By: astronomer

astronomer — Fri, 25 May 2007 11:43:33 +0000

After three and a half hours with microsoft support, here is the answer:
Go to the web site on the certificate server with the browser of the IAS server, click request certificate, click advanced certificate request, click create and submit a request for this ca. On the next page under certificate template: select “web server”. Type in something for identifying information. In the “key options” section click the check box for “store certificate in the local computer certificate store”. Click submit and then install the certificate.
Once the certificate is installed, restart the IAS service and it will see the new certificate.
After doing this, I was able to use the certificate based SSID without errors.
rt

By: astronomer

astronomer — Tue, 22 May 2007 19:34:43 +0000

I used mmc to request another certificate. Now I have two certificates listed for authentication. Still have the same error in IAS.
I’m starting to think I may have to use the same method that worked in my lab tests. In the lab, IAS had this problem and I tried removing and re-installing this service. It didn’t help.
Finally, I blew the DC, (and the domain), away. After installing the OS from scratch, I created the domain, installed IIS, installed CA, then installed IAS.
At this point it worked. I believe the issue is IAS was installed before the certificate server and knew nothing about certificates. When the certificate server was installed later, IAS didn’t know how to bind to it. When I installed IAS after the certificate server, It seamlessly incorporated the certificate which was already there.
The problem with this method is we already have IAS installed on our main domain controllers so pix VPNs can be authenticated.
I really don’t want to rebuild my domain controllers so if anyone knows how to get IAS to see the certificate, I would appreciate hearing about it.

Comments on: eap-tls failing with domain certificates and 1200 APs

By: astronomer

By: astronomer