Re: IAS certificate needs reloaded on DC every day



Hi Rick --

The problem is that you need to configure the correct certificate template
(not the Domain Controller template) following the minimum server
certificate requirements.

All of the information you need to select the correct template and to
configure the template are found in the Help topic "Network access
authentication and certificates" in Windows Server 2003 IAS or VPN Help, or
on the web at http://technet.microsoft.com/en-us/library/cc759575.aspx.

That topic has the following sections:
Overview
Certificate requirements for EAP
Computer authentication by IPSec
Certificate-based authentication and wireless clients
Certificate enrollment methods and domain membership
Choosing a certificate enrollment method
CA Web enrollment services

A few sections below "Certificate-based authentication and wireless
clients," you'll find a table that allows you to select the correct
template.

In "Certificate requirements for EAP" you'll find the information to
configure the template.


*********************
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.


Library Sysadmin
<LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:A143A233-594A-457C-9478-B306942C1377@xxxxxxxxxxxxx:

These are a few of the documents I've been trying to follow to get IAS
working with wireless clients. Most of them contain the steps for
creating/installing the cert on the IAS server.

http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://articles.techrepublic.com.com/5100-10878_11-6148560.html
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#inst2003
Securing Wireless LANs with PEAP and Passwords (pdf) file downloaded and
extracted from MS site.

Basically, I logged on the DC as the domain admin;
Opened MMC and Add Snap-In Certificates -> Local Computer
Expanded Personal -> Certificates (there are 2 certs already there,
but neither is recognized in IAS as one that can be used);
Right click -> All Tasks -> Request New Certificate;
Complete the wizard using the Domain Controller template;
Certificate request completed, certificate issued from CA and
installed in Personal Certificates store - valid until August 2009.
Save and exit.
IAS configuration can use this certificate with PEAP configuration.

Note that Group Policy -> Default Domain Policy was configured for
AutoEnrollment and the CA is listed in the Trusted Root Cert
Authorities. Verified that this is in the Trusted Root Certificates
Authority of the DC while having the Certificates MMC open. Valid
until 2012.

Come back in tomorrow;
Open IAS. Drill back down through the config again, but when editing
PEAP get an error box saying there is no matching certificate.
Close all this.
Open MMC -> Certificates (previously saved)
The Personal -> Certificates store lists only the original 2
certificates. The newly created/issued cert is not there.
Click on import and pull it in again (have exported the .cer file from
the CA into a network folder)
Save and close.
Repeat each step the next day.

Rick

"James McIllece [MS]" wrote:

Library Sysadmin
<LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:66E5A10F-6A35-4A4D-9EFE-3CCFCDBC1CDC@xxxxxxxxxxxxx:

Windows 2003 R2 x64 SP2 servers.
IAS installed on 2 DCs; CA installed on another member server.

I'm setting up IAS to authenticate wireless devices and not having
much success, so far.

Following several pieces of documentation, while logged in as the
domain admin on the DCs, I requested a certificate from the CA,
installing it into the Personal Certificates store. I then used
this cert with IAS in the Remote Access Policy I've configured,
with the PEAP authentication configuration.

As I've been trying to get the whole RADIUS authentication process
to work, I keep rechecking configurations and I have found that
every day I have to reload the certificate on the DCs.

The certificate is valid and doesn't expire until August, 2009. It
displays on the CA as an Issued Certificate. I've already tried
revoking one and creating a second one and using that in the IAS
config, but the same thing is happening.

How do you get the cert installed without having to reload it every
day?

TIA
Rick

Hi Rick --

I'm curious about what docs you used to create your certs and enroll
them to IAS servers/DCs -- can you provide links to the docs or, if
they're Help topics, topic titles?

I also don't think I understand the situation -- are you saying that
after you have issued server certificates to the IAS servers, the
certificates are then deleted the next day from the Personal
certificate store for both the Local Computer and the Current User on
the IAS servers? Or are you saying the certs are there but they won't
work?

You say that you requested a certificate for the IAS servers -- I am
assuming you did this using the certificates snap-in, is that
correct? If so, the certificate isn't going to work for IAS
authentication purposes -- you must configure a certificate template
and then enroll the cert to servers. Did you configure a certificate
template (in the Certificate Templates MMC on the CA) based on the
minimum server certificate requirements detailed in the IAS Help?


*******
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.
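An added check script, not part of this thread or of any Microsoft documentation: run on the IAS server, it audits the Local Computer Personal store against the minimum server certificate requirements James points to (assumed here from that Help topic: a subject name, the Server Authentication EKU, a usable private key in the Local Computer store, a chain to a trusted root, and current validity) and reports which certificate template issued each certificate, so a Domain Controller certificate can be told apart from one enrolled from a server template.

```powershell
# Added example (not from the thread). Audits LocalMachine\My against the
# assumed PEAP server certificate requirements and shows the issuing template.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                               # Server Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'  # v1 template name / v2 template info

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')

foreach ($cert in $store.Certificates) {
    $problems = @()

    # Template extension: distinguishes e.g. "DomainController" from a server template.
    $template = ($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                 ForEach-Object { $_.Format($false) }) -join '; '
    if (-not $template) { $template = '(no template extension - not issued by an enterprise CA)' }

    if (-not $cert.Subject) { $problems += 'empty subject name' }

    # A .cer import carries no key; PEAP needs the private key in this store.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key associated in the Local Computer store' }

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "not valid at $now" }

    $hasServerAuth = $false
    foreach ($ext in ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' })) {
        foreach ($oid in $ext.EnumeratedKeyUsages) {
            if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += 'Enhanced Key Usage lacks Server Authentication' }

    # Chain must build to a root in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ', '
        $problems += "chain does not build: $status"
    }

    Write-Host ("`n{0}`n  thumbprint {1}`n  template   {2}" -f $cert.Subject, $cert.Thumbprint, $template)
    if ($problems.Count -eq 0) { Write-Host '  OK for PEAP server authentication' }
    else { $problems | ForEach-Object { Write-Host "  FAIL: $_" } }
}
$store.Close()
```

Run it once after enrolling and again the next day: if the certificate that IAS accepted is no longer listed, the store itself changed; if it is listed but shows FAIL lines, the template or key, not the store, is the problem.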
