Re: Wireless WPA on SBS not authenticating



Do you have ISA 2004? If so, that's what's causing the auto enrollment failures - you need to turn off strict RPC compliance in the system policies.

Have you tried booting these machines while connected to the wired network? AFAIK you have to get the certificate enrolled once over wired before it will work for wireless. What happens if you boot while connected to wired - do you still get the auto enrollment error?


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:7836297C-39E7-43B8-9C60-176574A64505@xxxxxxxxxxxxxxxx
I have checked a couple of user machines.. they have all failed autoenrollment
but have the cert. Here is the common error that I get:

Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not exist or
could not be contacted.
Enrollment will not be performed.


"Dave Nickason [SBS MVP]" wrote:

When the client PC boots, does it log any auto enrollment errors in its
application log? I know you've verified the correct certificate is
installed, but that Guest thing is weird - not something I've seen before.

Do you run ISA 2004? In its default configuration, that blocks certificate
auto enrollment. I'm pretty sure the fix for that is included in Owen's
white paper.


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ABB41361-90AD-4DBD-B72C-DF6BAB215D1B@xxxxxxxxxxxxxxxx
> Dave,
>
> I turned both boxes on and I checked my System Log and whammo.... nothing.
> Guess that means I'm not getting anything so it must be my client or router.
> I did get this error in the Application log though
>
> From IAS:
> The description for Event ID ( 2 ) in Source ( IAS ) cannot be found. The
> local computer may not have the necessary registry information or message DLL
> files to display messages from a remote computer. You may be able to use the
> /AUXSOURCE= flag to retrieve this description; see Help and Support for
> details. The following information is part of the event: %%2147483686,
> MCCOYSALES\Guest, 10.10.0.115, 001d7ea04513, 001d7ea04513, 001d604008fa,
> LinksysAP, 10.10.0.115, Wireless - IEEE 802.11, 50, Use Windows
> authentication for all users, %%2147483688, %%2147483685, %%2147483685, EAP,
> %%2147483685, 34, %%4130.
>
> The part I noticed was the "MCCOYSALES\Guest 10.10.0.115" which is my domain
> and AP but it's under guest, I don't really know why it would tag that AP with
> guest but ??? either way thanks for the quick reply, still dissecting the
> issue
>
> Noncentz
>
> "Dave Nickason [SBS MVP]" wrote:
>
>> Go into IAS and at the top left, r-click "Internet Authentication Service
>> (Local)" -> Properties. Check the two boxes to enable success and failure
>> logging. After a login attempt fails, check the System log on the SBS to
>> see if IAS logged the connection attempt. If so, you might get some help
>> from the log entry. If not, it's probably a configuration issue on the
>> client PC or the router.
>>
>> Everything needs to match exactly - for example, WPA and WPA2 are not
>> interchangeable, nor are TKIP and AES. I can't remember the details now,
>> but I had a WAP setting relating to security that appeared to match
>> everything else but did not. If you're following Owen's document exactly,
>> just make sure that everything is set to WPA, and to TKIP. If you have a
>> choice, you need WPA Enterprise, not WPA with PSK.
>>
>> Failing that, you could try updating the NIC drivers on the wireless client,
>> and also maybe trying a different wireless client or NIC. I've had some
>> weird authentication issues with Intel wireless NICs, sometimes helped by a
>> driver update, but I did have to replace one. You can try disabling all the
>> security to make sure the client can associate with the WAP, but I've had
>> one instance where it would connect without security but not with, and
>> that's the one where I had to replace the NIC.
>>
>>
>> "Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:4E5A2561-E4C8-4AB5-9D27-CA8F92522140@xxxxxxxxxxxxxxxx
>> > Morning,
>> >
>> > I am trying to configure a Cisco 1200AP and a Linksys WRT54G to work with
>> > certificates. I followed this guide to perfection that I was given earlier.
>> >
>> > http://home.comcast.net/~clearviewtc/
>> >
>> > It was a great guide and helped immensely with my implementation. I did the
>> > following:
>> >
>> > Installed and configured Certification Authority
>> > Installed Internet Auth Service
>> > Defined my RADIUS Clients and Access Policy for Wireless
>> > I created a wireless group and a wireless GPO
>> > GPO consisting of Autoenrollment for "Computer" Certificates
>> > I set my GPO so that it only authenticates Computer Certs / TKIP / WPA
>> > I can see on a client machine that the cert is there and it is the correct
>> > cert
>> >
>> > ---- But naturally when I go to connect to the Network with a client device
>> > I get no luck... just says Validating Identity -----
>> >
>> > I guess I'm frustrated because I can see where I went wrong with this
>> > guide. I'm working with my Linksys now and still no luck, any good guides
>> > to PEAP maybe?
>> >
>> > Noncentz
>> >
>> > Any help would be greatly appreciated
>> >
>>
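
An added example, not part of the thread: when the IAS message DLL is missing, the event shows only raw insertion strings like the ones quoted above, and this sketch splits them into named fields and flags the two things the posters remarked on (unresolved `%%` message IDs and the request being logged under `Guest`). The field names and their order are an assumption made for this example; the thread gives only the values.

```python
import re

# Constructed input: the insertion strings quoted in the thread, with the
# newsreader's line-wrap markers removed.
SAMPLE = (
    r"%%2147483686, MCCOYSALES\Guest, 10.10.0.115, 001d7ea04513, "
    r"001d7ea04513, 001d604008fa, LinksysAP, 10.10.0.115, "
    r"Wireless - IEEE 802.11, 50, Use Windows authentication for all users, "
    r"%%2147483688, %%2147483685, %%2147483685, EAP, %%2147483685, 34, %%4130."
)

# ASSUMPTION: names and order of the 18 fields are not stated in the thread;
# adjust them to match a fully rendered event from your own server.
FIELDS = (
    "User-Name Fully-Qualified-User-Name NAS-IP-Address NAS-Identifier "
    "Called-Station-Identifier Calling-Station-Identifier "
    "Client-Friendly-Name Client-IP-Address NAS-Port-Type NAS-Port "
    "Proxy-Policy-Name Authentication-Provider Authentication-Server "
    "Policy-Name Authentication-Type EAP-Type Reason-Code Reason"
).split()

# An insertion string the viewer could not resolve looks like "%%<number>".
PLACEHOLDER = re.compile(r"^%%\d+$")


def parse_ias_event(text):
    """Split the comma-separated insertion strings into a field dict."""
    values = [v.strip() for v in text.strip().rstrip(".").split(",")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def triage(record):
    """Return findings worth a second look before blaming the client or AP."""
    findings = []
    unresolved = [k for k, v in record.items() if PLACEHOLDER.match(v)]
    if unresolved:
        findings.append("unresolved message IDs in: " + ", ".join(unresolved))
    account = record["Fully-Qualified-User-Name"].rpartition("\\")[2]
    if account.lower() == "guest":
        findings.append("request was logged under the Guest account")
    return findings


if __name__ == "__main__":
    for line in triage(parse_ias_event(SAMPLE)):
        print("!", line)
```
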

