Re: IKE failed to find valid machine certificate (Error 786)

From: Sharoon Shetty K (sharoons_at_online.microsoft.com)
Date: 05/05/04

    Date: Wed, 5 May 2004 13:00:28 +0530
    
    

    Hi Tony,

    Have you installed the certificates in the Local computer account?
    If you go to the Personal store of the certificates in the Local Computer,
    can you see the certificates? If you open the certificate, it should have
    details like
    Purpose: Proves your identity to a remote computer
    You have a private key that corresponds to this certificate.

    The above details indicate that a certificate.pfx has been installed in the
    personal store.

    Now in the Trusted Root Store the certificate would not have the above
    information.

    When you install the certificate from your CA:
      Request a certificate - installs certificate.pfx in your personal store
      Download a CA certificate - installs the certificate.cer in your trusted root store.

    Thanks,
    Sharoon
    ---------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Tony Ashlee" <oxalis55@pacbell.net> wrote in message
    news:87EF0ADE-E6EA-4187-AAE7-C743494840C8@microsoft.com...
    > I have an Enterprise CA installed on the same server as our RAS server. My computers all have a certificate issued by the CA. Yet, I get an error when attempting to use L2TP that indicates that the computer does not have a certificate.
    > I read what Sharoon Shetty said about "The certificate.pfx must be installed in personal store and certificate.cer in trusted root CA. If we put certificate.cer in both places, it fails with the error 786." but I cannot find any pfx files anywhere. Am I missing something obvious?
    >
    >
    > My Oakley log looks as follows: (I tweaked the IP addresses for security)
    > 5-03: 12:35:14:622:3d4 constructing ISAKMP Header
    > 5-03: 12:35:14:622:3d4 constructing KE
    > 5-03: 12:35:14:622:3d4 constructing NONCE (ISAKMP)
    > 5-03: 12:35:14:622:3d4 Constructing Cert Request
    > 5-03: 12:35:14:622:3d4 DC=edu, DC=ucsd, DC=sfsnt, CN=UCSD FAO
    > 5-03: 12:35:14:622:3d4
    > 5-03: 12:35:14:622:3d4 Sending: SA = 0x03E9A200 to 132.239.230.240:Type 2.500
    > 5-03: 12:35:14:622:3d4 ISAKMP Header: (V1.0), len = 276
    > 5-03: 12:35:14:622:3d4 I-COOKIE 133a4fea3a07bd99
    > 5-03: 12:35:14:622:3d4 R-COOKIE 9599564dc5340ed4
    > 5-03: 12:35:14:622:3d4 exchange: Oakley Main Mode
    > 5-03: 12:35:14:622:3d4 flags: 0
    > 5-03: 12:35:14:622:3d4 next payload: KE
    > 5-03: 12:35:14:622:3d4 message ID: 00000000
    > 5-03: 12:35:14:622:3d4 Ports S:f401 D:f401
    > 5-03: 12:35:15:528:5a8 retransmit: sa = 03E9A200 centry 00000000 , count = 1
    > 5-03: 12:35:15:528:5a8
    > 5-03: 12:35:15:528:5a8 Sending: SA = 0x03E9A200 to 132.239.230.240:Type 2.500
    > 5-03: 12:35:15:528:5a8 ISAKMP Header: (V1.0), len = 276
    > 5-03: 12:35:15:528:5a8 I-COOKIE 133a4fea3a07bd99
    > 5-03: 12:35:15:528:5a8 R-COOKIE 9599564dc5340ed4
    > 5-03: 12:35:15:528:5a8 exchange: Oakley Main Mode
    > 5-03: 12:35:15:528:5a8 flags: 0
    > 5-03: 12:35:15:528:5a8 next payload: KE
    > 5-03: 12:35:15:528:5a8 message ID: 00000000
    > 5-03: 12:35:15:528:5a8 Ports S:f401 D:f401
    > 5-03: 12:35:17:528:5a8 retransmit: sa = 03E9A200 centry 00000000 , count = 2
    > 5-03: 12:35:17:528:5a8
    > 5-03: 12:35:17:528:5a8 Sending: SA = 0x03E9A200 to 233.223.233.240:Type 2.500
    > 5-03: 12:35:17:528:5a8 ISAKMP Header: (V1.0), len = 276
    > 5-03: 12:35:17:528:5a8 I-COOKIE 133a4fea3a07bd99
    > 5-03: 12:35:17:528:5a8 R-COOKIE 9599564dc5340ed4
    > 5-03: 12:35:17:528:5a8 exchange: Oakley Main Mode
    > 5-03: 12:35:17:528:5a8 flags: 0
    > 5-03: 12:35:17:528:5a8 next payload: KE
    > 5-03: 12:35:17:528:5a8 message ID: 00000000
    > 5-03: 12:35:17:528:5a8 Ports S:f401 D:f401
    > 5-03: 12:35:21:294:3d4
    > 5-03: 12:35:21:294:3d4 Receive: (get) SA = 0x03e9a200 from 233.223.233.240.500
    > 5-03: 12:35:21:294:3d4 ISAKMP Header: (V1.0), len = 108
    > 5-03: 12:35:21:294:3d4 I-COOKIE 133a4fea3a07bd99
    > 5-03: 12:35:21:294:3d4 R-COOKIE 9599564dc5340ed4
    > 5-03: 12:35:21:294:3d4 exchange: ISAKMP Informational Exchange
    > 5-03: 12:35:21:294:3d4 flags: 1 ( encrypted )
    > 5-03: 12:35:21:294:3d4 next payload: HASH
    > 5-03: 12:35:21:294:3d4 message ID: 9bc5a034
    > 5-03: 12:35:21:294:3d4 processing HASH (Notify/Delete)
    > 5-03: 12:35:21:294:3d4 processing payload NONCE
    > 5-03: 12:35:21:294:3d4 processing payload DELETE
    > 5-03: 12:35:21:294:3d4 SA Dead. sa:03E9A200 status:35ef
    > 5-03: 12:35:21:294:3d4 isadb_set_status sa:03E9A200 centry:00000000 status 35ef
    > 5-03: 12:35:21:294:3d4 Key Exchange Mode (Main Mode)
    > 5-03: 12:35:21:294:3d4 Source IP Address 233.223.233.23 Source IP Address Mask 255.255.255.255 Destination IP Address 233.223.233.240 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 233.223.233.23 IKE Peer Addr 233.223.233.240 IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
    > 5-03: 12:35:21:294:3d4 Certificate based Identity. Peer IP Address: 233.223.233.240
    > 5-03: 12:35:21:294:3d4 Me
    > 5-03: 12:35:21:294:3d4 IKE SA deleted by peer before establishment completed
    > 5-03: 12:35:21:294:3d4 Processed second (KE) payload Responder. Delta Time 7 0x0 0x0
    > 5-03: 12:35:21:294:3d4 Received reliable Notify. Messid 9bc5a034
    > 5-03: 12:35:21:294:3d4 constructing ISAKMP Header
    > 5-03: 12:35:21:294:3d4 constructing HASH (null)
    > 5-03: 12:35:21:294:3d4 constructing NONCE (ND)
    > 5-03: 12:35:21:294:3d4 constructing HASH (Notify/Delete)
    > 5-03: 12:35:21:294:3d4
    > 5-03: 12:35:21:294:3d4 Sending: SA = 0x03E9A200 to 233.223.233.240:Type 1.500
    > 5-03: 12:35:21:294:3d4 ISAKMP Header: (V1.0), len = 108
    > 5-03: 12:35:21:294:3d4 I-COOKIE 133a4fea3a07bd99
    > 5-03: 12:35:21:294:3d4 R-COOKIE 9599564dc5340ed4
    > 5-03: 12:35:21:294:3d4 exchange: ISAKMP Informational Exchange
    > 5-03: 12:35:21:294:3d4 flags: 1 ( encrypted )
    > 5-03: 12:35:21:294:3d4 next payload: HASH
    > 5-03: 12:35:21:294:3d4 message ID: 9bc5a034
    > 5-03: 12:35:21:294:3d4 Ports S:f401 D:f401
    > 5-03: 12:36:01:558:c70 ClearFragList
    >
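
The store check described in the reply above, as an added PowerShell example that is not part of the original posts. It assumes a Windows version with PowerShell and its `Cert:` provider and an elevated session; the report fields and the warning text are this example's own.

```powershell
# Added example: audit machine-certificate placement for L2TP/IPsec (IKE).
# Checks the two conditions from the reply: the Local Computer Personal store
# holds a certificate WITH a private key, and its CA is in Trusted Root.

$x509 = 'System.Security.Cryptography.X509Certificates'

# Thumbprints of every certificate in the Local Computer Trusted Root store.
$rootThumbprints = Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $_.Thumbprint }

$now = Get-Date
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain in machine context ($true), the context IKE runs in.
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true
    # Revocation is out of scope here; only store placement is being checked.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    # Last chain element is the top-most certificate Windows could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        # False means only a .cer (public part) was imported into Personal.
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainBuilds   = $built
        RootTrusted   = $rootThumbprints -contains $top.Thumbprint
        Thumbprint    = $cert.Thumbprint
    }
}

$report | Format-List

# A certificate is a candidate for IKE only if every condition holds.
$usable = @($report | Where-Object {
    $_.HasPrivateKey -and $_.InValidity -and $_.ChainBuilds -and $_.RootTrusted
})

if ($usable.Count -eq 0) {
    Write-Warning ('No certificate in LocalMachine\My has a private key and ' +
        'chains to LocalMachine\Root; expect error 786 on L2TP connections.')
}
```

Compare the `Issuer` of each reported certificate with the CA name in the "Constructing Cert Request" line of the Oakley log; the two use opposite component order, so compare the individual CN/DC parts rather than the raw strings.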

