Thursday, September 10, 2009

new link

http://www.4shared.com/file/131737702/c755bd7c/sysvol_create.html

Script to recreate SYSVOL

********************************************************************************

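' Recreates the SYSVOL FRS replica set on this domain controller.
'
' Outline: stop NTFRS; for every replica set registered under
' NtFrs\Parameters\Replica Sets whose name is "DOMAIN SYSTEM VOLUME
' (SYSVOL SHARE)" and that is not yet tombstoned, delete its nTFRSMember /
' nTFRSSubscriber objects from AD (DelADobj, defined later in this file),
' restart NTFRS so it tombstones the local set, stop it again; then write
' the "Create" command values under NtFrs\Parameters\SysVol and start NTFRS.
'
' NOTE(review): "Replica Set Primary" = 1 makes this DC the authoritative
' source for the recreated set, and DelADobj removes objects from AD, so
' this should only run on the DC whose SYSVOL content is known good, under
' an account allowed to delete those objects. "On Error Resume Next" is in
' force for the whole script: failures are only echoed where checked and
' never abort the run, so read the output rather than the exit code.
Const HKEY_LOCAL_MACHINE = &H80000002
On Error Resume Next

Set objWMINameSpace = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/CIMV2")
Set WSHShell = CreateObject("WScript.Shell")

WScript.Echo "Stopping the File Replication Service"
StopFrs

' Enumerate the replica sets NTFRS has registered on this server.
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/default:StdRegProv")
Set objMethod = objRegistry.Methods_("ENUMKEY")
Set objInParam = objMethod.inParameters.SpawnInstance_()
objInParam.hDefKey = HKEY_LOCAL_MACHINE
objInParam.sSubKeyName = "SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets"
Set objOutParam = objRegistry.ExecMethod_("ENUMKEY", objInParam)
Set objSubKeys = objOutParam.Properties_("sNames")

strReplicaSetsKey = "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\"
For i = 0 To UBound(objSubKeys)
    ' Default to "tombstoned" so that a RegRead failure (swallowed by
    ' On Error Resume Next) leaves the set untouched rather than deleting it.
    intTomb = 1
    strSetName = ""
    intTomb = WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Tombstoned")
    strSetName = WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Name")
    If intTomb = 0 And strSetName = "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Then
        ' The subkey name is what DelADobj uses as the AD object GUID.
        DelADobj objSubKeys.Value(i)
        ' NTFRS tombstones the local set itself once it starts and finds its
        ' AD member object gone; poll for that (about 15 minutes at most:
        ' sleeps of j * 500 ms for j = 1..60).
        StartFrs
        For j = 1 To 60
            If WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Tombstoned") = 1 Then Exit For
            WScript.Sleep j * 500
        Next
        StopFrs
    End If
Next

Set ADInfo = CreateObject("AdSystemInfo")
strDNSDomain = ADInfo.DomainDNSName
' Netlogon's Sysvol value ends in "\sysvol" (7 characters); stripping it
' yields the FRS root that "\domain" and "\staging\domain" hang off.
strSysvol = WSHShell.RegRead("HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\Sysvol")
strSysvol = Left(strSysvol, Len(strSysvol) - 7)
strSysvolRoot = strSysvol & "\domain"
strSysvolStage = strSysvol & "\staging\domain"
intPrimary = 1   ' this DC becomes the authoritative member of the new set

' NTFRS reads these values on start-up and creates the set from them.
strSysvolKey = "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Command", "Create", "REG_SZ"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Name", strDNSDomain, "REG_SZ"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Type", "Domain", "REG_SZ"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Primary", intPrimary, "REG_DWORD"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Root", strSysvolRoot, "REG_SZ"
WSHShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Stage", strSysvolStage, "REG_SZ"

WSHShell.RegWrite strSysvolKey & "SysVol Information is Committed", 1, "REG_DWORD"

WScript.Echo "Starting FRS service"
StartFrs
WScript.Echo "Script has completed"

' Stops NTFRS when it is running and waits until Win32_Service.State reports
' "stopped". The original polled .Status here instead, which is "OK" for a
' healthy service in any state, so that wait ended at once and the script
' went on before the service had actually stopped.
Sub StopFrs()
    Dim srvcInstance, srvcOutParam
    Set srvcInstance = objWMINameSpace.Get("Win32_Service='NTFRS'")
    If LCase(srvcInstance.State) = "running" Then
        Set srvcOutParam = srvcInstance.ExecMethod_("stopservice")
        If srvcOutParam.ReturnValue <> 0 Then WScript.Echo "The NTFRS service failed to stop with a return value of: " & srvcOutParam.ReturnValue
    End If
    WaitForFrsState "stopped"
End Sub

' Starts NTFRS when it is stopped and waits until State reports "running".
Sub StartFrs()
    Dim srvcInstance, srvcOutParam
    Set srvcInstance = objWMINameSpace.Get("Win32_Service='NTFRS'")
    If LCase(srvcInstance.State) = "stopped" Then
        Set srvcOutParam = srvcInstance.ExecMethod_("startservice")
        If srvcOutParam.ReturnValue <> 0 Then WScript.Echo "The NTFRS service failed to start with a return value of: " & srvcOutParam.ReturnValue
    End If
    WaitForFrsState "running"
End Sub

' Polls NTFRS until LCase(State) equals strWanted, sleeping k * 100 ms
' between polls (150 polls, roughly 19 minutes worst case). Gives up
' silently, as the original loops did; later steps surface the outcome.
Sub WaitForFrsState(strWanted)
    Dim k, srvc
    For k = 1 To 150
        Set srvc = objWMINameSpace.Get("Win32_Service='NTFRS'")
        If LCase(srvc.State) = strWanted Then Exit For
        WScript.Sleep k * 100
    Next
End Sub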

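' Deletes the FRS AD objects for one replica set so that NTFRS tombstones it.
'
' strGUID  - subkey name from NtFrs\Parameters\Replica Sets, used as the
'            object GUID of this server's nTFRSMember object.
'
' Binds the member by GUID, re-binds it by distinguishedName (kept from the
' original), deletes the nTFRSSubscriber that fRSMemberReferenceBL points
' to, then deletes the member itself. Relies on the script-level
' "On Error Resume Next": each step is checked via Err.Number and a failure
' is echoed and skipped, never raised to the caller.
'
' NOTE(review): the published listing shows the first bind as
' "LDAP://LOCALHOST/" with nothing after it, which cannot yield the member
' object, while the failure message below reports a GUID bind; the
' "<GUID=...>" clause has been restored here on that basis. Confirm against
' the script's original source before relying on it.
Sub DelADobj(strGUID)
    If Err.Number <> 0 Then Err.Clear
    Set objADRepSet = GetObject("LDAP://LOCALHOST/<GUID=" & strGUID & ">")
    If Err.Number <> 0 Then
        WScript.Echo "Could not bind to GUID=" & Left(strGUID, 23) & "-" & Right(strGUID, 12)
        WScript.Echo "Failed with error: " & Err.Number
        WScript.Echo "Not deleting any AD Objects"
        Err.Clear
        Exit Sub
    End If
    strMemberDN = objADRepSet.distinguishedName
    Set objADRepSet = GetObject("LDAP://LOCALHOST/" & strMemberDN)
    If Err.Number <> 0 Then
        WScript.Echo "Could not bind to nTFRSMember object with DN= " & strMemberDN
        WScript.Echo "Failed with error: " & Err.Number
        WScript.Echo "Not deleting any AD Objects"
        Err.Clear
        Exit Sub
    End If
    strSubscriberDN = objADRepSet.fRSMemberReferenceBL
    If strSubscriberDN <> "" Then
        Set objADSubscriber = GetObject("LDAP://LOCALHOST/" & strSubscriberDN)
        If Err.Number = 0 Then
            objADSubscriber.DeleteObject 0
        Else
            ' Report the DN that was attempted; the original read
            ' distinguishedName off an object that had just failed to bind.
            WScript.Echo "Could not bind to nTFRSSubscriber object with DN= " & strSubscriberDN
            WScript.Echo "Failed with error: " & Err.Number
            WScript.Echo "Not deleting nTFRSSubscriber object from AD"
            Err.Clear
        End If
    Else
        WScript.Echo "No member reference to nTFRSSubscriber object"
    End If
    ' Catches a failed DeleteObject on the subscriber.
    If Err.Number <> 0 Then
        WScript.Echo "Failed to delete nTFRSSubscriber object with error: " & Err.Number
        Err.Clear
    End If
    objADRepSet.DeleteObject 0
    If Err.Number <> 0 Then
        WScript.Echo "Failed to delete nTFRSMember object with error: " & Err.Number
        Err.Clear
    End If
End Sub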


********************************************************************************

Wednesday, June 3, 2009

IAS event ID 2 (A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider)

Client connection to the network using an 802.1X implementation fails with IAS event ID 2 (authentication EAP-Type = Smart Card or other certificate)


We have a Windows Server 2003 machine acting as the IAS server.
We have deployed an 802.1X implementation for clients.
The authentication method is EAP (using certificates).
When a client is plugged into the switch on a specific port, access to the network is denied, and on the IAS server we get the following event.

************************************************************
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2009
Time: 11:15:02 AM
User: N/A
Computer: xxx-xxx
Description:
User host/xxxx.example.com was denied access.
Fully-Qualified-User-Name = Domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Called-Station-Identifier = 00-17-5A-6A-7E-94
Calling-Station-Identifier = 00-11-43-4D-03-9E
Client-Friendly-Name = xx-xx-xx
Client-IP-Address = 10.1.25.78
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...€
*******************************************************************

Since the event mentions the trusted root certificate, we checked the root CA certificate in the trusted root store of both the client and the IAS server.
The root CA certificate was present in both locations.
We took the serial number and thumbprint of the certificate and compared them with the actual root CA certificate, and found that they were the same.

I checked the resultant set of policy (Start > Run > rsop.msc) and found that the auto-enrollment policy for certificates was disabled.
We checked the following registry path on the IAS server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

It was empty, with no certificates.
We checked the client and found the root CA certificate present in the same location, because the “auto enrollment” policy was enabled for clients.
We found a KB http://support.microsoft.com/kb/295663/
We followed Method 2 from the KB:

Method 2: Import a certificate by using Certutil.exe
________________________________________________________

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack. To download this tools pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

(http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en)

To import a CA certificate into the Enterprise NTAuth store, follow these steps:
1. Export the certificate of the CA to a .cer file. The following file formats are supported:

o DER encoded binary X.509 (.cer)
o Base-64 encoded X.509 (.cer)

2. At a command prompt, type the following command, and then press ENTER:

certutil -dspublish -f filename NTAuthCA

The contents of the NTAuth store are cached in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer


After this we were able to see the certificate populated in the NTAuthCA registry location.
However, the other stores were still empty.
Hence we enabled “auto enrollment” on the IAS server using Group Policy and then ran gpupdate /force.
After refreshing policies a couple of times, we got the policy applied on the IAS server.
We checked the registry location and all the stores had certificates populated.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

We got certificates for the following stores:

CA,Disallowed, NTAuth, Root, Trust, Trusted Publisher

We tried connecting the client again, and this time access was granted for the user.
On IAS we have an information event which states the following:

*********************************************************************
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 6/2/2009
Time: 5:25:38 PM
User: N/A
Computer: computername
Description:
User host/xxx.example.com was granted access.
Fully-Qualified-User-Name = domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Client-Friendly-Name = xxx-xxx
Client-IP-Address = 10.1.25.78
Calling-Station-Identifier = 00-11-43-4D-03-9E
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

*********************************************************************************

Issue resolved !!!!!