Certificate Services for VPN Access

Thread starter: Richard

Richard

I have set up a RRAS VPN server and it works for PPTP
connections. I set up Certificate Services for L2TP
connections. I have issued certificates for the server
and the remote user. I get errors that state the client
does not have a valid certificate and also that the
server certificate is invalid as well. I used the MS
white papers to alter the connection to use a shared
secret for L2TP and that works. For some reason the
certificates will not. My CA is an Enterprise Root and I
have checked to make sure that it is in the Cert
Publishers security group and that it is listed in
Directory Services as a CA.

Any ideas?

-Richard
 
It sounds like you're trying to accomplish client
authentication... yes? Remember, there are 4 methods of
authenticating the client - anonymous, basic, NT challenge-
response, and SSL.
Anonymous - all clients are simply considered
authenticated.
Basic - users attempting to gain access to the resources
enter their username/pwd in the dialog box rendered by the
browser.
NT challenge-response - authentication without requiring
actual passwords being transmitted across the network -
the browser uses cryptography to "prove its knowledge" of
the current user's login/pwd.
SSL - based on public-key cryptography in which the user's
client certificate is used to verify identity. BINGO!

Authentication takes place when the user's private key
information is presented for authentication against the
public key information stored on the server... Do you
have the user's key information installed on the server and
does the session know where to find it?

Also the advantage of this method is that you do not need
to setup individual accounts for each user attempting
access - multiple certificates can be mapped to one
account. Check account association also.

Hope this helps...
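The "client does not have a valid certificate" and "server certificate is invalid" errors in the original question mean one side is rejecting the other's certificate during chain validation. The following PowerShell diagnostic is an added example, not code from either poster; it assumes the L2TP certificates were issued into the computer's Personal store (Cert:\LocalMachine\My) and reports, for each certificate there, why Windows would refuse to use it.

```powershell
# Added diagnostic, not code from the thread. For every certificate in the computer's
# Personal store it reports the conditions that make it unusable as an L2TP/IPsec machine
# certificate: no private key, outside its validity period, or a chain that does not
# build to a root this machine trusts. Run it on the VPN client and on the RRAS server.
# Assumption: the L2TP certificates live in Cert:\LocalMachine\My, not in a user store.
function Test-MachineCertificateChain {
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $problems = @()

        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key (cannot prove identity)'
        }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "outside validity period $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
        }

        # Build the chain the way the platform does, revocation check included, and
        # record every reason it fails (UntrustedRoot, PartialChain, RevocationStatusUnknown, ...).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            foreach ($status in $chain.ChainStatus) {
                $problems += "chain: $($status.Status) - $($status.StatusInformation.Trim())"
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-MachineCertificateChain | Format-Table -AutoSize -Wrap
```

A certificate that shows Usable on the client can still be rejected by the server if the server does not trust the issuing root, so compare the Issuer column on both machines.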
 