Re: IAS certificate needs reloaded on DC every day



James,

I have to admit that I'm really confused, now.
This is the first thing I've seen or read that says the certificate for the
IAS server needs to use the RAS and IAS template for setting up the wireless
client authentication.

In any event, I followed the link.
Reading through the part on Certificate based authentication and wireless
clients, then the chart at the bottom says that the RAS and IAS Server
Certificate is preferred and the preferred method of installing is through
autoenrollment. I also followed the procedures about opening the RAS and IAS
Server Template and setting the Security tab permissions to Read, Enroll and
AutoEnroll for the RAS and IAS Security Group - of which the domain
controllers are members.

Using Group Policy, I opened the Default Domain Controller OU, then edited
Computer Config -> Windows Settings -> Security Settings -> Public Key
Policies -> Automatic Certificate Request Settings. When I try to create a
new request, the only templates available are Computer, Domain Controller,
Enrollment Agent (Computer) and IPSEC. No RAS and IAS Server template and I
also note that only Computer and Domain Controller templates are intended for
Client and Server Authentication.

Closing that, I log on to the domain controller and open Certificates
(local) and expand Personal -> Certificates. Start the Request New
Certificate dialog and the only templates available are Directory Email
Replication, Domain Controller and Domain Controller Authentication. Again,
no RAS and IAS Server template. Also of note is that the Certificates MMC ->
Personal -> Certificates already lists issued/installed certs for Directory
Email Replication and Domain Controller Authentication, neither of which IAS
recognizes as being valid for PEAP configuration.

Also tried the Web based enrollment. The RAS and IAS Server template is not
available through this method, either.

Kind of stuck at this point.
Brain dead, too. I didn't think the RADIUS setup looked too difficult to set
up, but this just isn't working for wireless authentication through a
controller.

"James McIllece [MS]" wrote:

Hi Rick --

The problem is that you need to configure the correct certificate template
(not the Domain Controller template) following the minimum server
certificate requirements.

All of the information you need to select the correct template and to
configure the template are found in the Help topic "Network access
authentication and certificates" in Windows Server 2003 IAS or VPN Help, or
on the web at http://technet.microsoft.com/en-us/library/cc759575.aspx.

That topic has the following sections:
Overview
Certificate requirements for EAP
Computer authentication by IPSec
Certificate-based authentication and wireless clients
Certificate enrollment methods and domain membership
Choosing a certificate enrollment method
CA Web enrollment services

A few sections below "Certificate-based authentication and wireless
clients," you'll find a table that allows you to select the correct
template.

In "Certificate requirements for EAP" you'll find the information to
configure the template.


*********************
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.


Library Sysadmin
<LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:A143A233-594A-457C-9478-B306942C1377@xxxxxxxxxxxxx:


.
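One way to check the certificates already in the server's Personal store against the server certificate requirements discussed in this thread, as an added example that is not part of the original posts: the PowerShell below reports, for each certificate, the issuing template and whether it has a private key, a non-empty Subject, a current validity period and the Server Authentication EKU. Those four checks are assumptions summarizing Microsoft's published EAP server certificate requirements, and the function name `Test-EapServerCertificate` is hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the IAS server. Read-only: it inspects the store and changes nothing.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'            # Server Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.20.2',        # Certificate Template Name (v1 templates)
                 '1.3.6.1.4.1.311.21.7'         # Certificate Template Information (v2 templates)

function Test-EapServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $problems = @()
    if (-not $Certificate.HasPrivateKey)               { $problems += 'no private key' }
    if ([string]::IsNullOrEmpty($Certificate.Subject)) { $problems += 'empty Subject' }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }

    # Collect every OID listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'EKU lacks Server Authentication' }

    # Human-readable text of the template extension, to see which template issued the cert.
    $template = @($Certificate.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) })

    New-Object PSObject -Property @{
        Usable     = ($problems.Count -eq 0)
        Template   = ($template -join '; ')
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
        Problems   = ($problems -join '; ')
        Thumbprint = $Certificate.Thumbprint
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Certificate $_ } |
    Select-Object Usable, Template, Subject, NotAfter, Problems, Thumbprint |
    Format-List
```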


