Re: 802.1X/EAP authentication issue with XP client
- From: joeA <joeA@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2006 15:43:01 -0700
Hi James,
After an initial inspection, it seems that neither scenario that you
described exists.
The current machine certificate was installed using the Request New
Certificate wizard via the certificates mmc UI (done with domain/user
local/admin privileges). The original machine certificate was the result of
machine autoenrollment. Either way, the certificate landed directly in the
Personal\Certificates branch of the Local Computer store.
Re file permissions: all met the levels you described as necessary.
I'll read the article on the DPAPI. Based on the error log it does look like
the answer is related to that: the authentication mechanism trying to get
the cert/token et al.
Thanks very much!
Joe
"James McIllece [MS]" wrote:
[snip]
Hi Joe --
We have agreement that the problem is one of two things -- either the cert
was manually moved in the cert store, which caused the private key to
become disassociated from the cert, or the permissions on the private key
are incorrect, which means that the system itself cannot access the private
key.
If the issue is the first one, you can simply reissue the cert and specify
the machine store (called Local Computer certificate store in the UI) for
storage. In the future if you need to move a cert, make sure you export and
then import the cert rather than using drag and drop in the UI. Drag and
drop breaks the cert.
If the issue is that the permissions are incorrect there are two approaches
to take:
1. Go to the properties of "%systemroot%\Documents and Settings\All Users"
and set the permission for System and Administrators to Full Control. Make
sure this replicates down to all subfolders.
2. (A more specific approach) Locate the "%Userprofile%\Application
Data\Microsoft\Crypto\RSA\<User SID>" for the user logged on. Set the
permissions for the System and Administrators to Full Control. Then locate
the "%Userprofile%\Application
Data\Microsoft\SystemCertificates\My\Certificates" for the user logged on.
Set the permissions for the System and Administrators to Full Control.
See KB 309408 for more information.
HTH, let me know how it goes, if you will.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
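The two causes James lists (private key no longer linked to the certificate, or a key container file that SYSTEM cannot read) can be checked from the client without guessing. The script below is an added example and is not code from either poster or from Microsoft. Because the certificate is in the Local Computer store, its key file belongs to the machine key set under ...\Microsoft\Crypto\RSA\MachineKeys (under "%ALLUSERSPROFILE%\Application Data" on XP/2003, under %ProgramData% on Vista and later), so that is where the script looks. It assumes Windows PowerShell 2.0 or later (XP SP3 with PowerShell 2.0, or any later Windows), an elevated session, and a CAPI/CSP key, which is what machine autoenrollment and the Request New Certificate wizard produce; the $SubjectMatch parameter and the output wording are the script's own. It only reports and changes no ACLs.

```powershell
# Added example, not part of the thread: report why an EAP-TLS machine
# certificate might fail in the two ways the thread describes. For each
# certificate in the Local Computer Personal store whose Subject matches a
# string, it checks (1) whether a private key is still linked to it and
# (2) whether the key container file under MachineKeys lets SYSTEM read it.
#
# Assumptions: Windows PowerShell 2.0 or later (XP SP3 with PS 2.0, or any
# later Windows), run elevated; the key is a CAPI/CSP key. Reports only.

param(
    # Substring of the certificate Subject to select; defaults to this host's name.
    [string]$SubjectMatch = $env:COMPUTERNAME
)

# Candidate locations of the CAPI machine key set. On XP/2003 the key files are
# under "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys";
# on Vista and later under "%ProgramData%\Microsoft\Crypto\RSA\MachineKeys".
$machineKeyDirs = @()
if ($env:ALLUSERSPROFILE) {
    $machineKeyDirs += Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
}
if ($env:ProgramData) {
    $machineKeyDirs += Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
}
$machineKeyDirs = @($machineKeyDirs | Where-Object { Test-Path $_ })

$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectMatch*" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate in Cert:\LocalMachine\My matches '$SubjectMatch'."
    return
}

foreach ($cert in $certs) {
    "==== $($cert.Subject)"
    "Thumbprint: $($cert.Thumbprint)   valid $($cert.NotBefore) to $($cert.NotAfter)"

    # EAP-TLS needs the Client Authentication EKU (1.3.6.1.5.5.7.3.2) on the client cert.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { "EKU: " + $eku.Format($false) } else { Write-Warning "  No Enhanced Key Usage extension." }

    # Scenario 1 from the thread: certificate present, private key no longer linked
    # (what a drag-and-drop move between stores leaves behind).
    if (-not $cert.HasPrivateKey) {
        Write-Warning "  No private key is linked to this certificate. Re-enrol, or export with the key (PFX) and import into Local Computer."
        continue
    }

    # Scenario 2: key linked, but the key container file's ACL keeps SYSTEM out.
    # Opening the key as a user who lacks access throws, so treat that as a finding too.
    $info = $null
    try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { }
    if (-not $info) {
        Write-Warning "  Could not open the private key as $env:USERNAME (not a CAPI key, or access denied)."
        continue
    }
    "Provider: $($info.ProviderName)   container: $($info.KeyContainerName)   machine key set: $($info.MachineKeyStore)"
    if (-not $info.MachineKeyStore) {
        Write-Warning "  Key is in a user key set; the supplicant runs as SYSTEM and will not find it there."
    }

    $keyFile = $machineKeyDirs |
        ForEach-Object { Join-Path $_ $info.UniqueKeyContainerName } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $keyFile) {
        Write-Warning "  Key container file '$($info.UniqueKeyContainerName)' not found under any MachineKeys folder."
        continue
    }

    "Key file: $keyFile"
    $acl = Get-Acl -Path $keyFile
    $acl.Access | ForEach-Object {
        "  {0,-35} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    }

    # SYSTEM needs at least read access to the key blob for the EAP supplicant to use it.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $systemCanRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $readData) -ne 0)
    }
    if ($systemCanRead) {
        "  OK: SYSTEM can read the key file."
    } else {
        Write-Warning "  SYSTEM has no Allow read ACE on the key file; this is the permissions case from the thread."
        # Fix by hand after confirming, e.g. on XP:  cacls "$keyFile" /E /G SYSTEM:F
    }
}
```

Run it as an administrator with the subject fragment of the machine certificate (for example .\Check-EapMachineCert.ps1 -SubjectMatch hostname). The ACL check is deliberately simple: it looks for an explicit Allow entry for NT AUTHORITY\SYSTEM by its English name and ignores Deny entries and inheritance, so on a localized Windows or a file with Deny ACEs read the printed ACL yourself before acting on the verdict.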