Wednesday, June 3, 2009

IAS event ID: 2 (A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider)

Client connection to the network using the 802.1X implementation fails with event ID 2 (IAS) (authentication EAP-Type = Smart Card or other certificate)


We have a Windows Server 2003 machine running IAS.
We have deployed 802.1X for the clients.
The authentication method is EAP, using certificates.
When a client is plugged into the switch on a specific port, access to the network is denied and the IAS server logs the following event.

************************************************************
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2009
Time: 11:15:02 AM
User: N/A
Computer: xxx-xxx
Description:
User host/xxxx.example.com was denied access.
Fully-Qualified-User-Name = Domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Called-Station-Identifier = 00-17-5A-6A-7E-94
Calling-Station-Identifier = 00-11-43-4D-03-9E
Client-Friendly-Name = xx-xx-xx
Client-IP-Address = 10.1.25.78
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...€
*******************************************************************

Since the event refers to the trusted root certificate, we checked the root CA certificate in the Trusted Root Certification Authorities store on both the client and the IAS server.
The root CA certificate was present in both locations.
We took the serial number and thumbprint of the certificate, compared them with the actual root CA certificate, and found that they matched.

I checked the resultant set of policy (Start > Run > rsop.msc) and found that the certificate auto-enrollment policy was disabled.
We then checked the following registry path on the IAS server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

It was empty, with no certificates.
On the client, the same location did contain the root CA certificates, because the "auto enrollment" policy was enabled for clients.
We found KB article http://support.microsoft.com/kb/295663/
and followed method 2 from the KB.

Method 2: Import a certificate by using Certutil.exe
________________________________________________________

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack. To download this tools pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

To import a CA certificate into the Enterprise NTAuth store, follow these steps:
1. Export the certificate of the CA to a .cer file. The following file formats are supported:

- DER encoded binary X.509 (.cer)
- Base-64 encoded X.509 (.cer)

2. At a command prompt, type the following command, and then press ENTER:

certutil -dspublish -f filename NTAuthCA

The contents of the NTAuth store are cached in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer


After this we could see the certificate populated in the NTAuth registry location.
However, the other stores were still empty.
So we enabled "auto enrollment" on the IAS server using Group Policy and then ran gpupdate /force.
After refreshing policy a couple of times, the policy was applied on the IAS server.
We checked the registry location again and all the stores had certificates populated.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

We got certificates in the following stores:

CA, Disallowed, NTAuth, Root, Trust, Trusted Publisher
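The following PowerShell script is an added example for this post (it is not the post's own procedure and not Microsoft's KB code). It performs the check described above in one pass: it confirms that the root CA is trusted by the IAS server's own machine store, then walks every store under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates and reports which ones do not yet cache the root CA, so an empty NTAuth store (the reason-code 295 case) is spotted before the next client is denied. Assumptions: the thumbprint parameter is a placeholder to be replaced with your own root CA's SHA-1 thumbprint (certutil -dump RootCA.cer prints it as "Cert Hash(sha1)"), the .cer file path is hypothetical, and the store key for trusted publishers is assumed to be spelled TrustedPublisher in the registry.

```powershell
# Added example, not from the original post: audit the Enterprise certificate
# stores that IAS reads from the registry and confirm the root CA is cached in
# each of them. With -Fix, apply the manual KB 295663 step for NTAuth.
param(
    # Placeholder: replace with the SHA-1 thumbprint of your own root CA certificate.
    [string]$RootCaThumbprint = 'REPLACE-WITH-ROOT-CA-THUMBPRINT',
    # Hypothetical path: the exported root CA certificate (DER or Base-64 .cer).
    [string]$RootCaCerFile    = 'C:\temp\RootCA.cer',
    [switch]$Fix
)

$base   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates'
# Store key names; 'TrustedPublisher' is assumed to be the registry spelling.
$stores = 'CA', 'Disallowed', 'NTAuth', 'Root', 'Trust', 'TrustedPublisher'

# Registry subkeys are named by upper-case hex thumbprint without separators.
$want = ($RootCaThumbprint -replace '[\s:]', '').ToUpperInvariant()

# 1. Does the IAS server itself trust this root? (Trusted Root store of the machine)
$localRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $want }
if ($localRoot) {
    "LocalMachine\Root : present ($($localRoot.Subject))"
} else {
    "LocalMachine\Root : MISSING - the server does not trust this root at all"
}

# 2. Is the root cached in every Enterprise store that Group Policy should populate?
$missing = @()
foreach ($s in $stores) {
    $key = Join-Path $base "$s\Certificates"
    if (-not (Test-Path $key)) {
        "$($s.PadRight(17)): store key absent (Group Policy has not populated it yet)"
        $missing += $s
        continue
    }
    # Wrap in @() so a single subkey still yields an array with a Count.
    $thumbs = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
    if ($thumbs -contains $want) {
        "$($s.PadRight(17)): present ($($thumbs.Count) cert(s) cached)"
    } else {
        "$($s.PadRight(17)): root CA NOT cached ($($thumbs.Count) cert(s) cached)"
        $missing += $s
    }
}

if ($missing.Count -eq 0) {
    "All Enterprise stores cache the root CA; IAS should accept the client chain."
} else {
    "Stores lacking the root CA: $($missing -join ', ')"
}

# 3. The event ID 2 / reason 295 case: NTAuth lacks the CA. -Fix runs the manual
#    step from KB 295663 and then forces a Group Policy refresh for the other stores.
if ($Fix -and ($missing -contains 'NTAuth')) {
    if (-not (Test-Path $RootCaCerFile)) {
        throw "Export the root CA certificate to $RootCaCerFile before using -Fix"
    }
    certutil -enterprise -addstore NTAuth $RootCaCerFile
    gpupdate /force
}
```

Run it on the IAS server first without -Fix to see which stores are empty; a root that is present in LocalMachine\Root but absent from the NTAuth store is exactly the state that produced the warning above. Note that -addstore only patches the local registry cache: the CA still has to be published to the Active Directory NTAuth container (certutil -dspublish -f filename NTAuthCA) for other servers to pick it up through Group Policy.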

We tried connecting the client again, and this time access was granted to the user.
On the IAS server we now see the following information event:

*********************************************************************
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 6/2/2009
Time: 5:25:38 PM
User: N/A
Computer: computername
Description:
User host/xxx.example.com was granted access.
Fully-Qualified-User-Name = domain\computername$
NAS-IP-Address = 10.1.25.78
NAS-Identifier =
Client-Friendly-Name = xxx-xxx
Client-IP-Address = 10.1.25.78
Calling-Station-Identifier = 00-11-43-4D-03-9E
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

*********************************************************************************

Issue resolved !!!!!