IAS EAP-TLS Certificate Error

gw

Hi,
I have a three-tier PKI with an offline root CA. We recently had to renew
the CA cert of the intermediate and the CA certs of all issuing CAs. We
currently have two issuing CAs running on two DCs/IAS which are used
to issue certs to users at two different locations. These users
authenticate via EAP-TLS at the IAS when going wireless.
After the renewal of the CA certs one of the locations still works fine.
At the other location the old users who got their cert before the change
can still log on. The new users with certs issued after the change
cannot log on. IASSAM.log shows: EAP authentication failed: The
certificate chain was issued by an untrusted authority.
The certs look just fine and the chain is correct. I already renewed the
computer cert for the IAS.
Any hint is appreciated
regards
GW
 
What operating system are the client computers running?
Do they have the MS04-11 patch applied?

Brian
 
The clients run Windows XP embedded SP1 :-)
Günter
It sounds like you are having CRL or CA certificate retrieval problems.
Your best course of action is to test the certificates (old and new) by
exporting the certificates (base64 or DER), and then running
certutil -verify -urlfetch (CertificateFileName)

and check the output. You may find they are unable to download the
necessary certs. Also, when you renewed the root CA intermediate certs,
did you republish to AD the renewed cert

certutil -dspublish (CACertificateFileName) SubCA ==> For Sub CAs
certutil -dspublish (CACertificateFileName) RootCA ==> For Root CAs

Brian
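The two checks Brian describes, written out as one script. This is an added example, not code from the thread or from Microsoft: it runs certutil -verify -urlfetch over a set of exported certificates and keeps only the output lines that signal a retrieval or trust problem, then republishes the renewed Sub CA certificate to AD. The directory C:\pki and the file names user-old.cer, user-new.cer, ias-server.cer and intermediate-renewed.cer are assumptions; substitute your own exports.

```batch
@echo off
rem Added example, not from the thread: run certutil -verify -urlfetch over a
rem set of exported certificates and keep only the lines that signal trouble,
rem then republish the renewed Sub CA certificate to Active Directory.
rem File names and paths are assumptions; substitute your own exports.

setlocal
set CERTDIR=C:\pki

rem Assumed exports: a user cert issued before the renewal, one issued after,
rem and the IAS computer certificate. Run this on the IAS server itself,
rem since that is the machine that has to build the chain during EAP-TLS.
for %%C in (user-old.cer user-new.cer ias-server.cer) do (
    echo === %CERTDIR%\%%C ===
    rem -urlfetch forces live AIA (issuer cert) and CDP (CRL) downloads, so a
    rem retrieval failure shows up instead of being hidden by a cached chain.
    certutil -verify -urlfetch "%CERTDIR%\%%C" > "%TEMP%\%%C.txt" 2>&1
    rem Keep the lines that matter: a failed URL retrieval, an untrusted root,
    rem a revocation-check problem, or the final FAILED verdict.
    findstr /I /C:"Failed" /C:"UNTRUSTED" /C:"revocation" /C:"Error" "%TEMP%\%%C.txt"
    if errorlevel 1 echo   no errors reported for %%C; compare its chain against a working cert
)

rem Republish the renewed intermediate CA certificate into the AD AIA container
rem so every IAS/DC builds the chain from the directory rather than depending
rem on the HTTP AIA URL. This needs certutil from Windows Server 2003 or later
rem (the Windows 2000 build has no -dspublish), run with Enterprise Admin
rem rights. -f overwrites an existing directory object with the same name.
certutil -dspublish -f "%CERTDIR%\intermediate-renewed.cer" SubCA
endlocal
```

Compare the output for the old and the new user certificate side by side: the old one chains to the intermediate certificate the IAS already trusts, while the new one chains to the renewed intermediate, so any "Failed" AIA retrieval or UNTRUSTED root line that appears only for the new certificate points at the missing renewed CA certificate rather than at the user certificate itself.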
 
Hi
thank you Brian.
The root CA cert has not been renewed, only the intermediate CA cert, since
the root cert lifetime was extended during installation, but we missed
extending the lifetime for issued certs on the root CA initially; it was left at
the default. So we had to renew the intermediate CA cert and all issuing CA
certs after less than two years.
So this means there is no need to republish the root CA cert to AD.
But I did not republish the intermediate CA cert to AD.
If this were the problem, why would the second location still be working?
I tried certutil -dspublish, but dspublish is not a valid option with the
Windows 2000 certutil.
Günter
 