Discussion:
IAS certificate needs reloaded on DC every day
Library Sysadmin
2008-08-28 15:39:01 UTC
Windows 2003 R2 x64 SP2 servers.
IAS installed on 2 DCs; CA installed on another member server.

I'm setting up IAS to authenticate wireless devices and not having much
success, so far.

Following several pieces of documentation, while logged in as the domain
admin on the DCs, I requested a certificate from the CA, installing it into
the Personal Certificates store. I then used this cert with IAS in the
Remote Access Policy I've configured, with the PEAP authentication
configuration.

As I've been trying to get the whole RADIUS authentication process to work,
I keep rechecking configurations and I have found that every day I have to
reload the certificate on the DCs.

The certificate is valid and doesn't expire until August 2009. It displays
on the CA as an Issued Certificate. I've already tried revoking one and
creating a second one and using that in the IAS config, but the same thing is
happening.

How do you get the cert installed without having to reload it every day?

TIA
Rick
James McIllece [MS]
2008-08-28 20:18:33 UTC
Hi Rick --

I'm curious about what docs you used to create your certs and enroll them
to IAS servers/DCs -- can you provide links to the docs or, if they're Help
topics, topic titles?

I also don't think I understand the situation -- are you saying that after
you have issued server certificates to the IAS servers, the certificates
are then deleted the next day from the Personal certificate store for both
the Local Computer and the Current User on the IAS servers? Or are you
saying the certs are there but they won't work?

You say that you requested a certificate for the IAS servers -- I am
assuming you did this using the certificates snap-in, is that correct? If
so, the certificate isn't going to work for IAS authentication purposes --
you must configure a certificate template and then enroll the cert to
servers. Did you configure a certificate template (in the Certificate
Templates MMC on the CA) based on the minimum server certificate
requirements detailed in the IAS Help?


*******
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Library Sysadmin
2008-08-28 21:27:01 UTC
These are a few of the documents I've been trying to follow to get IAS
working with wireless clients. Most of them contain the steps for
creating/installing the cert on the IAS server.

http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://articles.techrepublic.com.com/5100-10878_11-6148560.html
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#inst2003
Securing Wireless LANs with PEAP and Passwords (pdf) file downloaded and
extracted from MS site.

Basically, I logged on the DC as the domain admin;
Opened MMC and Add Snap-In Certificates -> Local Computer
Expanded Personal -> Certificates (there are 2 certs already there, but
neither is recognized in IAS as one that can be used);
Right click -> All Tasks -> Request New Certificate;
Complete the wizard using the Domain Controller template;
Certificate request completed, certificate issued from CA and installed in
Personal Certificates store - valid until August 2009.
Save and exit.
IAS configuration can use this certificate with PEAP configuration.

Note that Group Policy -> Default Domain Policy was configured for
AutoEnrollment and the CA is listed in the Trusted Root Cert Authorities.
Verified that this is in the Trusted Root Certificates Authority of the DC
while having the Certificates MMC open. Valid until 2012.

Come back in tomorrow;
Open IAS. Drill back down through the config again, but when editing PEAP
get an error box saying there is no matching certificate.
Close all this.
Open MMC -> Certificates (previously saved)
The Personal -> Certificates store lists only the original 2 certificates.
The newly created/issued cert is not there.
Click on import and pull it in again (have exported the .cer file from the
CA into a network folder)
Save and close.
Repeat each step the next day.

Rick
James McIllece [MS]
2008-08-29 18:03:56 UTC
Hi Rick --

The problem is that you need to configure the correct certificate template
(not the Domain Controller template) following the minimum server
certificate requirements.

All of the information you need to select the correct template and to
configure the template are found in the Help topic "Network access
authentication and certificates" in Windows Server 2003 IAS or VPN Help, or
on the web at http://technet.microsoft.com/en-us/library/cc759575.aspx.

That topic has the following sections:
Overview
Certificate requirements for EAP
Computer authentication by IPSec
Certificate-based authentication and wireless clients
Certificate enrollment methods and domain membership
Choosing a certificate enrollment method
CA Web enrollment services

A few sections below "Certificate-based authentication and wireless
clients," you'll find a table that allows you to select the correct
template.

In "Certificate requirements for EAP" you'll find the information to
configure the template.


*********************
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
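How to check the Local Computer store against those minimum requirements, as an added example (PowerShell, not code from the Help topic or from either poster). It assumes Windows PowerShell 2.0 or later has been installed on the IAS server (PowerShell is not part of Windows Server 2003) and that it runs from an administrative session on that server. It tests the documented requirements for the EAP server certificate, a Server Authentication EKU, a non-empty Subject, a private key in the Local Computer Personal store, current validity dates and a chain that builds to a trusted root, and prints the template each certificate came from, so a certificate that has vanished or that the PEAP dialog rejects can be told apart from one that was never eligible. It does not check the CSP/Schannel requirement.

```powershell
# Added example: enumerate the Local Computer Personal store (the store IAS reads
# for the PEAP server certificate) and test each certificate against the EAP
# server certificate requirements. Assumes Windows PowerShell 2.0 or later.

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2 templates (such as RAS and IAS Server) record their identity in
    # 1.3.6.1.4.1.311.21.7; v1 templates (such as Domain Controller) in
    # 1.3.6.1.4.1.311.20.2. Format() decodes whichever is present.
    foreach ($oid in "1.3.6.1.4.1.311.21.7", "1.3.6.1.4.1.311.20.2") {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return "(no template extension)"
}

function Test-EapServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += "no private key in this store" }
    if ([string]::IsNullOrEmpty($Cert.Subject)) { $problems += "empty Subject" }

    # The EKU extension (2.5.29.37) must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if (-not $eku) {
        $problems += "no Enhanced Key Usage extension"
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += "EKU lacks Server Authentication ($ServerAuthOid)"
    }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "outside validity period"
    }

    # The chain must build to a root the Local Computer trusts; revocation is
    # checked online, so a CRL that cannot be fetched also shows up here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $problems += "chain does not build: $status"
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Template   = Get-TemplateName $Cert
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join "; ")
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapServerCert $_ } |
    Format-List Subject, Template, Thumbprint, NotAfter, Usable, Problems
```

Run it once after enrolling and again after a Group Policy refresh (gpupdate /force on the DC) rather than waiting until the next day: if a certificate that reported Usable is gone on the second run, the templates and autoenrollment settings are the place to look, not the IAS configuration.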


Library Sysadmin
2008-08-29 20:31:00 UTC
James,

I have to admit that I'm really confused, now.
This is the first thing I've seen or read that says the certificate for the
IAS server needs to use the RAS and IAS template for setting up the wireless
client authentication.

In any event, I followed the link.
Reading through the part on Certificate based authentication and wireless
clients, then the chart at the bottom says that the RAS and IAS Server
Certificate is preferred and the preferred method of installing is through
autoenrollment. I also followed the procedures about opening the RAS and IAS
Server Template and setting the Security tab permissions to Read, Enroll and
AutoEnroll for the RAS and IAS Security Group - of which the domain
controllers are members.

Using Group Policy, I opened the Default Domain Controller OU, then edit
Computer Config -> Windows Settings -> Security Settings -> Public Key
Policies -> Automatic Certificate Request Settings. When I try to create a
new request, the only templates available are Computer, Domain Controller,
Enrollment Agent (Computer) and IPSEC. No RAS and IAS Server template and I
also note that only Computer and Domain Controller templates are intended for
Client and Server Authentication.

Closing that, I log on to the domain controller and open Certificates
(local) and expand Personal -> Certificates. Start the Request New
Certificate dialog and the only templates available are Directory Email
Replication, Domain Controller and Domain Controller Authentication. Again,
no RAS and IAS Server template. Also of note is that the Certificates MMC ->
Personal -> Certificates already lists issued/installed certs for Directory
Email Replication and Domain Controller Authentication, neither of which IAS
recognizes as being valid for PEAP configuration.

Also tried the Web based enrollment. The RAS and IAS Server template is not
available through this method, either.

Kind of stuck at this point.
Brain dead, too. I didn't think the RADIUS setup looked too difficult to set
up, but this just isn't working for wireless authentication through a
controller.
Library Sysadmin
2008-08-30 14:30:01 UTC
James,

I changed the CA and added the RAS and IAS template so it could be issued.
I've changed the IAS configuration for the wireless client Remote Access
Policy with a cert issued using this template.
The machine authenticates, now, but when the user attempts a login a message
is displayed saying that the domain is not available.

Also, the original problem that I described - about the certificate not
being retained in IAS config... I believe that what was wrong is that these
changes are saved in the profile's Local Settings and this is a roaming
profile. With 2003, Local Settings are not being written back to the roaming
profile, so these are gone each time you log in. I am correcting this
situation.

Rick
Library Sysadmin
2008-08-31 15:29:00 UTC
James,

I did some more work on this on Saturday.

I think the reason that the certificate was not being retained is that the
Domain Controller certificate template is listed as Superseded in the Domain
Controller Authentication certificate in Certificate Templates MMC.

I'm guessing that the autoenrollment process, with the renewal and update
box checked, is removing this superseded cert every time GP is refreshed.

I would note that the Domain Controller Authentication cert is not listed as
a choice in IAS, even after adding the RAS and IAS Servers global security
group to the template's security settings with appropriate permissions
configured.

The RAS and IAS cert is there and I'll continue working to get the wireless
clients authenticated from there.

Thanks for your help.

Rick
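A way to confirm the supersession relationship described in the post above, as an added example (PowerShell, not code from the thread). It reads the certificate template and enrollment service objects from the Configuration partition of Active Directory, so it needs a domain-joined machine, Windows PowerShell 2.0 or later, and read access to the Configuration container (domain users have that by default). The template CNs DomainController, DomainControllerAuthentication and RASAndIASServer are the built-in object names of the three templates named in the thread; the msPKI-Supersede-Templates attribute is what the "Superseded Templates" tab in the Certificate Templates MMC writes, and the certificateTemplates attribute on each CA's pKIEnrollmentService object is the list of templates that CA will issue.

```powershell
# Added example: inspect certificate templates in Active Directory to see which
# templates the enterprise CA issues and which template supersedes which.
# Assumes Windows PowerShell 2.0 or later on a domain-joined machine.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Get("configurationNamingContext")
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-IssuedTemplates {
    # Each enterprise CA registers a pKIEnrollmentService object whose
    # certificateTemplates attribute lists the template CNs it will issue.
    $services = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    foreach ($ca in $services.psbase.Children) {
        New-Object PSObject -Property @{
            CA        = ($ca.psbase.Name -replace '^CN=', '')
            Templates = @($ca.psbase.Properties["certificateTemplates"])
        }
    }
}

function Get-SupersededTemplates {
    # Templates listed on the "Superseded Templates" tab of $TemplateCn.
    param([string]$TemplateCn)
    $tpl = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,$pkiBase"
    @($tpl.psbase.Properties["msPKI-Supersede-Templates"])
}

function Find-Superseders {
    # Every template whose Superseded Templates list names $TemplateCn.
    # Autoenrollment will replace certificates from $TemplateCn with ones from a
    # superseding template once the computer can autoenroll for it.
    param([string]$TemplateCn)
    $container = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    foreach ($tpl in $container.psbase.Children) {
        $superseded = @($tpl.psbase.Properties["msPKI-Supersede-Templates"])
        if ($superseded -contains $TemplateCn) {
            $tpl.psbase.Name -replace '^CN=', ''
        }
    }
}

# Report: what each CA issues, then the supersession status of the three
# templates discussed in the thread.
$cas = @(Get-IssuedTemplates)
foreach ($ca in $cas) {
    "CA {0} issues: {1}" -f $ca.CA, ($ca.Templates -join ", ")
}
$issued = @($cas | ForEach-Object { $_.Templates })
foreach ($name in "DomainController", "DomainControllerAuthentication", "RASAndIASServer") {
    $superseders = @(Find-Superseders $name)
    "{0}: issued by a CA = {1}; superseded by = {2}" -f $name,
        ($issued -contains $name), ($superseders -join ", ")
}
```

If DomainController shows up as superseded by DomainControllerAuthentication and the CA issues the latter, a certificate requested by hand from the Domain Controller template is exactly what autoenrollment is entitled to replace at the next policy refresh; a certificate from the RAS and IAS Server template is not in that relationship and stays put.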
James McIllece [MS]
2008-09-02 19:29:46 UTC
You're welcome, Rick, and I'm glad you're making such good progress.


James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.