Re: Wireless connection problem from XP Pro SP2 to SBS 2003
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Aug 2008 12:17:56 -0400
You weren't the one who originally configured this wireless, right? I would compare all the settings between the non-working PC and the one that works. It would be helpful to know how the original configuration was applied. If it was group policy, you can run RSOP.msc on both the working and non-working machines, and compare the settings under Computer Configuration -> Windows Settings -> Security Settings - check the Wireless Network and Public Key policies. Either in group policy, or manually configured settings, just make sure that everything matches between the two machines. (Of course the group policies would match between the machines, unless the problem machine is not applying the policy for some reason).
What's doing the authentication? IAS? If so, open Internet Authentication Service on the SBS. R-click the top item in the left pane -> Properties. Turn on logging for success and failure. Try to log in, and see if IAS logs anything. (You'll want to turn success logging off after diagnosing this to avoid overwhelming your system log).
Assuming all the settings are the same, and also assuming IAS isn't logging anything, you can pretty well blame hardware for this. It could be the wireless NIC driver, or the wireless NIC itself. The one time I had a wireless NIC fail, it would authenticate successfully maybe one time in a hundred - intermittent wireless failures are just about always hardware related (including drivers). The other thing to test hardware would be to see if you can connect to an unsecured network. However, I've seen one instance where a failing wireless NIC would connect to an open network but would not work with certificate-based authentication.
I'd try updating the driver. If that doesn't help, can you come up with another wireless card to try on that machine? I bought a cheap USB one just for diagnostic purposes, or maybe you could swap the one from the working machine and see if that helps.
But none of this gets to why the auto enrollment is failing. I'm sure we've already talked about this, but you've verified that auto enrollment fails over a wired connection, right? If it weren't for the auto enrollment error, and assuming matching configurations between the working and non-working machines, I'd be confident in blaming hardware.
If IAS is logging failure, you're probably back to the certificate, or you might get some other useful information from the log event.
Some resources:
Troubleshooting IEEE 802.11 Wireless Access with Microsoft Windows
http://technet.microsoft.com/en-us/library/bb457017.aspx
Windows Server 2003 Wireless Troubleshooting
http://technet.microsoft.com/en-us/library/cc773359.aspx
A Support Guide for Wireless Diagnostics and Troubleshooting (I've done the eapol logging thing, etc. from this one. It made me wish I had taken the day off to get a root canal instead).
http://technet.microsoft.com/en-us/library/bb457018.aspx
"Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:208B5A0B-3C96-42E3-8FCF-74D66D7669BE@xxxxxxxxxxxxxxxx
Been busy doing service the last couple days but I have a little time to
revisit this problem today.
Yes, AE was still failing after setting NLA auto and Windows Firewall was
always using domain settings I believe.
Remote Registry is turned on and automatic on this PC. Ipconfig /all shows
the correct domain and DNS server and the only error I'm getting in the logs
is the Autoenrollment failure.
I went to the working PC and grabbed the certificate and installed it on
this PC. Unfortunately that didn't fix the problem, however now if the
wireless is enabled on boot up the PC takes a really long time at the
"preparing network connections" before it loads the desktop. If I disable the
wireless and reboot it starts up normally - but I still get the autoenroll
failure at every boot up.
Any ideas?
Thanks for the help!
"Dave Nickason [SBS MVP]" wrote:
You did check that auto enrollment is still failing after setting NLA to
automatic, right? If before you made that change, the firewall was using
the non-domain settings, that could have been what was doing the blocking.
Firewall blocking enrollment would have been my first guess, ISA second, but
you've got both of those ruled out now.
Just out of curiosity, is the Remote Registry service running on the client
PC? I've seen RPC failures with that turned off, not in this context and I
kind of doubt it's related, but worth a quick look.
You're sure the workstation is properly joined to the domain, and in
ipconfig /all, it's pointing to the SBS for DNS? No other errors in the
logs?
I do think you should troubleshoot and repair the auto enrollment issue.
However, that said, in the interest of getting the workstation connected,
can you export the cert from the working PC and import it to the non-working
one? If you open Internet Options -> Content Tab -> Certificates, you
should be able to see the cert in Trusted Root Certification Authorities.
