IAS fails with certs from Stand Alone CA

Discussion in 'Wireless Networking' started by Harrison Midkiff, Jul 20, 2004.

  1. Hello:

    I am deploying a secure wireless solution with a Stand Alone CA. When my
    clients are trying to authenticate I am getting the following 2 error
    messages in my event viewer. I have searched on these but can not seem to
    find a resolution for them. Any help anyone could offer would be greatly
    appreciated.

    Harrison Midkiff

    ******* Error 1 *********
    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 20190
    Date: 7/20/2004
    Time: 12:23:25 PM
    User: N/A
    Computer: MERCURY
    Description:
    Because no certificate has been configured for clients dialing in with
    EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please
    go to the user's Remote Access Policy and configure the Extensible
    Authentication Protocol (EAP).

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    ******* Error 2 *********
    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 20168
    Date: 7/20/2004
    Time: 12:23:25 PM
    User: N/A
    Computer: MERCURY
    Description:
    Could not retrieve the Remote Access Server's certificate due to the
    following error: Cannot find object or property.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 04 20 09 80 . .€
    Harrison Midkiff, Jul 20, 2004
    #1

  2. Harrison Midkiff

    MikeF Guest

    "Harrison Midkiff" <> wrote in message
    news:...
    > Hello:
    >
    > I am deploying a secure wireless solution with a Stand Alone CA. When my
    > clients are trying to authenticate I am getting the following 2 error
    > messages in my event viewer. I have searched on these but can not seem to
    > find a resolution for them. Any help anyone could offer would be greatly
    > appreciated.
    >
    > Harrison Midkiff
    >
    > ******* Error 1 *********
    > Event Type: Information
    > Event Source: IAS
    > Event Category: None
    > Event ID: 20190
    > Date: 7/20/2004
    > Time: 12:23:25 PM
    > User: N/A
    > Computer: MERCURY
    > Description:
    > Because no certificate has been configured for clients dialing in with
    > EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please
    > go to the user's Remote Access Policy and configure the Extensible
    > Authentication Protocol (EAP).
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    >
    > ******* Error 2 *********
    > Event Type: Error
    > Event Source: IAS
    > Event Category: None
    > Event ID: 20168
    > Date: 7/20/2004
    > Time: 12:23:25 PM
    > User: N/A
    > Computer: MERCURY
    > Description:
    > Could not retrieve the Remote Access Server's certificate due to the
    > following error: Cannot find object or property.
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    > Data:
    > 0000: 04 20 09 80 . .?>



    The messages pretty much tell you what the problem is. You've set up an
    authentication type which requires certificates. Either the certificates
    have not been issued, or are stored in the wrong place, or do not refer back
    to a valid root certificate. Brush up on how to issue certificates, where
    to store them, how to make sure there's a valid certificate path or chain,
    and whether or not a stand alone CA is adequate for what you are doing.
    MikeF, Jul 20, 2004
    #2

  3. Here are some steps you can use to verify whether you have a valid
    certificate installed on your RADIUS (IAS) server:

    On your RADIUS (IAS) server, do the following:

    1) Click on the Start button and choose "Run..."
    2) Type in "mmc" and click OK
    3) From the "File" pull-down menu, click on "Add/Remove Snap-in..."
    4) Click "Add..."
    5) Select "Certificates" and click "Add"
    6) Select "Computer account" and click "Next >"
    7) Click "Finish"
    8) Click "Close"
    9) Click "OK"
    10) On the left side of the window, browse down to "Certificate (Local
    Computer) \ Personal \ Certificates"
    11) Look for the certificate, which you plan to use with EAP, on the right
    side of the window and double click on it

    If no certificates appear on the right side of the window, then you have not
    installed your certificate into the correct location.

    11) Switch to the "Details" tab
    12) Make sure the value for the "Valid from" field is a date that is
    earlier than today's date.
    13) Make sure the value for the "Valid to" field is a date that is later
    than today's date.
    14) Make sure the field called "Subject" exists, that it has a value
    assigned to it, and that the value includes a "CN = " which is followed by
    some name.
    15) Make sure that the "Enhanced Key Usage" field exists and that its value
    mentions "Server Authentication".

    If your certificate does not meet one of these checks, then it will not be
    recognized by your RADIUS (IAS) server.

    16) Lastly, with a certificate from a Stand-Alone CA server, you may need
    to manually install a copy of the certificate for the Root CA into the
    Enterprise "NTAuth" certificate store. The following KB article will show
    you how this is done:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;295663

    If you meet all these requirements, then you should be able to select this
    certificate when configuring EAP in your Remote Access policy.

    --

    Patrick Sears
    Bluetooth PAN
    Windows Networking

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Please do not send email directly to this alias. This alias is for newsgroup
    purposes only.

    "MikeF" <> wrote in message
    news:...
    >
    > "Harrison Midkiff" <> wrote in message
    > news:...
    > > Hello:
    > >
    > > I am deploying a secure wireless solution with a Stand Alone CA. When my
    > > clients are trying to authenticate I am getting the following 2 error
    > > messages in my event viewer. I have searched on these but can not seem to
    > > find a resolution for them. Any help anyone could offer would be greatly
    > > appreciated.
    > >
    > > Harrison Midkiff
    > >
    > > ******* Error 1 *********
    > > Event Type: Information
    > > Event Source: IAS
    > > Event Category: None
    > > Event ID: 20190
    > > Date: 7/20/2004
    > > Time: 12:23:25 PM
    > > User: N/A
    > > Computer: MERCURY
    > > Description:
    > > Because no certificate has been configured for clients dialing in with
    > > EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please
    > > go to the user's Remote Access Policy and configure the Extensible
    > > Authentication Protocol (EAP).
    > >
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > >
    > > ******* Error 2 *********
    > > Event Type: Error
    > > Event Source: IAS
    > > Event Category: None
    > > Event ID: 20168
    > > Date: 7/20/2004
    > > Time: 12:23:25 PM
    > > User: N/A
    > > Computer: MERCURY
    > > Description:
    > > Could not retrieve the Remote Access Server's certificate due to the
    > > following error: Cannot find object or property.
    > >
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > > Data:
    > > 0000: 04 20 09 80 . .?>

    >
    >
    > The messages pretty much tell you what the problem is. You've set up an
    > authentication type which requires certificates. Either the certificates
    > have not been issued, or are stored in the wrong place, or do not refer back
    > to a valid root certificate. Brush up on how to issue certificates, where
    > to store them, how to make sure there's a valid certificate path or chain,
    > and whether or not a stand alone CA is adequate for what you are doing.
    >
    >
    >
    Patrick Sears [MSFT], Jul 22, 2004
    #3
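
The manual checks in post #3 (certificate present in the Local Computer Personal store, validity dates, a Subject containing a CN, Server Authentication in Enhanced Key Usage) and the chain concern raised in post #2 can be run in one pass. This is an added example, not code from any poster in the thread; the function name `Test-EapServerCert` is hypothetical, and it assumes PowerShell is available on the IAS server and is run from an elevated prompt.

```powershell
# Added example: applies the thread's certificate checks to every certificate
# in Cert:\LocalMachine\My (shown in the MMC as Local Computer \ Personal).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID displayed as "Server Authentication"

function Test-EapServerCert {
    param([Parameter(Mandatory = $true)] $Cert)

    $now = Get-Date

    # Collect the OIDs from the Enhanced Key Usage extension, if the cert has one.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Build the chain against the machine trust stores ($true = machine context).
    # Assumption: revocation checking is skipped because a stand-alone CA's CRL
    # may not be reachable from this host; remove that line to include it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        ValidFromOk  = $Cert.NotBefore -le $now          # "Valid from" earlier than today
        ValidToOk    = $Cert.NotAfter -ge $now           # "Valid to" later than today
        SubjectHasCN = $Cert.Subject -match '(^|,\s*)CN\s*=\s*\S'
        ServerAuth   = $ekuOids -contains $ServerAuthOid # EKU mentions Server Authentication
        ChainOk      = $chainOk                          # chains to a trusted root
        ChainErrors  = $chainErrors
    }
}

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    # Same conclusion as the post: the certificate is not in the right store.
    Write-Warning 'No certificates found in Local Computer \ Personal.'
} else {
    $certs | ForEach-Object { Test-EapServerCert -Cert $_ } | Format-List
}
```

A certificate with any `False` column fails one of the checks listed in post #3; a `ChainOk` of `False` with an untrusted-root status means the stand-alone CA's root is not trusted by this machine.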