PEAP-MS-CHAP v2 Certificate Problem

  • Thread starter Thread starter Taylor Sbicca
  • Start date Start date
T

Taylor Sbicca

I'm been having a major problem in creating a certificate that is
compatible with PEAP-MS-CHAP V2 for Radius authentication. I'm
running a Stand Alone CA on a w2k server that is on a network without a
domain controller. I've been getting the infamous "A certificate
could not be found that can be used with this Extensible Authentication
Protocol" error while trying to configure my Remote Access policies
to use PEAP.

I've scoured the web and Usenet to find a solution and have tried
everything that has been suggested to no avail. I generate my own
certificates 1024 bit server authentication certificates using MS RSA
SChannel Cryptographic provider. I've taken that certificate and
placed it in my local machine/personal folder. I made sure my CA is a
trusted authority. Yet despite all this I keep getting the "A
certificate could not be found that can be used with this Extensible
Authentication Protocol" error. Any help would be greatly
appreciated.
 
Taylor,

Try the following:

Make sure that the correct key option parameters are configured in the server authentication
certificate. To do this, follow these steps:



1. Start Microsoft Internet Explorer.

2. On the Address bar, type "http://<Local Host>/CertSrv" (without the quotation marks). Click
"Go".

3. On the Welcome page, click "Request a certificate" under "Select a task".

4. On the Request a Certificate page, click "Advanced certificate request".

5. On the Advanced Certificate Request page, click "Create and submit a request to this CA".

6. Make sure that the correct parameters are configured under "Key Options". To do this,
follow these steps:

a. Click "Create New key set".
b. In the "CSP" box, click "Microsoft RSA SChannel Cryptographic Provider".
c. In the "Key Size" box, type "1024" (without the quotation marks).
d. Click "Automatic key container name".
e. Click to select the "Store Certificate in the local computer certificate store" check box.
f. Click "Submit".

HTH,
Gary

--------------------
'--'From: "Taylor Sbicca" <[email protected]>
'--'Newsgroups: microsoft.public.win2000.networking
'--'Subject: PEAP-MS-CHAP v2 Certificate Problem
'--'Date: 29 Dec 2004 17:01:17 -0800
'--'Organization: http://groups.google.com
'--'Lines: 18
'--'Message-ID: <[email protected]>
'--'NNTP-Posting-Host: 70.58.78.21
'--'Mime-Version: 1.0
'--'Content-Type: text/plain; charset="iso-8859-1"
'--'X-Trace: posting.google.com 1104368482 29728 127.0.0.1 (30 Dec 2004 01:01:22 GMT)
'--'X-Complaints-To: (e-mail address removed)
'--'NNTP-Posting-Date: Thu, 30 Dec 2004 01:01:22 +0000 (UTC)
'--'User-Agent: G2/0.2
'--'Complaints-To: (e-mail address removed)
'--'Injection-Info: f14g2000cwb.googlegroups.com; posting-host=70.58.78.21;
'--' posting-account=tNYjcA0AAACQt_T4PC3bfZl-d5VxVS93
'--'Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXS01.phx.gbl!cpmsftngxa06.phx.gbl!
TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!news.glorb.com!
postnews.google.com!f14g2000cwb.googlegroups.com!not-for-mail
'--'Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.networking:76821
'--'X-Tomcat-NG: microsoft.public.win2000.networking
'--'
'--'I'm been having a major problem in creating a certificate that is
'--'compatible with PEAP-MS-CHAP V2 for Radius authentication. I'm
'--'running a Stand Alone CA on a w2k server that is on a network without a
'--'domain controller. I've been getting the infamous "A certificate
'--'could not be found that can be used with this Extensible Authentication
'--'Protocol" error while trying to configure my Remote Access policies
'--'to use PEAP.
'--'
'--'I've scoured the web and Usenet to find a solution and have tried
'--'everything that has been suggested to no avail. I generate my own
'--'certificates 1024 bit server authentication certificates using MS RSA
'--'SChannel Cryptographic provider. I've taken that certificate and
'--'placed it in my local machine/personal folder. I made sure my CA is a
'--'trusted authority. Yet despite all this I keep getting the "A
'--'certificate could not be found that can be used with this Extensible
'--'Authentication Protocol" error. Any help would be greatly
'--'appreciated.
'--'
'--'


This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
 
Hi Gary,

All the certificates that I have been using in the past were configured
like you suggested. None the less I tried it again but was
unsuccessful. From everything I've read on Usenet and the web it seems
that I have the certificates configured correctly. Perhaps the problem
lies in how I'm moving my issued certificates into the local machine's
personal certificate store. I'll explain how I've been doing it and
maybe you can tell me if I'm going about this all wrong.

After I request a certificate using the web interface I go to the
certificate authority in the console. I issue the certificate and then
double click on the issued certificate. I then click on the details
tab, and the copy to file button. I have the option to save the
certificate as a DER encoded binary (.CER), a Base 64 encoded binary
(.CER), or a .P7B. The option to save the certificate as a PFX is
grayed out so I can't choose it. I then save the certificate to my
certificate folder. Next in the console I go to personal folder in my
local certificate store and import the certificate which I just
exported.

Is this the correct method for getting the certificates I've created
into the personal folder? I've tried using the web interface to do it
but when I check my pending requests from the server it says I have no
requests pending. (The strangest part is that when I request a
certificate from another machine it will show me pending requests and I
can install the certificate through the web interface) Any thoughts
you have that might help would be greatly appreciated.
 
A .cer file only contains the public key and not the private key which is
why it is not working. Your web browser must have cookies enabled to
retrieve the pending request I believe and it may help to include the
certificate "website" in your trusted web content zone and also retrieve it
from the same computer as the same user that you made the request from. If
all that fails you can request the certificate from another machine where it
does work. When you do the request make sure to enter then name of the
computer you are using for IAS and check to make the private keys
exportable. Then you would have to go into the personal computer store on
the computer where the request/issuance was successful and export it and the
private keys to a .pfx file which you will have to password protect. Move
the .pfx file to your IAS server, open the mmc snapin for computer store and
from the personal folder select import and browse to the .pfx file you
created to import it. I would then delete the certificate on the original
computer where it was installed. --- Steve
 
Back
Top