Re: IAS System Rights / IAS + Win2003 SP1



I think I've caused my own problem based on presumptions on how I thought
Windows should work. Here was my process:

1. start IISADMIN, Web Publishing and HTTPS
2. generate cert request
3. disabled items from step 1
4. get cert from Verisign
5. import by double clicking certificate


These steps don't seem to attach the private key, as evidenced by the test:

certutil -repairstore My <THUMBPRINT>

which returns:

If the certutil command does not complete successfully, the following error
message is displayed: "Certutil: -repairstore command FAILED: 0x80090011
(-2146893807) Certutil: Object was not found." This message indicates that
the private key for the certificate does not exist in the certificate store.
You cannot install the certificate you obtained from the CA. Instead, you
must generate a new certificate request, obtain the new certificate, and
install that new certificate on your Web server.


So I'll be off to generate a new cert request, and to get a new certificate.
This time, I'll import through IIS manager instead of disabling it so soon
and using the cert MMC. I figured that would work!


Not until we get deep into Windows do we realise its quirks.


jerry.





"Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
news:evGYe%232QFHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
> Hmmm, you're right. I owe you a beer. There's no private key.
>
> What have I done wrong importing this certificate ?
>
>
> "Thomas K" <thomas@xxxxxxxxx> wrote in message
> news:426290d0$0$44102$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>> start / run / mmc / add/remove snapin / certificates / computer account
>> if you only see user account, log back on with local administrator's
>> privileges
>> double click certificates (local computer), go to personal, certificates
>> you should see your cert there
>> double click it
>> does it read you have a private key corresponding with the cert? if not
>> that's your problem
>> if yes, right click the cert & export it to a .cer file that you can post
>> to anyone
>>
>> /T
>>
>>
>>
>> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
>> news:O0rvvb2QFHA.1528@xxxxxxxxxxxxxxxxxxxxxxx
>>> How can I get you that?
>>>
>>> One thing that troubles me... I generated the Cert request with IIS
>>> manager, and lodged through verisign, and gave a challenge phrase at the
>>> verisign website. When the cert arrived, I imported direct into
>>> computer's store. Usually I'd get asked for the challenge phrase, but
>>> not with this certificate. Or am I just forgetting the process?
>>>
>>>
>>> regards,
>>> jerry.
>>>
>>>
>>> "Thomas K" <thomas@xxxxxxxxx> wrote in message
>>> news:42627eec$0$44108$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Please post your certificate (without the private key)
>>>>
>>>> /T
>>>>
>>>> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
>>>> news:%23EZkAD1QFHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Yep, checked that - it's all okay. I'm thinking the problem is buried
>>>>> more deeply within Windows.
>>>>>
>>>>> IAS Event logs with the failures include (see bottom).
>>>>>
>>>>> Access request for user wtest was discarded.
>>>>>
>>>>> NAS-Port-Type = Wireless - IEEE 802.11
>>>>>
>>>>> NAS-Port = 754
>>>>>
>>>>> Proxy-Policy-Name = Use Windows authentication for all users
>>>>>
>>>>> Authentication-Provider = Windows
>>>>>
>>>>> Authentication-Server = <undetermined>
>>>>>
>>>>> Reason-Code = 300
>>>>>
>>>>> Reason = No credentials are available in the security package
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> "Thomas K" <thomas@xxxxxxxxx> wrote in message
>>>>> news:426200a5$0$44102$5fc3050@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Check that the certificate you have received from verisign meets the
>>>>>> IAS requirements:
>>>>>> 1/ Launch ias.msc
>>>>>> 2/ Double click your remote access policy
>>>>>> 3/ Click "Edit profile" button
>>>>>> 4/ Go to "Authentication" Tab
>>>>>> 5/ Click "EAP Methods" button
>>>>>> 6/ Add "Protected EAP", OK
>>>>>> 7/ Edit
>>>>>>
>>>>>> Do you see your certificate listed there
>>>>>> - yes: reqs are met
>>>>>> - not: guess what :-)
>>>>>>
>>>>>> /T
>>>>>>
>>>>>> "Jerry Cantrell" <jerry@xxxxxxxxx> wrote in message
>>>>>> news:OtSXFYvQFHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> What system rights and user rights are required for IAS? I'm
>>>>>>> trying to get to the bottom of the problem I'm having, and wondering
>>>>>>> if it's a problem with 2003 SP1.
>>>>>>>
>>>>>>>> [2504] 14:38:05:175: No Cert Name. Guest access requested
>>>>>>>> [2504] 14:38:05:175: AcquireCredentialsHandle failed and returned
>>>>>>>> 0x8009030e
>>>>>>>
>>>>>>> Although the "No Cert Name" leads me to believe it's a problem with
>>>>>>> the certificate. The cert is registered correctly in the computer's
>>>>>>> cert store and the PEAP config screen shows it okay.
>>>>>>>
>>>>>>> This IAS is running on 2003 SP1 slipstreamed install, with the
>>>>>>> firewall disabled, so it's not possible to remove SP1 to see if that's
>>>>>>> causing this.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> jerry.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
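
The private-key check discussed in this thread (the "you have a private key" line in the certificate MMC and the certutil -repairstore test), as an added read-only PowerShell example that is not part of the original posts. The function name Test-ServerCertificate and the extra validity, subject and EKU checks are assumptions of this example; it uses only the built-in Cert: provider and X509Certificate2 properties.

```powershell
# Added example: report which certificates in the computer's Personal store
# (LocalMachine\My) have a private key attached. Read-only; run elevated.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID for the Server Authentication EKU

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $serverAuth = $false
        if ($ekuExt) {
            $serverAuth = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $ServerAuthOid })
        }

        $now = Get-Date
        $problems = @()
        # HasPrivateKey is false when only the public certificate was imported,
        # which is the situation the certutil -repairstore failure points to.
        if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in store' }
        if (-not $serverAuth) { $problems += 'Server Authentication EKU not listed' }
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }
        if ([string]::IsNullOrEmpty($Certificate.Subject)) { $problems += 'empty subject' }

        New-Object PSObject -Property @{
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            HasPrivateKey = $Certificate.HasPrivateKey
            Usable        = ($problems.Count -eq 0)
            Problems      = ($problems -join '; ')
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Test-ServerCertificate |
    Format-Table Thumbprint, HasPrivateKey, Usable, Problems, Subject -AutoSize -Wrap
```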

