Re: NAP IPsec with HRA problem
- From: "Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Apr 2009 23:10:02 -0400
"aconti" <aconti.3qm27e@xxxxxxxxxxxxx> wrote in message news:aconti.3qm27e@xxxxxxxxxxxxxxxx
Hello, I have tried to configure NAP with HRA between 2 PCs joined to a DC. The DC has NAP, HRA and the enterprise CA all installed and configured, hopefully properly. However, I cannot establish communication between the 2 PCs using IPsec. The error I get when I try to browse the other PC is "IPsec authentication using a certificate failed. A valid certificate for authentication was not found on this computer." I know that if they fail the health policy required by the NPS policy SHVs they won't get the certificate, but nothing is being logged in the Event Viewer on the NAP server regarding this problem, so I cannot find where the problem is. Can someone please help or direct me to a website which has easy steps to configure this properly?
Hello Aconti,
Is this a continuation of your other thread?
If the error says the certificate can't be found, have you tried manually installing this specific certificate on the computers just to test it? How about eliminating the cert for a test, and just use a simple password on both the DC and the client machine. Confirm it works, then go back to the certificate issue. This way you can establish at least an IPSec policy is being applied.
As for the DC GPO, I would suggest leaving the default GPOs alone and creating a separate GPO for the IPSec policy.
As for logging, you would need to first configure it in the registry. The following article shows how to.
How do I enable debug logging for IPSec?
http://windowsitpro.com/article/articleid/15321/how-do-i-enable-debug-logging-for-ipsec.html
The following links should help you troubleshoot it. Try the IPSec diag too; it shows you exactly what is occurring during the connection. You can use the sakmp.log and PPP logs to troubleshoot (read the article below). I mentioned and posted them before in your other thread, but I will post them here again for your convenience.
Otherwise, based on the error message, I would suggest possibly creating an autoenrollment GPO so the computers will automatically pick up the cert based on the group (user or computer) that you allow to get the cert.
This tool should show you if the SA portion is being established or not:
Microsoft IPsec Diagnostic Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&displaylang=en
Administrator's Guide to Microsoft L2TP/IPSec VPN Client
http://technet.microsoft.com/en-us/library/bb742553.aspx
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
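The two checks the reply recommends, confirming that a health certificate actually exists on the client and getting IPsec negotiation failures into a log, can be scripted. The following is an added example, not from the thread or from Microsoft; it assumes Windows PowerShell on a domain-joined client. The "System Health Authentication" EKU OID and the Security-log event IDs for failed main/quick mode negotiations are assumed values and should be verified against the HRA's certificate template and your OS version. Note that the registry-based IPsec logging linked above applies to XP/2003; on Vista/2008 and later, negotiation events go to the Security log once the IPsec audit subcategories are enabled, which is what the `auditpol` lines do.

```powershell
# Added example (not part of the original thread). Checks whether a NAP
# health certificate is present in the machine store and lists recent IPsec
# negotiation failures from the Security log. Run from an elevated prompt.

# NAP health certificates carry the "System Health Authentication" EKU.
# Assumed OID: confirm it against the HRA's certificate template.
$HealthEku = '1.3.6.1.4.1.311.47.1.1'

function Get-HealthCertificate {
    # A usable certificate needs a private key, must not be expired, and
    # must carry the health-authentication EKU (matched by OID or name).
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object {
                $_.ObjectId -eq $HealthEku -or
                $_.FriendlyName -eq 'System Health Authentication' })
        }
}

$certs = Get-HealthCertificate
if (-not $certs) {
    Write-Warning 'No valid health certificate with a private key in LocalMachine\My.'
    Write-Warning 'The "valid certificate ... was not found" error is expected until HRA issues one.'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}

# IPsec negotiation auditing is off by default; enable it so failures are
# written to the Security log instead of silently dropping the connection.
auditpol /set /subcategory:"IPsec Main Mode"     /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode"    /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

# Assumed event IDs for failed IPsec main mode (4652/4653) and quick mode (4654).
$FailureIds = 4652, 4653, 4654
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $FailureIds } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the certificate check comes back empty on a client that passes its SHV checks, the problem sits between the client and the HRA (enrollment, HRA URL, or the CA's template permissions) rather than in the IPsec rule itself; if a certificate is present but negotiation still fails, the audited main mode events show which side rejected the authentication and why.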