Weird IAS error with EAP-TLS
Res
2008-01-10 23:17:38 UTC
I had IAS on a Windows 2003 domain controller working with EAP-TLS and
computer certificates to authenticate Wireless clients a while back.
Since then many things have been messed with, so I'm open to any
suggestions on where to look. Upon trying to log in wirelessly
recently, I get difficult-to-interpret errors:

Event Log:
-------------------------
Access request for user host/laptop.test.com was discarded.
Fully-Qualified-User-Name = test.com/Computers/LAPTOP
NAS-IP-Address = 192.168.1.100
NAS-Identifier = eap-ap
Called-Station-Identifier = 001c.0f83.09d0
Calling-Station-Identifier = 0040.96a3.b9ab
Client-Friendly-Name = AP1242AG
Client-IP-Address = 192.168.1.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 318
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 1
Reason = An internal error occurred. Check the system event log for
additional information.
-------------------------

RASTLS:
-------------------------
RasEapGetInfo

EapTlsBegin(SSCN\NETWORKS-LZ$)
SetupMachineChangeNotification
Verifying caller...
Unauthorized use of TLS attempted
-------------------------

IASSAM
-------------------------
Creating EAP session
NT-SAM Names handler received request with user identity host/laptop.test.com.
Successfully cracked username.
SAM-Account-Name is "TEST\LAPTOP$".
NT-SAM Authentication handler received request for TEST\LAPTOP$.
Validating Windows account TEST\LAPTOP$.
Sending LDAP search to dc1.test.com.
Successfully validated windows account.
NT-SAM User Authorization handler received request for TEST\LAPTOP$.
Using downlevel dial-in parameters.
Sending LDAP search to dc1.test.com.
Inserting attribute msNPAllowDialin.
Successfully retrieved per-user attributes.
Allowed EAP type: 13
Setting max. packet length to 1396.
RasEapBegin failed: Access is denied.
Caught COM exception: Access is denied.
-------------------------

I have validated that the group policy trusts third party and
enterprise trusted certificate authorities on the domain controllers.
I've made sure that the certificates listed on http://support.microsoft.com/kb/293781/
were installed. I've tried uninstalling and reinstalling, and I've
tried installing fresh on a different domain controller and copying
over the configuration. (That sums up the advice I've found online
pertaining to this problem.)

Any ideas?

-- Res
S. Pidgorny <MVP>
2008-01-14 08:51:00 UTC
Use Process Monitor to monitor denied access to files?
James McIllece [MS]
2008-01-25 18:05:23 UTC
Hi Res --

I pinged the product team with your question and received the following
response:

"The only time I have seen this is when an unsigned DLL is being used. In
this case, it's RASTLS.dll, which should be fine, unless it was replaced by
a third party application (not unheard of).

"The easiest way to fix this is to reapply the latest service pack."
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
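As an added example that is not part of the thread (neither Res's logs nor any Microsoft tooling): a small Python triage helper that parses the three kinds of excerpt Res posted, pulls the attributes out of the IAS "discarded" event, and reports whether the request died after the Windows account was already validated, i.e. when EAP-TLS itself refused to start, which is the pattern the product team attributes to a replaced or unsigned RASTLS.dll. The sample traces are constructed, trimmed copies of the excerpts in the original post, and the verdict labels are my own.

```python
import re

# Constructed sample input, shaped like the three excerpts in the original post.
IAS_EVENT = """Access request for user host/laptop.test.com was discarded.
Fully-Qualified-User-Name = test.com/Computers/LAPTOP
Authentication-Server = <undetermined>
Reason-Code = 1
Reason = An internal error occurred. Check the system event log for additional information."""
IASSAM_TRACE = """Creating EAP session
Successfully validated windows account.
Allowed EAP type: 13
RasEapBegin failed: Access is denied."""
RASTLS_TRACE = """EapTlsBegin(SSCN\\NETWORKS-LZ$)
Verifying caller...
Unauthorized use of TLS attempted"""

def parse_ias_event(text):
    """Return the 'Attribute = value' lines of an IAS event as a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+)\s*=\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs

def triage(event_text, iassam_text, rastls_text):
    """Say which stage of the IAS EAP-TLS pipeline the request died in."""
    ev = parse_ias_event(event_text)
    sam = iassam_text.splitlines()
    eap = [re.match(r"Allowed EAP type: (\d+)", l) for l in sam]
    eap = next((int(x.group(1)) for x in eap if x), None)   # 13 is EAP-TLS
    result = {
        "reason_code": ev.get("Reason-Code"),
        "eap_type": eap,
        "account_validated": any(l.startswith("Successfully validated windows account") for l in sam),
        "eap_begin_failed": any(l.startswith("RasEapBegin failed") for l in sam),
        "caller_rejected": "Unauthorized use of TLS attempted" in rastls_text.splitlines(),
    }
    if result["reason_code"] != "1":
        result["verdict"] = "not-internal-error"   # a specific reason code: read it instead
    elif not result["account_validated"]:
        result["verdict"] = "account-validation"   # died in the SAM/LDAP stage, before EAP
    elif result["eap_begin_failed"] and result["caller_rejected"]:
        result["verdict"] = "eap-provider-load"    # EAP-TLS refused to start: check rastls.dll
    else:
        result["verdict"] = "unknown"
    return result
```

Reason-Code 1 by itself is only IAS's generic internal error; it is the RASTLS "Unauthorized use of TLS attempted" line, arriving after the account and per-user attributes were retrieved, that points at the EAP provider DLL rather than at the account or the remote access policy.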