xxxxxxxxxxxxxxxxxxxxxxx
> >>> How can I get you that?
> >>>
> >>> One thing that troubles me... I generated the Cert request with IIS
> >>> manager, and lodged through Verisign, and gave a challenge phrase at the
> >>> Verisign website. When the cert arrived, I imported direct into
> >>> computer's store. Usually I'd get asked for the challenge phrase, but
> >>> not with this certificate. Or am I just forgetting the process?
> >>>
> >>>
> >>> regards,
> >>> jerry.
> >>>
> >>>
> >>> "Thomas K" <thomas@xxxxxxxxx> wrote in message
> >>> news:42627eec$0$44108$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> Please post your certificate (without the private key)
> >>>>
> >>>> /T
> >>>>
> >>>> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
> >>>> news:%23EZkAD1QFHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>> Yep, checked that - it's all okay. I'm thinking the problem is buried
> >>>>> more deeply within Windows.
> >>>>>
> >>>>> IAS Event logs with the failures include (see bottom).
> >>>>>
> >>>>> Access request for user wtest was discarded.
> >>>>>
> >>>>> NAS-Port-Type = Wireless - IEEE 802.11
> >>>>>
> >>>>> NAS-Port = 754
> >>>>>
> >>>>> Proxy-Policy-Name = Use Windows authentication for all users
> >>>>>
> >>>>> Authentication-Provider = Windows
> >>>>>
> >>>>> Authentication-Server = <undetermined>
> >>>>>
> >>>>> Reason-Code = 300
> >>>>>
> >>>>> Reason = No credentials are available in the security package
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> "Thomas K" <thomas@xxxxxxxxx> wrote in message
> >>>>> news:426200a5$0$44102$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>>>> Check that the certificate you have received from Verisign meets the
> >>>>>> IAS requirements:
> >>>>>> 1/ Launch ias.msc
> >>>>>> 2/ Double click your remote access policy
> >>>>>> 3/ Click "Edit profile" button
> >>>>>> 4/ Go to "Authentication" Tab
> >>>>>> 5/ Click "EAP Methods" button
> >>>>>> 6/ Add "Protected EAP", OK
> >>>>>> 7/ Edit
> >>>>>>
> >>>>>> Do you see your certificate listed there
> >>>>>> - yes: reqs are met
> >>>>>> - not: guess what :-)
> >>>>>>
> >>>>>> /T
> >>>>>>
> >>>>>> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
> >>>>>> news:OtSXFYvQFHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>>>> What system rights and user rights are required for IAS? I'm
> >>>>>>> trying to get to the bottom of the problem I'm having, and wondering
> >>>>>>> if it's a problem with 2003 SP1.
> >>>>>>>
> >>>>>>>> [2504] 14:38:05:175: No Cert Name. Guest access requested
> >>>>>>>> [2504] 14:38:05:175: AcquireCredentialsHandle failed and returned
> >>>>>>>> 0x8009030e
> >>>>>>>
> >>>>>>> Although the "No Cert Name" leads me to believe it's a problem with
> >>>>>>> the certificate. The cert is registered correctly in the computer's
> >>>>>>> cert store and the PEAP config screen shows it okay.
> >>>>>>>
> >>>>>>> This IAS is running on 2003 SP1 slipstreamed install, with the
> >>>>>>> firewall disabled, so it's not possible to remove SP1 to see if that's
> >>>>>>> causing this.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> jerry.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
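
Added example, not part of the thread: the failure traced above was a certificate present in the computer's Personal store with no private key attached, so this PowerShell sketch lists every certificate in that store and flags the ones missing a key, missing the Server Authentication EKU, or outside their validity period. It assumes Windows PowerShell 3.0 or later in an elevated session; the function name Test-ServerCertificate is hypothetical.

```powershell
# Added example (not from the thread): audit the local computer's Personal
# store for certificates that cannot act as a TLS server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)

function Test-ServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $now = Get-Date
        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            # True only when the store entry is linked to a private key.
            HasPrivateKey = $Certificate.HasPrivateKey
            ServerAuthEku = $ekuOids -contains $serverAuthOid
            InValidity    = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        }
    }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My | Test-ServerCertificate
$report | Format-Table -AutoSize

# Call out entries that were imported without their key, as in this thread.
$report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "No private key attached: $($_.Thumbprint) $($_.Subject)"
}
```

HasPrivateKey only reports that the store entry references a key; the certutil -repairstore command quoted in the thread remains the test of whether that key can actually be found.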