> Here is the scenario. 2003 AD environment, IAS and CA are set up on the
> same 2000 SP4 member server. I generated the Certificate and Installed
> it on the server. I see the Certificate in the Issued Certificates
> folder. When I create a policy in IAS I get the following error
> message when I try to configure PEAP under the Authentication tab and
> click on the configure button I get the following error message: a
> certificate could not be found that can be used with extensible
> authentication protocol. Any help would be appreciated. I have gone
> through the posts and I see the error message but no resolution other
> than have you followed the steps. Thanks.
>
> James
>
>
>
Hi James --
There is a problem with the way the certificate was configured in
Certificate Templates so that it does not meet the minimum certificate
requirements for a Server Authentication cert.
If IAS cannot find a certificate that meets the minimum certificate
requirements, it does not allow you to select a misconfigured cert. If
there is one properly configured cert on the computer that IAS can use for
server authentication, IAS selects that cert automatically. If there is
more than one properly configured cert, IAS allows you to choose between
the properly configured certs.
Please reconfigure your certificate by following the minimum certificate
requirements described in the IAS Help topic "Network access authentication
and certificates." This topic is also on the Web at:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks.
James Barry
Hi James --
Yes, when you have a compatible cert installed you should be able to click
the configure button and access additional UI.
I had the same problem. I kept sending cert requests through my local
CA server here, and kept getting "a certificate could not be found
that can be used with extensible authentication protocol" under PEAP
in IAS.
The request that did the trick was to have the web server (IIS) that
was running on the IAS machine request a certificate for use for SSL.
When I brought the key into IIS from the CertServer, it recognized it
as an SSL server authorization certificate, and placed it in the same
store that IAS could use. (don't know if this matters: the requesting
name was the FQDN for the server.)
My env:
IAS on W2k Svr
no 2003 anywhere
MS Cert Server as enterprise CA
Now if I can just figure out why it won't authenticate the client.
(WPA with RADIUS)
Hope this helps.
-John
"YonThaYuggler"
"James McIllece [MS]" <jame...@online.microsoft.com> wrote in message news:<Xns95408C3EFCD9Fja...@207.46.248.16>...
Hi John --
Is your IAS server registered in AD? If not, see the Help topic "To enable
the IAS server to read user accounts in Active Directory"
Regarding:
> Is your IAS server registered in AD? If not, see the Help topic "To enable
> the IAS server to read user accounts in Active Directory"
I believe that it is registered. In the IAS MMC, I have right clicked
and chosen "Register service in Active Directory", and it appears that
IAS can read AD OK, as it correctly resolves the
Fully-Qualified-User-Name from my login ID.
The error I am getting (IAS_AUTH_FAILURE) in the System Event log is
indicated here:
<event log snippet begin>
NAS-Port-Type = 19
NAS-Port = 54
Policy-Name = 802.11 wireless
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown
user name or a bad password.
<event log snippet end>
Not using any realm replacements, and I do have reversible encryption
enabled for passwords in GP, and have changed my password to update
the store with the reversible version.
> James (McIllece),
Another IAS team member read through your posts and says that your cert is
in the wrong location -- so you need to open the certificates MMC, export
the cert, then import the cert into the Local Computer cert store. (It is
probably in the Current User cert store.)
That should solve the problem. If not, let me know.
Thanks in advance for your assistance, as well as that which you have
already provided.
The certificate appears to be in the Local Computer store for the RADIUS
server.
Of the 10 stores in each of Local Computer and Current User in the
Certificates MMC:
+ Personal
+ Trusted Root Certification Authorities
+ Enterprise Trust
+ Intermediate Certification Authorities
+ Trusted Publishers
+ Untrusted Certificates
+ Third-party Root Certification Authorities
+ Trusted People
+ Certificate Enrollment Requests
+ SPC
The only location of the certificate that will allow me to configure PEAP
under IAS is Personal under local computer. (I have moved the certificate
into every store via drag/drop in the Certificates MMC, experimenting with
this.)
I have placed the certificate, as well as my own root CA cert, both in
base64 form on my FTP server: "www dot gswc dot us" if you would like to
take a look at them. GSW-CA is a trusted root authority.
It appears that the client accepts the certificate OK. I just get an
IAS_AUTH_FAILED when the user tries to authenticate.
Is this IAS_AUTH_FAILED a red herring?
Molto obbligato!
--John
praetori...@yahoo.com
"James McIllece [MS]" <jame...@online.microsoft.com> wrote in message
news:Xns95439BE321DD2ja...@207.46.248.16...
Dragging and dropping a cert using the Certificates MMC won't do the trick
-- if you move the cert you must export it and then import it into the
store.
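
One way to check the two points raised in this thread (a Server Authentication purpose on the cert, and its presence in Personal under Local Computer rather than Current User), as an added example that is not from any poster or from Microsoft. It assumes a Windows server where PowerShell and .NET are available (Windows 2000 does not offer PowerShell); the function names, the `PassesChecks` column, and the private-key and validity-date checks are this example's own, and the full requirement list is in the Help topic cited earlier.

```powershell
# Added example: report, for each cert in the two Personal ("My") stores,
# whether it carries the Server Authentication purpose and sits in Local Computer.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Test-ServerAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasServerAuth = ($ekuOids -contains $serverAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey   # assumption: a server cert needs its key
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
    }
}

function Get-PersonalStoreReport {
    param([System.Security.Cryptography.X509Certificates.StoreLocation]$Location)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $r = Test-ServerAuthCert -Cert $cert
            $r | Add-Member NoteProperty Store "$Location\My"
            # Only a cert in Local Computer\Personal that passes every check counts.
            $ok = ($Location -eq 'LocalMachine' -and $r.HasServerAuth -and
                   $r.HasPrivateKey -and $r.InValidity)
            $r | Add-Member NoteProperty PassesChecks $ok
            $r
        }
    } finally { $store.Close() }
}

'LocalMachine', 'CurrentUser' |
    ForEach-Object { Get-PersonalStoreReport -Location $_ } |
    Format-Table Store, Subject, HasServerAuth, HasPrivateKey, InValidity, PassesChecks -AutoSize
```

A cert that shows up only under `CurrentUser\My`, or under `LocalMachine\My` with `HasServerAuth` false, matches the two failure causes described in the replies above.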
"Yon Tha Yuggler" <praetori...@yahoo.com> wrote in
news:VJudnTL68I1...@giganews.com:
I'll try exporting the cert now....
Bst Rgds,
Peter.
"Peter K" <peter.klo...@unisa.edu.au> wrote in message
news:014301c48be6$6105de50$7d02...@phx.gbl...