Re: IAS, Cert & Wireless Problem (just started)
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 03 May 2007 11:46:36 -0700
=?Utf-8?B?UmFq?= <Raj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:B4C49ABF-AB21-4830-A2E9-23FEE4AD071E@xxxxxxxxxxxxx:
Fantastic - you got it in one!
If I uncheck the Update Root Cert option (as per
http://support.microsoft.com/kb/317541) that fixes it. On our previous
build this wasn't enabled but must have crept into the new build along
with patches & updates.
My only query is -
What are the implications of not getting the updates and what is the
best workaround? Is it simply a matter of ensuring the proxy is
configured in the client to allow the root cert updates or does a port
need to be opened on the firewall to allow these updates (e.g. what's the
mechanism by which this occurs)?
Thanks again,
Raj.
"James McIllece [MS]" wrote:
=?Utf-8?B?UmFq?= <Raj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:CE1DAC48-38E2-4408-9131-50E51FC58CA9@xxxxxxxxxxxxx:
We've been operating a radius system with IAS on W2k3 quite happily
for several months.
Just in the last few days we've had authentication problems which
seem to point towards the Verisign wireless cert (which is valid
for another 12 months).
In the system event log I see these for login attempts -
----
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client
configuration.
----
And in the App event log I see -
----
Failed auto update retrieval of third-party root list sequence
number from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.
----
Both of these are relatively recent - the System events started a
few days ago but the App events have been in the log off and on for
a couple of weeks so I'm unsure if it's related.
People who have been set up pre the problem seem to still be OK but
any new systems don't work (even if the login credentials are OK on
an existing system). So it would seem the cert on the server isn't
behaving properly.
Has anyone else seen this behaviour or come up with a fix or even
have knowledge of why it would suddenly start happening?
Cheers,
Raj.
Hi Raj --
Do all of the client computers (both the computers that have
successfully applied the third-party root CA list sequence number
update from Windows Update and the computers that have not) have the
Verisign CA cert in their Trusted Root CA store?
Also in the app log error it states that the network connection does
not exist; can the computers be plugged into the wire to obtain
updates?
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Hi Raj --
Obviously it is best to have the most recent TRCA certs. The two issues I
can think of if they don't are:
-- An app you decide to deploy in the future might depend on a specific
cert that isn't installed on clients because they haven't been updated.
-- A cert that is already in the TRCA store on clients is revoked, but the
clients don't have the new version and erroneously trust the old one.
Depending on your deployment you might find Windows Server Update Services
(WSUS) useful. It allows you to manage Windows Updates more effectively,
and will allow you to keep all your clients up to date. You can check it
out at http://www.microsoft.com/technet/windowsserver/wsus/default.mspx.
HTH --
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
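
Added example, not part of either poster's message: the original post was unsure whether the Reason-Code 23 rejections in the System log and the root-list retrieval failures in the Application log were related, and one way to check is to line up their timestamps. The export layout, the timestamps, the two-minute window and the function names are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

ROOT_FAIL = "Failed auto update retrieval of third-party root list sequence number"
RC23 = "Reason-Code = 23 Reason = Unexpected error. Possible error in server or client configuration."

# Constructed sample export ("timestamp | log | message"). Message texts follow the
# excerpts quoted in the thread; timestamps, layout and the code-16 line are invented.
SAMPLE = "\n".join([
    f"2007-04-20 09:12:01 | Application | {ROOT_FAIL} (constructed)",
    f"2007-05-01 08:30:10 | Application | {ROOT_FAIL} (constructed)",
    f"2007-05-01 08:30:25 | System | {RC23}",
    "2007-05-01 10:02:44 | System | Reason-Code = 16 Reason = (constructed, unrelated)",
    f"2007-05-02 14:00:00 | System | {RC23}",
])

LINE = re.compile(r"^(\S+ \S+) \| (\w+) \| (.*)$")
REASON = re.compile(r"Reason-Code = (\d+)")

def parse(text):
    """Turn the export into a time-sorted list of (timestamp, log, message)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip blank or malformed lines
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def correlate(events, window=timedelta(minutes=2)):
    """For each Reason-Code 23 rejection, return (time, seconds to the nearest
    root-list retrieval failure or None, True if that gap is within `window`)."""
    failures = [ts for ts, log, msg in events
                if log == "Application" and ROOT_FAIL in msg]
    results = []
    for ts, log, msg in events:
        m = REASON.search(msg)
        if log != "System" or m is None or m.group(1) != "23":
            continue  # only the rejections described in the thread
        gaps = [abs((ts - f).total_seconds()) for f in failures]
        nearest = int(min(gaps)) if gaps else None
        related = nearest is not None and nearest <= window.total_seconds()
        results.append((ts, nearest, related))
    return results

if __name__ == "__main__":
    for ts, gap, related in correlate(parse(SAMPLE)):
        print(ts, "nearest root-list failure:", gap, "s",
              "RELATED" if related else "no nearby failure")
```

Rejections that consistently fall within seconds of a retrieval failure point at the root certificate update setting discussed above; rejections with no nearby failure need a different explanation.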