
VPN using certificates - PLEASE HELP!


Ghenov Sergiu

Feb 5, 2003, 6:08:37 AM
Hello there!
I'm trying to make a VPN connection using L2TP.
Here's what I did: I installed in my domain a non-AD Certification Authority
(Stand Alone Root CA), published on my domain the Certification Authority
certificate on the Trusted Root Certificates Store, thus enabling the trust
with this CA.
Then I requested a Server Certificate, which I installed on my ISA Server
machine for authentication. After that, I exported the CA certificate and
copied it on a floppy disk. I installed that certificate on the Trusted Root
Certificates Store on my client machine (that is outside my organization),
enabling trust with my domain. Then I issued a client certificate, from the
same CA, made that key exportable and, specifying to use the local machine
store, I exported it on a floppy and installed it on my client machine. The
certificate appears valid and I can view it from the local machine, in
Personal -> Certificates.
Everything was OK, but when I try to establish a VPN connection, in the
Security Tab for that VPN Connection, at Data Encryption, if I select to use
EAP and to use a computer certificate that exists on the local machine, I
receive the following error: "Cannot load dialog. Error 798: A certificate
cannot be found that can be use with this Extensible Authentication
Protocol"

Can anyone give me a hint?

HELP ME PLEASE, I CAN'T FIND ANY INFORMATION ABOUT THIS MATTER!


Carl DaVault [MS]

Feb 6, 2003, 7:11:31 PM
EAP requires a certificate in the USER's personal store. L2TP requires a
certificate in the MACHINE's personal store.

Sounds like you're headed in the right direction, but the 798 is a sure
giveaway that the cert is not there or it's the wrong kind. EAP certs need a
"Client Authentication" usage on the client and a "Server Authentication"
usage on the IAS server. Oh, and since IAS is a service, it gets the
certificate from the MACHINE store, too.

RemoteAccess must be restarted on the server after adding certificates for
L2TP because it sets the IPSec policies at startup.

--
Carl DaVault (MS)
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ghenov Sergiu" <Serg...@xnet.ro> wrote in message
news:#ReXibQzCHA.1876@TK2MSFTNGP11...

Ghenov Sergiu

Feb 7, 2003, 2:59:01 AM
Thank you for writing me back.
I read what you wrote to me, but my major problem is that I did exactly what
you said: my certificates are COMPUTER certificates, for CLIENT and SERVER
authentication (each one is in the needed place: CLIENT certificate on the
client machine and SERVER certificate on the ISA Server machine).
That's why I'm so troubled, because I did exactly like I read on forums, on
my MOC course (2153) and it still does not work.
Then I searched on the net for that 798 error and, surprise: NOTHING ABOUT
IT!
That error appears to me next to configuring my client to use EAP with a
computer certificate. Then if I double click my connection, that message
appears and then nothing happens more.

But, still, the certificate is a computer one, because if I configure an MMC
with certificates selected -> computer certificates -> local machine, I can
view that certificate there.
Do you have another hint?
Help is really needed and appreciated!

Sergiu.
MCP, MCSA.

"Carl DaVault [MS]" <car...@spambegone.microsoft.com> wrote in message
news:eV$9q1jzCHA.1736@TK2MSFTNGP10...

Carl DaVault [MS]

Feb 7, 2003, 4:50:01 AM

Hmmm... I think you need an Enterprise Root CA for EAP-TLS. Standalone
should work for L2TP/IPSec. There is no connection or dependency between
EAP-TLS and L2TP/IPSec. An enterprise root CA should be integrated into the
AD automatically - it's really quite handy and easy to use then. When you
get your new CA set up:

On the VPN client:

You need a USER cert in the USER's personal store for EAP.
You need a USER cert in the MACHINE's personal store for L2TP/IPSec. Other
kinds of certificates work well, too.

So, the fundamental confusion usually arises here between TYPES of
certificates and WHERE you store them. You can put any kind of certificate
in any kind of store. You seem to have no usable certificates in the
Personal store of the currently logged on user. This is just like the
difference between HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.

There are lots of ways to import the cert into the user's store - one way is
to open MMC, add certificates snapin, choose to connect to the current
user's store (NOT the local machine store). Choose to import a certificate
and browse to the certificate. If you import a machine's certificate into
the user store, you will not get your desired results because the fields in
the certificate do not represent a user. Check the alt subject name on the
certificate - it should be something like myuser@mydomain and it should
match a user account.

Personally, I use either automatic certificate distribution through group
policy or web-based certificate enrollment. If you are a domain member, you
can request a certificate thru the certificate's MMC. EAP-TLS is designed to
work in a domain context, using the User Principal Name (UPN) form of the
username, so requesting a certificate through the snapin is conceivably
something that users would be allowed to do from their domain-joined
machines.

The certificate will not be found under the following additional conditions:

Certificate is invalid due to time restrictions (expired, not yet valid).
Certificate fails to have a trusted root (cert is untrusted - you need the
root certificates to validate the cert chain).

--
Carl DaVault (MS)
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ghenov Sergiu" <Serg...@xnet.ro> wrote in message
news:O3Ht66nzCHA.2288@TK2MSFTNGP09...

Ghenov Sergiu

Feb 7, 2003, 7:48:39 AM
Thank you again for your immediate answer.
This was a great answer and partially solved my problem.
The situation was generated because I didn't have a user certificate in my
personal store.
But before uninstalling my Stand Alone Root CA, I tried it first and it did
work just great, not having to install an AD Certification Authority!
Now, when I select to use EAP, it works excellently, but unfortunately I can't
authenticate on the remote server.

Here's the error, and again, I ask for your kindness and your help. This
error is generated on the Remote Server, which is an ISA Server:

"The user myu...@mydomain.com connected from {IP Address} but failed an
authentication attempt due to the following reason: The user attempted to
use an unauthorized authentication method."

I can mention that in the security tab, at Routing and Remote Access
service, I enabled EAP authentication protocol, and my dial in permissions
are OK.
Could you help me once again? Thanks a lot!!!


"Carl DaVault [MS]" <car...@spambegone.microsoft.com> wrote in message
news:OnxT94ozCHA.2600@TK2MSFTNGP11...

Carl DaVault [MS]

Feb 7, 2003, 2:11:00 PM
In the remote access policies, you must add EAP-TLS as an acceptable EAP
type and make sure it is configured with a valid certificate.

The RAS service negotiates the PPP settings.
The IAS service verifies the PPP settings and continues along with the
authentication process.

Even if you are using Windows Authentication, IAS is still there doing the
authentication work - it just communicates directly with RRAS instead of
using the RADIUS protocol.

--
Carl DaVault (MS)
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ghenov Sergiu" <Serg...@xnet.ro> wrote in message
news:#JV0xcqzCHA.1576@TK2MSFTNGP12...

Ghenov Sergiu

Feb 11, 2003, 3:29:20 AM
Thank you again, like always.
One last question :)
What kind of certificates do I have to use on the RAS Server, because I
installed a computer certificate and a user certificate, and when I try to
select EAP as an authentication protocol on the RAS machine, I get the "A
certificate cannot be found that can be use with this Extensible
Authentication Protocol", just like the first situation, only now I am on
the RAS Server and not on the client.

Thank you again for your kindness.
PS: I read that VPN's made of L2TP cannot be used with the option "Log in
using dial up connection".
Is it true?

"Carl DaVault [MS]" <car...@spambegone.microsoft.com> wrote in message
news:uhxtcytzCHA.2648@TK2MSFTNGP11...

Carl DaVault [MS]

Feb 12, 2003, 1:56:03 PM
On the RAS server, you need a certificate in the machine store with "Server
Authentication" usage. Check your available templates for certificate with
this usage. I forget what was available by default - perhaps "web server"
and definitely "domain controller" templates.

Using Windows Authentication, it looks like RRAS, but it's actually IAS that
needs the certificate in the machine store - there is no real "user" for the
server side so the machine store is used.

Yeah, there is common confusion about this.

L2TP can deal with a "client authentication" usage. The certs go in the
machine store.
EAP clients need a "client authentication" usage. The certs go in the user's
personal store.
EAP servers need a "server authentication" usage. The certs go in the
machine store since IAS is a service and doesn't really have an associated
"user".

You can build a cert just about any way you want, but the usual way is by
using templates. Each template has different "usages" and other properties,
so the key to getting the right cert is to request it using a compatible
template then store it in the proper store.

--
Carl DaVault (MS)
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ghenov Sergiu" <Serg...@xnet.ro> wrote in message
news:O$Qmfea0CHA.2904@TK2MSFTNGP09...
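The requirements Carl lays out across the thread (right store per role, "Client Authentication" vs "Server Authentication" usage, validity period, trusted chain, UPN in the alt subject name) can be audited in one pass. The script below is an added example, not code from the thread; it assumes a current Windows host with the Cert: provider, uses the standard EKU OIDs, and relies on Windows' text formatting of the SAN extension for the UPN check. Test-EapCertificate is a hypothetical helper name.

```powershell
# Added example: audit the user and machine Personal stores for certs usable by
# EAP-TLS clients, EAP-TLS servers (IAS/RRAS) and L2TP/IPSec, per the thread.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication

function Test-EapCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$RequiredEkuOid,
        [switch]$ExpectUpn   # EAP-TLS user certs should carry a UPN in the SAN
    )
    $now = Get-Date
    $problems = @()
    # Time restrictions: expired or not-yet-valid certs are never offered for EAP.
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }
    # Without the private key the cert cannot authenticate anything.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    # Enhanced Key Usage must include the usage this role needs.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $RequiredEkuOid) { $problems += "missing EKU $RequiredEkuOid" }
    # Chain trust: the issuing CA's root must sit in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'untrusted chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',') }
    # Subject Alternative Name (OID 2.5.29.17) should hold a UPN such as user@domain.
    if ($ExpectUpn) {
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san -or $san.Format($false) -notmatch 'Principal Name=') { $problems += 'no UPN in SAN' }
    }
    [pscustomobject]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
                       Problems = ($problems -join '; '); Usable = ($problems.Count -eq 0) }
}

# Store and usage each role reads, as described in the thread.
$roles = @(
    @{ Role = 'EAP-TLS client (user store)'; Path = 'Cert:\CurrentUser\My';  Eku = $ClientAuthOid; Upn = $true  },
    @{ Role = 'L2TP/IPSec machine cert';     Path = 'Cert:\LocalMachine\My'; Eku = $ClientAuthOid; Upn = $false },
    @{ Role = 'EAP-TLS server (IAS/RRAS)';   Path = 'Cert:\LocalMachine\My'; Eku = $ServerAuthOid; Upn = $false }
)
foreach ($r in $roles) {
    Write-Host "== $($r.Role) in $($r.Path)"
    $results = @(Get-ChildItem $r.Path | ForEach-Object {
        Test-EapCertificate -Cert $_ -RequiredEkuOid $r.Eku -ExpectUpn:$r.Upn })
    $results | Format-Table Subject, Usable, Problems -AutoSize
    if (-not ($results | Where-Object { $_.Usable })) { Write-Host '  no usable cert: expect error 798 for this role' }
}
```

Run it once as the VPN user on the client and once (elevated) on the RAS/IAS server; a role with no Usable row is the one that will produce the "certificate cannot be found" dialog.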
