Re: 802.1X/EAP authentication issue with XP client
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Sep 2006 13:14:03 -0700
joeA <joeA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:0EA13928-04CE-492C-BC63-1256B389ECC3@xxxxxxxxxxxxx:
> Hi James,
> After an initial inspection, it seems that neither scenario that you
> described exists.
> The current machine certificate was installed using the Request New
> Certificate wizard via the certificates mmc UI (done with domain/user
> local/admin privileges). The original machine certificate was the
> result of machine autoenrollment. Either way.. the certificate landed
> directly in the Personal\Certificates branch of the Local Computer
> store.
> Re file permissions... all met the levels you described as necessary.
> I'll read the article on the DPAPI.. based on the errorlog it does
> look like the answer is related to that.. the authentication mechanism
> trying to get the cert/token et al.
> Thanks very much!
> Joe
> "James McIllece [MS]" wrote:
> <snip>
>> Hi Joe --
>> We have agreement that the problem is one of two things -- either the
>> cert was manually moved in the cert store, which caused the private
>> key to become disassociated from the cert, or the permissions on the
>> private key are incorrect, which means that the system itself cannot
>> access the private key.
>> If the issue is the first one, you can simply reissue the cert and
>> specify the machine store (called Local Computer certificate store in
>> the UI) for storage. In the future if you need to move a cert, make
>> sure you export and then import the cert rather than using drag and
>> drop in the UI. Drag and drop breaks the cert.
>> If the issue is that the permissions are incorrect there are two
>> approaches to take:
>> 1. Go to the properties of "%systemroot%\Documents and Settings\All
>> Users" and set the permission for System and Administrators to Full
>> Control. Make sure this replicates down to all subfolders.
>> 2. (A more specific approach) Locate the "%Userprofile%\Application
>> Data\Microsoft\Crypto\RSA\<User SID>" for the user logged on. Set
>> the permissions for the System and Administrators to Full Control.
>> Then locate the "%Userprofile%\Application
>> Data\Microsoft\SystemCertificates\My\Certificates" for the user
>> logged on. Set the permissions for the System and Administrators to
>> Full Control.
>> See KB 309408 for more information.
>> HTH, let me know how it goes, if you will.
>> --
>> James McIllece, Microsoft
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
Thanks for this info, Joe -- I will run it by the team and see if they have
any additional suggestions for you.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
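
One way to tell apart the two causes discussed in this thread (a certificate with no private key linked to it versus a key the system cannot open), as an added example that is not part of the original posts. Assumptions not taken from the thread: Windows PowerShell 2.0 or later is available, the machine key is a CSP key stored as a file in the MachineKeys folder, and the helper name Test-MachineCertKey is hypothetical.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 2.0+.
# Assumption: CSP machine keys are stored as files in the MachineKeys folder.
$keyDirs = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA\MachineKeys",  # XP / Server 2003
    "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys"                    # Vista and later
) | Where-Object { Test-Path $_ }

function Test-MachineCertKey {   # hypothetical helper name
    param($Cert, $KeyDirs)
    $r = @{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
            Finding = ''; KeyFile = ''; Acl = '' }
    if (-not $Cert.HasPrivateKey) {
        # First cause in the thread: no private key is linked to the certificate.
        $r.Finding = 'No private key associated: reissue, or export and re-import'
        return New-Object PSObject -Property $r
    }
    try {
        $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        # Second cause: the key cannot be opened (file missing or access denied).
        $r.Finding = "Key cannot be opened: $($_.Exception.Message)"
        return New-Object PSObject -Property $r
    }
    if (-not $container) {
        $r.Finding = 'Key is not exposed as a CSP key; check it with other tooling'
        return New-Object PSObject -Property $r
    }
    $file = if ($KeyDirs) {
        Get-ChildItem $KeyDirs -Force | Where-Object { $_.Name -eq $container } |
            Select-Object -First 1
    }
    if (-not $file) {
        $r.Finding = "Key file $container not found under MachineKeys"
        return New-Object PSObject -Property $r
    }
    $r.KeyFile = $file.FullName
    # List every ACE so a missing SYSTEM or Administrators entry is visible.
    $r.Acl = ((Get-Acl $file.FullName).Access | ForEach-Object {
        "$($_.IdentityReference)=$($_.FileSystemRights)($($_.AccessControlType))"
    }) -join '; '
    $r.Finding = 'Key opened; compare Acl with Full Control for SYSTEM and Administrators'
    return New-Object PSObject -Property $r
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineCertKey -Cert $_ -KeyDirs $keyDirs } |
    Format-List Subject, Thumbprint, Finding, KeyFile, Acl
```

The script opens keys as the account that runs it, so a key readable by an administrator can still be unreadable by SYSTEM; the Acl column is what shows that case.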