Re: IKE failed to find valid machine certificate (Error 786)
From: Sharoon Shetty K (sharoons_at_online.microsoft.com)
Date: 05/05/04
- Next message: Richard Prossor: "Re: browsing over VPN"
- Previous message: Sharoon Shetty K: "Re: IKE failed to find valid machine certificate (Error 786)"
- In reply to: Sharoon Shetty K: "Re: IKE failed to find valid machine certificate (Error 786)"
- Next in thread: Tony Ashlee: "Re: IKE failed to find valid machine certificate (Error 786)"
Date: Wed, 5 May 2004 13:06:59 +0530
pfx stands for Personal Information Exchange and cer stands for Certificate.
Thanks,
Sharoon
---------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sharoon Shetty K" <sharoons@online.microsoft.com> wrote in message
news:eKgfeLnMEHA.684@TK2MSFTNGP09.phx.gbl...
> Hi Tony,
>
> Have you installed the certificates in the Local computer account?
> If you go to the Personal store of the certificates in the Local Computer,
> can you see the certificates? If you open the certificate, it should have
> details like
> Purpose: Proves your identity to a remote computer
> You have a private key that corresponds to this certificate.
>
> The above details indicate that a certificate.pfx has been installed in the
> personal store.
>
> Now in the Trusted Root Store the certificate would not have the above
> information.
>
> When you install the certificate from your CA,
> Request a certificate - installs certificate.pfx in your personal store
> Download a CA certificate - installs the certificate.cer in your trusted
> root store.
>
> Thanks,
> Sharoon
> ---------------------------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Tony Ashlee" <oxalis55@pacbell.net> wrote in message
> news:87EF0ADE-E6EA-4187-AAE7-C743494840C8@microsoft.com...
> > I have an Enterprise CA installed on the same server as our RAS server.
> > My computers all have a certificate issued by the CA. Yet, I get an error
> > when attempting to use L2TP that indicates that the computer does not have
> > a certificate.
> > I read what Sharoon Shetty said about "The certificate.pfx must be
> > installed in personal store and certificate.cer in trusted root CA. If we
> > put certificate.cer in both places, it fails with the error 786." but I
> > cannot find any pfx files anywhere. Am I missing something obvious?
> >
> >
> > My Oakley log looks as follows: (I tweaked the IP addresses for security)
> > 5-03: 12:35:14:622:3d4 constructing ISAKMP Header
> > 5-03: 12:35:14:622:3d4 constructing KE
> > 5-03: 12:35:14:622:3d4 constructing NONCE (ISAKMP)
> > 5-03: 12:35:14:622:3d4 Constructing Cert Request
> > 5-03: 12:35:14:622:3d4 DC=edu, DC=ucsd, DC=sfsnt, CN=UCSD FAO
> > 5-03: 12:35:14:622:3d4
> > 5-03: 12:35:14:622:3d4 Sending: SA = 0x03E9A200 to 132.239.230.240:Type 2.500
> > 5-03: 12:35:14:622:3d4 ISAKMP Header: (V1.0), len = 276
> > 5-03: 12:35:14:622:3d4 I-COOKIE 133a4fea3a07bd99
> > 5-03: 12:35:14:622:3d4 R-COOKIE 9599564dc5340ed4
> > 5-03: 12:35:14:622:3d4 exchange: Oakley Main Mode
> > 5-03: 12:35:14:622:3d4 flags: 0
> > 5-03: 12:35:14:622:3d4 next payload: KE
> > 5-03: 12:35:14:622:3d4 message ID: 00000000
> > 5-03: 12:35:14:622:3d4 Ports S:f401 D:f401
> > 5-03: 12:35:15:528:5a8 retransmit: sa = 03E9A200 centry 00000000 , count = 1
> > 5-03: 12:35:15:528:5a8
> > 5-03: 12:35:15:528:5a8 Sending: SA = 0x03E9A200 to 132.239.230.240:Type 2.500
> > 5-03: 12:35:15:528:5a8 ISAKMP Header: (V1.0), len = 276
> > 5-03: 12:35:15:528:5a8 I-COOKIE 133a4fea3a07bd99
> > 5-03: 12:35:15:528:5a8 R-COOKIE 9599564dc5340ed4
> > 5-03: 12:35:15:528:5a8 exchange: Oakley Main Mode
> > 5-03: 12:35:15:528:5a8 flags: 0
> > 5-03: 12:35:15:528:5a8 next payload: KE
> > 5-03: 12:35:15:528:5a8 message ID: 00000000
> > 5-03: 12:35:15:528:5a8 Ports S:f401 D:f401
> > 5-03: 12:35:17:528:5a8 retransmit: sa = 03E9A200 centry 00000000 , count = 2
> > 5-03: 12:35:17:528:5a8
> > 5-03: 12:35:17:528:5a8 Sending: SA = 0x03E9A200 to 233.223.233.240:Type 2.500
> > 5-03: 12:35:17:528:5a8 ISAKMP Header: (V1.0), len = 276
> > 5-03: 12:35:17:528:5a8 I-COOKIE 133a4fea3a07bd99
> > 5-03: 12:35:17:528:5a8 R-COOKIE 9599564dc5340ed4
> > 5-03: 12:35:17:528:5a8 exchange: Oakley Main Mode
> > 5-03: 12:35:17:528:5a8 flags: 0
> > 5-03: 12:35:17:528:5a8 next payload: KE
> > 5-03: 12:35:17:528:5a8 message ID: 00000000
> > 5-03: 12:35:17:528:5a8 Ports S:f401 D:f401
> > 5-03: 12:35:21:294:3d4
> > 5-03: 12:35:21:294:3d4 Receive: (get) SA = 0x03e9a200 from 233.223.233.240.500
> > 5-03: 12:35:21:294:3d4 ISAKMP Header: (V1.0), len = 108
> > 5-03: 12:35:21:294:3d4 I-COOKIE 133a4fea3a07bd99
> > 5-03: 12:35:21:294:3d4 R-COOKIE 9599564dc5340ed4
> > 5-03: 12:35:21:294:3d4 exchange: ISAKMP Informational Exchange
> > 5-03: 12:35:21:294:3d4 flags: 1 ( encrypted )
> > 5-03: 12:35:21:294:3d4 next payload: HASH
> > 5-03: 12:35:21:294:3d4 message ID: 9bc5a034
> > 5-03: 12:35:21:294:3d4 processing HASH (Notify/Delete)
> > 5-03: 12:35:21:294:3d4 processing payload NONCE
> > 5-03: 12:35:21:294:3d4 processing payload DELETE
> > 5-03: 12:35:21:294:3d4 SA Dead. sa:03E9A200 status:35ef
> > 5-03: 12:35:21:294:3d4 isadb_set_status sa:03E9A200 centry:00000000 status 35ef
> > 5-03: 12:35:21:294:3d4 Key Exchange Mode (Main Mode)
> > 5-03: 12:35:21:294:3d4 Source IP Address 233.223.233.23 Source IP Address Mask 255.255.255.255 Destination IP Address 233.223.233.240 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 233.223.233.23 IKE Peer Addr 233.223.233.240 IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
> > 5-03: 12:35:21:294:3d4 Certificate based Identity. Peer IP Address: 233.223.233.240
> > 5-03: 12:35:21:294:3d4 Me
> > 5-03: 12:35:21:294:3d4 IKE SA deleted by peer before establishment completed
> > 5-03: 12:35:21:294:3d4 Processed second (KE) payload Responder. Delta Time 7 0x0 0x0
> > 5-03: 12:35:21:294:3d4 Received reliable Notify. Messid 9bc5a034
> > 5-03: 12:35:21:294:3d4 constructing ISAKMP Header
> > 5-03: 12:35:21:294:3d4 constructing HASH (null)
> > 5-03: 12:35:21:294:3d4 constructing NONCE (ND)
> > 5-03: 12:35:21:294:3d4 constructing HASH (Notify/Delete)
> > 5-03: 12:35:21:294:3d4
> > 5-03: 12:35:21:294:3d4 Sending: SA = 0x03E9A200 to 233.223.233.240:Type 1.500
> > 5-03: 12:35:21:294:3d4 ISAKMP Header: (V1.0), len = 108
> > 5-03: 12:35:21:294:3d4 I-COOKIE 133a4fea3a07bd99
> > 5-03: 12:35:21:294:3d4 R-COOKIE 9599564dc5340ed4
> > 5-03: 12:35:21:294:3d4 exchange: ISAKMP Informational Exchange
> > 5-03: 12:35:21:294:3d4 flags: 1 ( encrypted )
> > 5-03: 12:35:21:294:3d4 next payload: HASH
> > 5-03: 12:35:21:294:3d4 message ID: 9bc5a034
> > 5-03: 12:35:21:294:3d4 Ports S:f401 D:f401
> > 5-03: 12:36:01:558:c70 ClearFragList
> >
>
>
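
The store check described in the message above, as an added PowerShell example that is not part of the original posts: it lists each certificate in the Local Computer Personal store, flags any that has no private key (the "certificate.cer in both places" case), and reports whether its chain ends in a certificate present in the Local Computer Trusted Root store. It assumes PowerShell 3.0 or later with the `Cert:` provider, an elevated session, and skips revocation checking.

```powershell
# Added example (not from the thread). Run elevated so the machine stores are readable.
$now     = Get-Date
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Machine context: use the Local Computer stores rather than the current user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: revocation is out of scope here
    $chainOk = $chain.Build($cert)
    # Last element is the highest certificate the chain engine could reach.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # The "purposes" shown in the certificate dialog come from the EKU extension.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.FriendlyName }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        Purposes      = $eku -join ', '
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain    = $top.Subject
        RootTrusted   = Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
    }
}

if (-not $report) {
    Write-Warning 'Local Computer Personal store is empty: no machine certificate for IKE to use.'
}
$report | Format-List

# Failure case quoted in the thread: a certificate in Personal with no private key
# (a .cer import rather than a .pfx import or an enrolled certificate).
$report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "No private key for '$($_.Subject)' in the Personal store."
}

# The issuing CA's certificate should be in Trusted Root on the Local Computer.
$report | Where-Object { -not $_.RootTrusted } | ForEach-Object {
    Write-Warning "Chain for '$($_.Subject)' stops at '$($_.TopOfChain)', which is not in Trusted Root."
}
```

A certificate that was enrolled directly from the CA never exists as a .pfx file on disk; `HasPrivateKey = True` is the property that matters.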