Wireless Networking - IAS fails with certs from Stand Alone CA
#1

Hello:

I am deploying a secure wireless solution with a Stand Alone CA. When my clients are trying to authenticate I am getting the following 2 error messages in my event viewer. I have searched on these but can not seem to find a resolution for them. Any help anyone could offer would be greatly appreciated.

Harrison Midkiff

******* Error 1 *********
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 20190
Date: 7/20/2004
Time: 12:23:25 PM
User: N/A
Computer: MERCURY
Description:
Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

******* Error 2 *********
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 20168
Date: 7/20/2004
Time: 12:23:25 PM
User: N/A
Computer: MERCURY
Description:
Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 04 20 09 80 . .€

Harrison Midkiff

#2

Posts: n/a

"Harrison Midkiff" <> wrote in message news:...
> Hello:
>
> I am deploying a secure wireless solution with a Stand Alone CA. When my
> clients are trying to authenticate I am getting the following 2 error
> messages in my event viewer. I have searched on these but can not seem to
> find a resolution for them. Any help anyone could offer would be greatly
> appreciated.
>
> Harrison Midkiff
>
> ******* Error 1 *********
> Event Type: Information
> Event Source: IAS
> Event Category: None
> Event ID: 20190
> Date: 7/20/2004
> Time: 12:23:25 PM
> User: N/A
> Computer: MERCURY
> Description:
> Because no certificate has been configured for clients dialing in with
> EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please
> go to the user's Remote Access Policy and configure the Extensible
> Authentication Protocol (EAP).
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ******* Error 2 *********
> Event Type: Error
> Event Source: IAS
> Event Category: None
> Event ID: 20168
> Date: 7/20/2004
> Time: 12:23:25 PM
> User: N/A
> Computer: MERCURY
> Description:
> Could not retrieve the Remote Access Server's certificate due to the
> following error: Cannot find object or property.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 04 20 09 80 . .?

The messages pretty much tell you what the problem is. You've set up an authentication type which requires certificates. Either the certificates have not been issued, or are stored in the wrong place, or do not refer back to a valid root certificate. Brush up on how to issue certificates, where to store them, how to make sure there's a valid certificate path or chain, and whether or not a stand alone CA is adequate for what you are doing.

MikeF

#3

Posts: n/a

Here are some steps you can use to verify whether you have a valid certificate installed on your RADIUS (IAS) server:

On your RADIUS (IAS) server, do the following:

1) Click on the Start button and choose "Run..."
2) Type in "mmc" and click OK
3) From the "File" pull-down menu, click on "Add/Remove Snap-in..."
4) Click "Add..."
5) Select "Certificates" and click "Add"
6) Select "Computer account" and click "Next >"
7) Click "Finish"
9) Click "OK"
10) On the left side of the window, browse down to "Certificate (Local Computer) \ Personal \ Certificates"
11) Look for the certificate, which you plan to use with EAP, on the right side of the window and double click on it

If no certificates appear on the right side of the window, then you have not installed your certificate into the correct location.

11) Switch to the "Details" tab
12) Make sure the value for the "Valid from" field is a date that is earlier than today's date.
13) Make sure the value for the "Valid to" field is a date that is later than today's date.
14) Make sure the field called "Subject" exists, that it has a value assigned to it, and that the value includes a "CN = " which is followed by some name.
15) Make sure that the "Enhanced Key Usage" field exists and that its value mentions "Server Authentication".

If your certificate does not meet one of these checks, then it will not be recognized by your RADIUS (IAS) server.

16) Lastly, with a certificate from a Stand-Alone CA server, you may need to manually install a copy of the certificate for the Root CA into the Enterprise "NTAuth" certificate store. The following KB article will show you how this is done:

http://support.microsoft.com/default...b;en-us;295663

If you meet all these requirements, then you should be able to select this certificate when configuring EAP in your Remote Access policy.

--
Patrick Sears
Bluetooth PAN
Windows Networking

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup purposes only.

Patrick Sears [MSFT]
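
The checks from the steps in post #3 (store location, validity dates, Subject CN, "Server Authentication" EKU), scripted as an added PowerShell example that is not part of the original thread. The function name `Test-EapServerCertificate` is hypothetical, and the chain-build check goes beyond the listed steps to cover the "valid certificate path or chain" point from post #2.

```powershell
# Added example: run in an elevated PowerShell session on the IAS/RADIUS server.
function Test-EapServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU
    $now = Get-Date
    $problems = @()

    # Steps 12-13: the current date must fall inside the validity window.
    if ($Certificate.NotBefore -gt $now) { $problems += '"Valid from" is in the future' }
    if ($Certificate.NotAfter -lt $now)  { $problems += '"Valid to" has passed' }

    # Step 14: Subject must exist and contain a CN with a value.
    if ($Certificate.Subject -notmatch 'CN\s*=\s*\S') { $problems += 'Subject has no CN' }

    # Step 15: Enhanced Key Usage must exist and list Server Authentication.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) {
        $problems += 'No Enhanced Key Usage extension'
    } elseif (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $serverAuthOid) {
        $problems += 'EKU does not include Server Authentication'
    }

    # Beyond the listed steps: does the certificate chain to a root this machine trusts?
    # Revocation is skipped so an unreachable CRL does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $problems += 'Chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    return $problems
}

# Step 10: "Certificates (Local Computer) \ Personal" is the LocalMachine\My store.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificates in Local Computer\Personal: nothing for IAS to select.'
}
foreach ($cert in $certs) {
    $problems = @(Test-EapServerCertificate -Certificate $cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}
```

A certificate reported with `Usable = False` fails at least one of the checks above; step 16 (the Enterprise NTAuth store) is not covered by this script.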