Export to a USB key or whatever, then just import it on the other PC by
r-clicking the exported file and choosing Install (or similar). Make sure
to manually choose to put it in Trusted Root Certification Authorities.
"Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:674A8D40-8A7F-4E90-AE85-FF58BBD39E37@xxxxxxxxxxxxxxxx
> Looked in the ISA console and "Enforce strict RPC compliance" is not checked,
> "enable" is checked.
>
> I will look through the link you've provided and see if I can find a similar
> issue.
>
> "Dave Nickason [SBS MVP]" wrote:
>
>> See if there's any help here
>> http://eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1.
>>
>> Also, on the SBS, open the ISA console. In the left pane, r-click Firewall
>> Policy and choose Edit System Policy. In the resulting window, find
>> Authentication Services in the left pane, and under that, choose Active
>> Directory. Is the box called "Enforce strict RPC compliance" checked? If
>> so, uncheck it and click the Apply button at the top of the console. The
>> "Enable" box should be left checked.
>>
>> Strict RPC compliance will block certificate auto enrollment, so that could
>> be part of the problem if it's checked. If so, after making the change,
>> reboot the workstation and see if you still get the error.
>>
>> Normally, I'd think having a working workstation would rule that out.
>> However, since others have been involved in the configuration of this
>> network, I'm thinking that one of them may have manually installed the
>> certificate on the working workstation, or that they enabled strict RPC
>> compliance after that workstation was configured.
>>
>>
>>
>> "Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:02C0BA16-3DDB-45FF-8DE8-1FB93E25A621@xxxxxxxxxxxxxxxx
>> > Hi Dave
>> >
>> > I've checked in CP -> Windows Firewall but there is no properties, just a
>> > General, Exceptions, and Advanced tab. Nowhere on any of these screens do I
>> > see it say Domain or Non-Domain. NLA was started but Manual, so I went ahead
>> > and made it automatic anyway and rebooted without success.
>> >
>> > I just now found out that we are indeed running ISA, however we do have a
>> > workstation in the office that is running wirelessly correctly.
>> >
>> >
>> > "Dave Nickason [SBS MVP]" wrote:
>> >
>> >> Please go to CP -> Windows Firewall and open the properties. At the bottom
>> >> of the first tab, does it say it's using your Domain or Non-Domain settings?
>> >> If non-domain, please set the Network Location Awareness service to
>> >> Automatic startup and reboot the workstation.
>> >>
>> >> Do you have other wireless computers that are functioning as expected? If
>> >> so, please resist the temptation to mess with anything on the server. It
>> >> appears that auto-enrollment is failing on that one PC, which is almost
>> >> certainly not a server or CA issue.
>> >>
>> >> Are you running ISA? That can prevent auto-enrollment, and the fix is to
>> >> disable strict RPC compliance. Post back if you need more info on doing
>> >> that (and note it would only apply if there are no PCs where auto enrollment
>> >> is working).
>> >>
>> >> "Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:01A6F8E8-6FC8-4E83-89F1-62177BDE0DFE@xxxxxxxxxxxxxxxx
>> >> > Our office is running SBS2003 and we recently had to rebuild a
>> >> > workstation. After the rebuild, I can no longer connect wirelessly to
>> >> > the server. In Event Viewer I get the following:
>> >> >
>> >> > Autoenrollment | Event 13
>> >> >
>> >> > Automatic Certificate Enrollment for local system failed to enroll
>> >> > for one Computer certificate. (0x800706ba). The RPC Server is
>> >> > unavailable.
>> >> >
>> >> > The wireless connection continuously tries to log in but comes back with
>> >> > status: Authentication Failed.
>> >> >
>> >> > I've searched a bunch of places with this error but haven't been able
>> >> > to find an identical issue with a solution.
>> >> >
>> >> > Unfortunately I did not set this server up, and have somewhat limited
>> >> > knowledge on the server side of things but know enough to be
>> >> > dangerous. Any help would be much appreciated and I would be happy to
>> >> > provide any more information that would help in solving this problem.
>> >> >
>> >> > Thanks
>> >> >
>> >>
>> >>
>>
>>