
IAS VPN EAP-TLS problem


Mark Ciccarello

Dec 19, 2003, 1:02:14 PM
I'm trying to get L2TP/IPSEC VPN to work with EAP-TLS
client authentication. The VPN works fine with CHAP2
authentication.

Setup:

Client - XP
VPN - RAS on W2K3
Authentication - IAS on W2K3

[all patched and up to date; but these are NOT domain machines]

I have a valid X.509 certificate on the server. It is 3rd party;
the key was made with the SChannel CSP and the server
certificate has the Server Auth EKU.

When I construct a remote access policy on IAS, the only
two authentication methods that appear are MD5 and PEAP.
There is no indication regarding EAP-TLS.

If I try to make an EAP-TLS based connection from the
client; then RAS tracing on the IAS indicates that no
server name could be found on the certificate during EAP
setup.

Any ideas ?
Thanks,
Mark Ciccarello

Ashwin Palekar(MS)

Dec 20, 2003, 6:47:42 PM
Is the IAS server a member of a domain? The EAP-TLS option is available only if
IAS is a member of a domain.

--
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================


Mark Ciccarello

Dec 21, 2003, 10:28:46 AM
The IAS server was not a domain member at first.

I put it into a domain and the EAP-TLS option showed
up in the Remote Access Policy. So far so good.

But certificate/smart card client still cannot connect.
The client side error is 0x8009030C.

The IAS error in the RASTLS tracing file is:
------------------------------------------
[2108] 10:16:23:086: AuthenticateUser
[2108] 10:16:23:086: FGetEKUUsage
[2108] 10:16:23:086: FCheckPolicy
[2108] 10:16:23:096: CertVerifyCertificateChainPolicy succeeded but policy check failed 0x800b0112.
[2108] 10:16:23:096: FCheckPolicy done.
[2108] 10:16:23:096: The user's cert does not have correct usage.
[2108] 10:16:23:096: MakeAlert(49, Manual)
[2108] 10:16:23:096: State change to SentFinished. Error: 0x800b0112
[2108] 10:16:23:096: BuildPacket
[2108] 10:16:23:096: << Sending Request (Code: 1) packet: Id: 6, Length: 17, Type: 13, TLS blob length: 7. Flags: L
[1960] 10:16:23:096:
[1960] 10:16:23:106: EapTlsMakeMessage(labnet\mark)
[1960] 10:16:23:106: >> Received Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1960] 10:16:23:106: EapTlsSMakeMessage
[1960] 10:16:23:106: Negotiation unsuccessful
[1960] 10:16:23:106: BuildPacket
[1960] 10:16:23:106: << Sending Failure (Code: 4) packet: Id: 6, Length: 4, Type: 0, TLS blob length: 0. Flags:
[1960] 10:16:23:106: AuthResultCode = (-2146762478), bCode = (4)

-----------------------------------

The error in the IASSAM tracing is:

[2108] 12-21 10:16:23:096: Issuing Access-Challenge.
[1960] 12-21 10:16:23:096: NT-SAM EAP handler received request.
[1960] 12-21 10:16:23:096: Successfully retrieved session state for user LABNET\mark.
[1960] 12-21 10:16:23:106: Processing output from EAP DLL.
[1960] 12-21 10:16:23:106: Inserting outbound EAP-Message of length 4.
[1960] 12-21 10:16:23:106: EAP authentication failed: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

-----------------------------------------------------

Is this an error in the client side certs or a problem
on the server side?

This is a 3rd party CA; it is only one deep; the CA
signs the client and server certs directly.

I suspect it may not be registered correctly in the
domain.

The CA cert is correctly installed in the trusted
root certification authorities.

However, certutil -dcInfo indicates that there are
no CA certs in the Ent Root Store.

What is meant by the "policy provider". How do I get
it to trust the CA cert ?


Ashwin Palekar(MS)

Dec 21, 2003, 12:25:49 PM
To verify if the cert is trusted --> Using MMC certificate snap-in, view the
client cert on the RADIUS server; and the RADIUS server cert on the client.
MMC will show if the cert is trusted on the machine.

The policy failure may occur due to the following --> In addition to verifying
trust in the certificate, IAS verifies that the account in AD refers to the
corresponding certificate. In other words, the cert must be mapped to an
account in AD. You can map all certificates issued by the 3rd party CA to one
account or to individual accounts in AD. The latter method is preferred. Refer
to Windows 2003 IAS online help for details on how to configure IAS to use
account mapping.


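The mapping step Ashwin describes, as an added example that is not part of the original thread or of any Microsoft tooling: it builds the altSecurityIdentities value for a user from a third-party client certificate and writes it with Set-ADUser. It goes beyond the 2003-era "Name Mappings" dialog, which writes the issuer+subject form, by also producing the issuer+serial form that current Windows (KB5014754) treats as a strong mapping. The certificate path, the account name and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread: build the altSecurityIdentities value that
# maps a third-party client certificate to an AD user, and apply it.
# Assumptions (hypothetical): the RSAT ActiveDirectory module is installed, the
# user's certificate was exported to .\mark.cer, and the account is "mark".
param(
    [string]$CertPath       = '.\mark.cer',
    [string]$SamAccountName = 'mark'
)

Import-Module ActiveDirectory

# altSecurityIdentities wants the DN with RDNs in reverse order and no spaces
# after the commas: "CN=mark, OU=Our OU, O=Our O, C=US" -> "C=US,O=Our O,OU=Our OU,CN=mark".
function ConvertTo-MappingDN([string]$Dn) {
    # Split only on commas that start a new "attr=" RDN, so a comma inside a
    # quoted value such as CN="Smith, John" is left alone.
    $rdns = @($Dn -split ',\s*(?=[A-Za-z][A-Za-z0-9.]*=)' | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$issuer  = ConvertTo-MappingDN $cert.Issuer
$subject = ConvertTo-MappingDN $cert.Subject

# One-to-one mapping by issuer + subject: this is what the 2003-era
# "Name Mappings" dialog in AD Users and Computers writes.
$subjectMapping = "X509:<I>$issuer<S>$subject"

# Issuer + serial number: the form current Windows (KB5014754) treats as a
# strong mapping. The serial goes in reversed byte order; GetSerialNumber()
# already returns little-endian bytes, whereas $cert.SerialNumber is the
# display order you see in certutil output.
$reversedSerial = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('x2') }) -join ''
$serialMapping  = "X509:<I>$issuer<SR>$reversedSerial"

"Issuer/subject mapping : $subjectMapping"
"Issuer/serial mapping  : $serialMapping"

# Write the mapping onto the account (-Add keeps any existing values).
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $serialMapping }

# Read it back to confirm.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```

For the certificate shown later in this thread (issuer CN=Our CA, OU=Our OU, O=Our O, C=US; serial 15cdae52bf2b8c3c) the issuer part comes out as `C=US,O=Our O,OU=Our OU,CN=Our CA` and the `<SR>` field as `3c8c2bbf52aecd15`. Two cautions: a many-to-one mapping (every cert from the CA to one account) means anyone the third-party CA issues a client-auth certificate to can authenticate as that account, so one-to-one is the safer choice as Ashwin says; and on current domain controllers the `<I><S>` form is a weak mapping that will be refused once KB5014754 enforcement is in effect, so use the serial form there.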

Mark Ciccarello

Dec 21, 2003, 2:14:55 PM

Regarding Point A)

Certs are trusted - verified.

Regarding Point B)

User cert was not previously mapped. I successfully
did a one-to-one mapping in AD.

No change in result. Fails with the same errors.

I also tried a many to one mapping.

No change in result. Fails with the same errors.

Any further suggestions would be much appreciated.

To summarize.
The client cert was made with Microsoft SChannel CSP.
Has EKU client auth.

Is there an issue regarding registration of the CA
certificate with AD ?

Thanks,
Mark C.



Ashwin Palekar(MS)

Dec 21, 2003, 2:39:24 PM
Mark,

The error message says "The user's cert does not have correct usage." which
could mean the right contents (Client authentication EKU et al).

Does the client cert meet ALL the requirements mentioned in the W2k3 IAS
online help for certificate requirements? Does it have any extra EKUs like the
Smartcard Logon EKU?


Regards,

Ashwin



Mark Ciccarello

Dec 21, 2003, 4:27:34 PM
Ashwin -

Attached are the results of running certutil -verify
against the user cert in question. The lack of
revocation capability may be the issue here.

[the names have been changed in the output]

Mark
--------------------------------------------------------
Issuer:
    CN=Our CA
    OU=Our OU
    O=Our O
    C=US
Subject:
    CN=mark
    OU=Our OU
    O=Our O
    C=US
Cert Serial Number: 15cdae52bf2b8c3c

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
  Issuer: CN=Our CA, OU=Our OU, O=Our O, C=US
  Subject: CN=mark, OU=Our OU, O=Our O, C=US
  Serial: 15cdae52bf2b8c3c
  8b de 96 88 c8 b0 8f ee 6d 8b 74 ab 55 d8 a5 62 03 5d 38 ee
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Our CA, OU=Our OU, O=Our O, C=US
  Subject: CN=Our CA, OU=Our OU, O=Our O, C=US
  Serial: 373cee6665cb0827
  b0 74 51 dd 26 ef a7 f9 b9 38 56 90 a2 61 e9 61 9f 3e 83 8e
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  8b de 96 88 c8 b0 8f ee 6d 8b 74 ab 55 d8 a5 62 03 5d 38 ee
Full chain:
  70 47 e3 43 80 8e 5e fc 53 aa b0 e4 49 9a db 3e 53 ad 42 f4
Issuer: CN=Our CA, OU=Our OU, O=Our O, C=US
Subject: CN=mark, OU=Our OU, O=Our O, C=US
Serial: 15cdae52bf2b8c3c
8b de 96 88 c8 b0 8f ee 6d 8b 74 ab 55 d8 a5 62 03 5d 38 ee
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

-----------------------------------------


Thomas Kuborn

Dec 22, 2003, 3:13:06 AM
Hey Ashwin

Are you sure about the part that says that IAS verifies if the client
certificate is published in AD? I thought IAS verified if the user account
existed in AD.
Seems weird to me because:
- only some certificate templates are published in AD (user template)
automatically; the authenticated session user template does publish certs in
AD
- this would hinder scalability if you use a certificate template that does
not publish certs in AD

- Thomas -


Mark Ciccarello

Dec 22, 2003, 8:28:59 AM
Thomas -

I think the statement was that the certificate needs to
be mapped to an account. Whether the certificate is
published in AD is another matter, no ?

Mark


Thomas Kuborn

Dec 22, 2003, 9:12:48 AM
Hi Mark,

Well, I would have thought the 2 would have come together, no?
I mean, if a user account is mapped to a certificate, that must mean the
certificate has been published in AD under that user's account, right?
I don't see any other place than AD where the mapping could be done ... or
am I wrong? Please explain!

- Thomas -


Mark Ciccarello

Dec 22, 2003, 10:15:30 AM
Thomas -

The issue here was that I have in the lab a third party
CA that was not connected to AD. I am having a problem
getting an EAP-TLS based VPN to work. The problem
revolves around policy checking of the client cert by IAS.

Ashwin suggested I make sure that the client cert was
mapped to an account in the domain. It was not; I did the
mapping by means of the Name Mapping action on the user
account in question.

But publishing a cert for the same user account involved
another different action. In other words, even after I
had mapped the cert, the user account did not reflect any
published certs.

Mark


Thomas Kuborn

Dec 22, 2003, 6:50:06 PM
I should have read the post more carefully

sorry !!



Mark Ciccarello

Dec 28, 2003, 1:11:26 PM
Ashwin -

I finally discovered that the problem did not center on
CRLs. IAS CRL checking can be turned off by means of
registry settings.

Instead, the problem was that the certificate of the
3rd party root was not in the Enterprise certificate
store NTAuth. This is a requirement for smart card login.
[It can be conveniently addressed with
certutil -addstore -enterprise NTAuth <cert>]

I can't find a proper reference in IAS documentation;
but, it is clearly a requirement.

Mark C.


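The fix Mark describes, as an added example that is not part of the original thread: it checks whether a third-party root CA is already in the enterprise NTAuth store, publishes it with the same certutil command he used if it is not, and refreshes the local copy so the check can be repeated on the IAS host. The 0x800b0112 in his RASTLS trace is CERT_E_UNTRUSTEDCA, the status the NT_AUTH chain policy returns when the issuing CA is absent from NTAuth, which is why the IASSAM text reads "not trusted by the policy provider". The certificate file name is an assumption, and the script assumes a current domain-joined Windows host (certutil -pulse did not exist in 2003) run with Enterprise Admin rights.

```powershell
# Added example, not from the thread: check whether a third-party root CA is in
# the enterprise NTAuth store (the cause of the thread's 0x800b0112 failure),
# publish it if missing, and pull the change down to the local machine.
# Assumptions (hypothetical): the CA certificate is in .\OurCA.cer, this runs
# on a current domain-joined Windows host as a member of Enterprise Admins,
# and certutil.exe is on the path.
param([string]$CaCertPath = '.\OurCA.cer')

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# "certutil -store -enterprise NTAuth" lists this machine's cached copy of
# CN=NTAuthCertificates,CN=Public Key Services,CN=Services,<Configuration NC>.
# Older certutil prints the SHA-1 as "8b de 96 ..." and newer as one hex run,
# so strip whitespace before matching the thumbprint (-match is case-insensitive).
function Test-InNTAuth([string]$Thumbprint) {
    $listing = (certutil -store -enterprise NTAuth 2>&1 | Out-String) -replace '\s', ''
    return [bool]($listing -match [regex]::Escape($Thumbprint))
}

if (Test-InNTAuth $ca.Thumbprint) {
    "Already in NTAuth: $($ca.Subject) [$($ca.Thumbprint)]"
    return
}

# Publish to the forest-wide NTAuth object. This is a directory write, so it
# needs Enterprise Admin rights and replicates to every DC in the forest.
certutil -addstore -enterprise NTAuth $CaCertPath
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore -enterprise NTAuth failed ($LASTEXITCODE)" }

# Domain members copy NTAuth from AD into
# HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates during
# autoenrollment; trigger that now instead of waiting for the next refresh.
certutil -pulse | Out-Null

if (-not (Test-InNTAuth $ca.Thumbprint)) {
    throw "NTAuth was updated in AD but the local cache does not show $($ca.Thumbprint) yet"
}
"Published to NTAuth: $($ca.Subject) [$($ca.Thumbprint)]"
```

Run it on the IAS/NPS server itself, since that is the host whose NTAuth cache the EAP-TLS policy check consults. Treat the write as a trust decision rather than a configuration tweak: every certificate with the Client Authentication EKU that this CA ever issues becomes a candidate for Windows logon, subject only to the account mapping. For the same reason, leave revocation checking on rather than using the RasMan EAP registry switches Mark mentions; the certutil -verify output earlier in the thread already shows CERT_TRUST_REVOCATION_STATUS_UNKNOWN for this CA, so fix the CRL distribution point instead.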
