Re: Wireless WPA on SBS not authenticating



I'm not sure if auto enrollment needs to be working or not. Logically, it
seems that just having the cert would be enough. But, if you're having
enrollment errors, you could be having something else, such as group
policies not applying.

I'd go back and recheck all your settings against those in the document.
That Guest thing is an error, as the authentication is supposed to happen at
the computer level, not the user.


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DC0555D8-2B0C-42D7-B4B0-548D2D76065E@xxxxxxxxxxxxxxxx
Actually that is where I got the idea to add the Domain Controllers to the
CERTSVC_DCOM_ACCESS group. I can't see if the domain machines are running
autoenrollment correctly though because I can't reenroll all certificate
holders, it's not allowed for some reason and that's the template I'm using.
Do the autoenrollment settings have to do anything with auth once the machine
has a good cert? I manually updated the cert on my client machine just fine.

"Dave Nickason [SBS MVP]" wrote:

Have you checked eventid.net for that error?

http://eventid.net/display.asp?eventid=15&eventno=1397&source=AutoEnrollment&phase=1

"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7673B7BF-6EFE-4CF1-BB23-D974C882A1A3@xxxxxxxxxxxxxxxx
I do not have ISA 2004 although I wish I had..... The autoenrollment error I
get though "error 15"

Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not exist or
could not be contacted. Enrollment will not be performed.

Which I've been told to be a DNS error although I've about ruled that out.
All the test equipment I have is also connected to the Wired Lan to receive
the certificate then tested on wireless. I did read this error though

-------------------------------------------------
From a newsgroup post:
"Based on my research, when you install a CA, on a machine that is running
Windows 2003, it should automatically create a group called
CERTSVC_DCOM_ACCESS and enroll all the domain controllers as members of this
group. I suspect that this was not happening and hence the auto enrollment
was failing. At this point, I suggest you run the following command on the
problematic Windows 2003 Server:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG.
After this stop and start the certsvc service by using the following
commands:
net stop certsvc
net start certsvc
The steps above will create the group and then you can add the DCs as
members of the group. If the group already exists, then simply add the DCs
as members of the group".
--------------------------------------------------
So what I have done is to find that group and add my domain Controllers to
the group. But I can't quite test yet because I don't know how to force a
machine to update its certification. I will let you know

"Dave Nickason [SBS MVP]" wrote:

Do you have ISA 2004? If so, that's what's causing the auto enrollment
failures - you need to turn off strict RPC compliance in the system
policies.

Have you tried booting these machines while connected to the wired network?
AFAIK you have to get the certificate enrolled once over wired before it
will work for wireless. What happens if you boot while connected to wired -
do you still get the auto enrollment error?


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7836297C-39E7-43B8-9C60-176574A64505@xxxxxxxxxxxxxxxx
I have checked a couple of user machines.. they have all failed
autoenrollment but have the cert. Here is the common error that I get:

Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not exist or
could not be contacted.
Enrollment will not be performed.


"Dave Nickason [SBS MVP]" wrote:

When the client PC boots, does it log any auto enrollment errors in its
application log? I know you've verified the correct certificate is
installed, but that Guest thing is weird - not something I've seen before.

Do you run ISA 2004? In its default configuration, that blocks certificate
auto enrollment. I'm pretty sure the fix for that is included in Owen's
white paper.


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ABB41361-90AD-4DBD-B72C-DF6BAB215D1B@xxxxxxxxxxxxxxxx
Dave,

I turned both boxes on and I check my System Log and whammo.... nothing.
Guess that means I'm not getting anything so it must be my client or router.
I did get this error in the Application log though

From IAS:
The description for Event ID ( 2 ) in Source ( IAS ) cannot be found. The
local computer may not have the necessary registry information or message
DLL files to display messages from a remote computer. You may be able to use
the /AUXSOURCE= flag to retrieve this description; see Help and Support for
details. The following information is part of the event: %%2147483686,
MCCOYSALES\Guest, 10.10.0.115, 001d7ea04513, 001d7ea04513, 001d604008fa,
LinksysAP, 10.10.0.115, Wireless - IEEE 802.11, 50, Use Windows
authentication for all users, %%2147483688, %%2147483685, %%2147483685, EAP,
%%2147483685, 34, %%4130.

The part I noticed was the "MCCOYSALES\Guest 10.10.0.115" which is my domain
and AP but it's under guest, I don't really know why it would tag that AP
with guest but ??? either way thanks for the quick reply, still dissecting
the issue

Noncentz

"Dave Nickason [SBS MVP]" wrote:

Go into IAS and at the top left, r-click "Internet Authentication Service
(Local)" -> Properties. Check the two boxes to enable success and failure
logging. After a login attempt fails, check the System log on the SBS to
see if IAS logged the connection attempt. If so, you might get some help
from the log entry. If not, it's probably a configuration issue on the
client PC or the router.

Everything needs to match exactly - for example, WPA and WPA2 are not
interchangeable, nor are TKIP and AES. I can't remember the details now,
but I had a WAP setting relating to security that appeared to match
everything else but did not. If you're following Owen's document exactly,
just make sure that everything is set to WPA, and to TKIP. If you have a
choice, you need WPA Enterprise, not WPA with PSK.

Failing that, you could try updating the NIC drivers on the wireless client,
and also maybe trying a different wireless client or NIC. I've had some
weird authentication issues with Intel wireless NICs, sometimes helped by a
driver update, but I did have to replace one. You can try disabling all the
security to make sure the client can associate with the WAP, but I've had
one instance where it would connect without security but not with, and
that's the one where I had to replace the NIC.


"Noncentz" <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4E5A2561-E4C8-4AB5-9D27-CA8F92522140@xxxxxxxxxxxxxxxx
Morning,

I am trying to configure a Cisco 1200AP and a Linksys WRT54G to work with
certificates. I followed this guide to perfection that I was given earlier.

http://home.comcast.net/~clearviewtc/

It was a great guide and helped immensely with my implementation. I did the
following:

Installed and configured Certification Authority
Installed Internet Auth Service
Defined my RADIUS Clients and Access Policy for Wireless
I created a wireless group and a wireless GPO
GPO consisting of Autoenrollment for "Computer" Certificates
I set my GPO so that it only authenticates Computer Certs / TKIP / WPA
I can see on a client machine that the cert is there and it is the correct
cert

---- But naturally when I go to connect to the Network with a client device
I get no luck... just says Validating Identity -----

I guess I'm frustrated because I can see where I went wrong with this
guide, I'm working with my Linksys now and still no luck, any good guides to
PEAP maybe?

Noncentz

Any help would be greatly appreciated
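
Added example, not part of any poster's message: a small Python parser for the IAS Event ID 2 insertion strings quoted in the thread, flagging that the request resolved to MCCOYSALES\Guest instead of a computer account. The field order is assumed from the usual IAS Event ID 2 template, and the function names and finding codes are made up for illustration.

```python
# Field order follows the usual IAS Event ID 2 ("access denied") template.
# That ordering is an assumption of this example; the thread does not state it.
FIELDS = [
    "user_name", "fully_qualified_user_name", "nas_ip_address",
    "nas_identifier", "called_station_id", "calling_station_id",
    "client_friendly_name", "client_ip_address", "nas_port_type", "nas_port",
    "proxy_policy_name", "authentication_provider", "authentication_server",
    "policy_name", "authentication_type", "eap_type", "reason_code", "reason",
]

# Insertion strings as quoted in the thread, with the line wraps removed.
SAMPLE = (
    "%%2147483686, MCCOYSALES\\Guest, 10.10.0.115, 001d7ea04513, "
    "001d7ea04513, 001d604008fa, LinksysAP, 10.10.0.115, "
    "Wireless - IEEE 802.11, 50, Use Windows authentication for all users, "
    "%%2147483688, %%2147483685, %%2147483685, EAP, %%2147483685, 34, %%4130."
)

def parse_ias_event2(raw):
    """Split the comma-separated insertion strings into named fields."""
    parts = [p.strip() for p in raw.strip().rstrip(".").split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def is_computer_identity(name):
    """Computer accounts show up as host/<fqdn> or DOMAIN\\<machine>$."""
    account = name.rsplit("\\", 1)[-1].lower()
    return account.startswith("host/") or account.endswith("$")

def triage(event):
    """Return short finding codes for the problems discussed in the thread."""
    findings = []
    identity = event["fully_qualified_user_name"]
    if not is_computer_identity(identity):
        findings.append("identity-not-computer")
    if identity.rsplit("\\", 1)[-1].lower() == "guest":
        findings.append("mapped-to-guest")
    for field in ("policy_name", "eap_type"):
        if event[field].startswith("%%"):  # unresolved message placeholder
            findings.append(f"{field}-unresolved")
    return findings

if __name__ == "__main__":
    event = parse_ias_event2(SAMPLE)
    print(event["client_friendly_name"], event["reason_code"], triage(event))
```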










