Re: IAS certificate needs reloaded on DC every day
- From: Library Sysadmin <LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 30 Aug 2008 07:30:01 -0700
James,
I changed the CA and added the RAS and IAS template so it could be issued.
I've changed the IAS configuration for the wireless client Remote Access
Policy with a cert issued using this template.
The machine authenticates, now, but when the user attempts a login a message
is displayed saying that the domain is not available.
Also, the original problem that I described - about the certificate not
being retained in IAS config... I believe that what was wrong is that these
changes are saved in the profile's Local Settings and this is a roaming
profile. With 2003, Local Settings are not being written back to the roaming
profile, so these are gone each time you log in. I am correcting this
situation.
Rick
"James McIllece [MS]" wrote:
Hi Rick --
The problem is that you need to configure the correct certificate template
(not the Domain Controller template) following the minimum server
certificate requirements.
All of the information you need to select the correct template and to
configure the template are found in the Help topic "Network access
authentication and certificates" in Windows Server 2003 IAS or VPN Help, or
on the web at http://technet.microsoft.com/en-us/library/cc759575.aspx.
That topic has the following sections:
Overview
Certificate requirements for EAP
Computer authentication by IPSec
Certificate-based authentication and wireless clients
Certificate enrollment methods and domain membership
Choosing a certificate enrollment method
CA Web enrollment services
A few sections below "Certificate-based authentication and wireless
clients," you'll find a table that allows you to select the correct
template.
In "Certificate requirements for EAP" you'll find the information to
configure the template.
*********************
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
Library Sysadmin <LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:A143A233-594A-457C-9478-B306942C1377@xxxxxxxxxxxxx:
These are a few of the documents I've been trying to follow to get IAS
working with wireless clients. Most of them contain the steps for
creating/installing the cert on the IAS server.
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://articles.techrepublic.com.com/5100-10878_11-6148560.html
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#inst2003
Securing Wireless LANs with PEAP and Passwords (pdf) file downloaded and
extracted from MS site.
Basically, I logged on the DC as the domain admin;
Opened MMC and Add Snap-In Certificates -> Local Computer
Expanded Personal -> Certificates (there are 2 certs already there,
but neither are recognized in IAS as ones that can be used);
Right click -> All Tasks -> Request New Certificate;
Complete the wizard using the Domain Controller template;
Certificate request completed, certificate issued from CA and
installed in Personal Certificates store - valid until August 2009.
Save and exit.
IAS configuration can use this certificate with PEAP configuration.
Note that Group Policy -> Default Domain Policy was configured for
AutoEnrollment and the CA is listed in the Trusted Root Cert
Authorities. Verified that this is in the Trusted Root Certificates
Authority of the DC while having the Certificates MMC open. Valid
until 2012.
Come back in tomorrow;
Open IAS. Drill back down through the config again, but when editing
PEAP get an error box saying there is no matching certificate.
Close all this.
Open MMC -> Certificates (previously saved)
The Personal -> Certificates store lists only the original 2
certificates. The newly created/issued cert is not there.
Click on import and pull it in again (have exported the .cer file from
the CA into a network folder)
Save and close.
Repeat each step the next day.
Rick
"James McIllece [MS]" wrote:
Library Sysadmin <LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:66E5A10F-6A35-4A4D-9EFE-3CCFCDBC1CDC@xxxxxxxxxxxxx:
Windows 2003 R2 x64 SP2 servers.
IAS installed on 2 DCs; CA installed on another member server.
I'm setting up IAS to authenticate wireless devices and not having
much success, so far.
Following several pieces of documentation, while logged in as the
domain admin on the DCs, I requested a certificate from the CA,
installing it into the Personal Certificates store. I then used
this cert with IAS in the Remote Access Policy I've configured,
with the PEAP authentication configuration.
As I've been trying to get the whole RADIUS authentication process
to work, I keep rechecking configurations and I have found that
every day I have to reload the certificate on the DCs.
The certificate is valid and doesn't expire until August, 2009. It
displays on the CA as an Issued Certificate. I've already tried
revoking one and creating a second one and using that in the IAS
config, but the same thing is happening.
How do you get the cert installed without having to reload it every
day?
TIA
Rick
Hi Rick --
I'm curious about what docs you used to create your certs and enroll
them to IAS servers/DCs -- can you provide links to the docs or, if
they're Help topics, topic titles?
I also don't think I understand the situation -- are you saying that
after you have issued server certificates to the IAS servers, the
certificates are then deleted the next day from the Personal
certificate store for both the Local Computer and the Current User on
the IAS servers? Or are you saying the certs are there but they won't
work?
You say that you requested a certificate for the IAS servers -- I am
assuming you did this using the certificates snap-in, is that
correct? If so, the certificate isn't going to work for IAS
authentication purposes -- you must configure a certificate template
and then enroll the cert to servers. Did you configure a certificate
template (in the Certificate Templates MMC on the CA) based on the
minimum server certificate requirements detailed in the IAS Help?
*******
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no
rights.
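Both of James's points (the server certificate has to come from a template that meets the EAP server-certificate requirements, and IAS takes it from the Local Computer Personal store, not the logged-on user's store) and Rick's roaming-profile finding can be checked from the IAS server itself. The PowerShell below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes Windows PowerShell with the Cert: drive, reads the standard X.509 and Microsoft template-extension OIDs, and uses "RAS and IAS Server" only as a placeholder for whatever template name the CA was actually configured with.

```powershell
# Added example for this thread, not code from the posters or Microsoft.
# Lists the Personal store of both the Local Computer and the Current User
# and reports, per certificate, the properties an EAP/PEAP RADIUS server
# certificate needs: a non-empty Subject, the Server Authentication EKU,
# a private key, a current validity period and a chain that builds to a
# trusted root. Assumes Windows PowerShell with the Cert: drive.

$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth
$EkuOid           = '2.5.29.37'              # Enhanced Key Usage extension
$TemplateNameOid  = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name"
$TemplateInfoOid  = '1.3.6.1.4.1.311.21.7'   # v2 "Certificate Template Information"
$ExpectedTemplate = 'RAS and IAS Server'     # placeholder: the template you configured

function Get-CertTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the template extension text (name or OID), or '' when the cert has none.
    $ext = $Cert.Extensions | Where-Object {
        $_.Oid.Value -eq $TemplateNameOid -or $_.Oid.Value -eq $TemplateInfoOid
    }
    if ($ext) { return (@($ext | ForEach-Object { $_.Format($false) }) -join '; ') }
    return ''
}

function Test-EapServerCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$StorePath
    )
    $now = Get-Date

    # Enhanced Key Usage must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)
    }

    # Build the chain with online revocation checking, as the RADIUS server would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk  = $chain.Build($Cert)
    $template = Get-CertTemplateText -Cert $Cert

    New-Object PSObject -Property @{
        Store          = $StorePath
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        Template       = $template
        TemplateMatch  = ($template -like "*$ExpectedTemplate*")
        SubjectPresent = -not [string]::IsNullOrEmpty($Cert.Subject)
        ServerAuthEku  = $hasServerAuth
        HasPrivateKey  = $Cert.HasPrivateKey
        InValidity     = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainBuilds    = $chainOk
        ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# IAS reads its server certificate from the Local Computer Personal store. A
# certificate that appears only under CurrentUser lives in the logged-on user's
# profile, which is exactly what is lost when a roaming profile's Local Settings
# are not written back.
$report = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store | ForEach-Object { Test-EapServerCert -Cert $_ -StorePath $store }
}

$report |
    Select-Object Store, Subject, Template, TemplateMatch, SubjectPresent,
                  ServerAuthEku, HasPrivateKey, InValidity, ChainBuilds, ChainStatus |
    Format-Table -AutoSize

# Usable for PEAP only when every check is True and the cert sits in LocalMachine\My.
$usable = $report | Where-Object {
    $_.Store -eq 'Cert:\LocalMachine\My' -and $_.SubjectPresent -and $_.ServerAuthEku -and
    $_.HasPrivateKey -and $_.InValidity -and $_.ChainBuilds
}
if (-not $usable) {
    Write-Warning 'No certificate in the Local Computer Personal store meets the EAP server certificate requirements.'
}
```

Run it in an elevated session on each IAS server. A row that is present only for the `Cert:\CurrentUser\My` store, or that has `TemplateMatch` False because the certificate was enrolled from the Domain Controller template, matches the two failure modes discussed in this thread; `ChainStatus` is non-empty when the issuing CA is not in the machine's Trusted Root Certification Authorities or a CRL could not be fetched.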