Validate Certificates

Don Jones

Looking for a way to validate Machine certificate(s) and
root certificate. Trying to implement RAS using L2TP,
and getting Error 786 no valid machine certificate
found. In looking at the local machine root store, the
CA certificate is there. Under the local machine
personal, the machine certificate is there. It says it's
valid and indicates there is a private key under the
general tab. The client is Windows XP SP1, and the
Server is Windows 2000 SP4.

Thanks.

Don Jones
 
Dear Don,

Thank you for your post.

My understanding is that the error message (Error 786 no valid machine
certificate found) occurs on the client when dialing to the server. Is it
correct?

Please check the following in the Certificate Snap-in window:

1. Under both "Certificates - Current User"\"Trusted Root Certification
Authorities" and "Certificates (Local Computer)"\"Trusted Root
Certification Authorities", please check whether the CA certificate exists.
2. Under "Certificates (Local Computer)"\Personal, please double-click the
machine certificate. On the Detail tab, please check the "Enhanced Key
Usage" item and let me know the content.

In the meantime, please let me know the following:

3. How many clients were affected by this problem (only this Windows XP SP1
client)?
4. Please post a screen shot of the error message.

Thank you for your time and efforts. I look forward to hearing from you.

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Thanks for the reply. Below are the contents of the
enhanced key:

Server Authentication (1.3.6.1.5.5.7.3.1)

Both the user and computer account have a root
certificate for the CA.

The CA is an Enterprise CA.

Don Jones

All users are affected and all are Windows XP SP1.
 
Dear Don,

Thank you for your information. Could you let me know whether or not this
problem only occurs on this Windows XP client? This information is very
important because our next action plan (including troubleshooting steps and
information collection) depends on it.

In addition, please go to the RAS server and browse to "Certificates (Local
Computer)"\Personal. How many certificates are there?

Thank you for your time and efforts!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

 
The problem happens on W2K Pro and WinXP Pro.

There are two certificates in the Computer Personal
datastore. One for the Computer, and the second one is
the CA certificate.

Don Jones
 
Dear Don,

Thank you for your reply.

However, I am still a little unclear. Is there any client where the end
users can connect to the RAS server correctly? Please let me know the
approximate number of correct and problematic clients, and what operating
systems are running on these clients. This information can help us narrow
down the problem's scope and we need to confirm it in order to begin
designing the next troubleshooting steps.

Thank you for your cooperation!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

 
Thanks for the reply.

The certificates did not come through. I think I figured
out the problem.

I request a certificate via W2K's Certificate Web Site,
and the only template I feel that is appropriate is Web
Server. Normally, I see computer as a template to choose
from, but I didn't see it. What causes the computer
template not to be offered? Is it the difference between
a Standalone CA v. Enterprise CA?

I decided to go in via mmc and request a certificate that
way. I was able to choose computer and it seems to work.

Is a certificate for a Web Server to allow SSL valid for
L2TP? Why I ask, I saw a difference in the certificate:
one says: Ensures the identity of a remote computer,
while the other one says:
Proves your identity to a remote computer
Ensures the identity of a remote computer

I'll do more testing and let you know.

Thanks.

Don Jones
 
Dear Don,

Thank you for your update and I am glad to know that the problem has been
resolved.

Yes, it is a difference between a Standalone CA and an Enterprise CA. For a
Standalone CA, there is no template.

Regarding the second question, when a user requests a certificate from a
Standalone CA, if the "Schannel Cryptographic Provider" type CSP is used,
this certificate cannot be used for L2TP/IPSec. Therefore, if the
certificate for a Web Server to allow SSL is a certificate that uses the
"Schannel Cryptographic Provider" type CSP from a standalone CA, it is not
valid for L2TP.

I would also like to thank you for your time and efforts in cooperating
with us throughout the life of this issue.

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation
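
The checks requested in this thread (Enhanced Key Usage, private key, root trust, extra certificates in the computer's Personal store, and the CSP named in the final answer) can be gathered in one pass. This is an added example, not code from the thread: it assumes Windows PowerShell 5.1 on a current Windows system rather than the Windows 2000/XP machines discussed, the function name `Get-MachineCertReport` is hypothetical, and revocation checking is skipped.

```powershell
# Added example: report on every certificate in the computer's Personal store.
# Get-MachineCertReport is a hypothetical helper name, not a built-in cmdlet.
# Run from an elevated session so private keys in the machine store can be opened.
function Get-MachineCertReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {

        # Enhanced Key Usage, as shown on the certificate's Details tab.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) {
            $ekus = @($ekuExt.EnhancedKeyUsages |
                ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value })
        }

        # A CA certificate sitting in the Personal store is worth noticing:
        # the thread's test steps ask for a single certificate there.
        $bcExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        $isCA = [bool]($bcExt -and $bcExt.CertificateAuthority)

        # CSP that holds the private key (only readable for CSP-backed keys).
        $provider = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } else {
                    $provider = '(not a CSP key)'
                }
            } catch {
                $provider = "(unreadable: $($_.Exception.Message))"
            }
        }

        # Build the chain in machine context; revocation is skipped (assumption).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $root    = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            IsCA             = $isCA
            EnhancedKeyUsage = if ($ekus) { $ekus -join '; ' } else { '(no EKU extension)' }
            CspProvider      = $provider
            SchannelCsp      = ($provider -like '*SChannel*')
            ChainBuilds      = $chainOk
            ChainStatus      = $status
            ChainRoot        = $root
        }
    }
}

Get-MachineCertReport | Format-List
```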

|>-----Original Message-----
|>Dear Don,
|>
|>Thank you for your information and continued cooperation.
|>
|>Based on the current status, I have attached several test certificates in
|>this post. We can use them to confirm if the problem is related to
|>certificates. The password of the pfx file is "1".
|>
|>The following are our test steps:
|>
|>1. ON VPN Client
|>
|>(1) Under "Certificates (Local Computer)"\Personal, import the
|>"USERAdministrator.pfx" file.
|>(2) Under "Certificates (Local Computer)"\"Trusted Root Certification
|>Authorities" import the "rootca.cer" file.
|>(3) Under "Certificates (Current User)"\"Trusted Root Certification
|>Authorities" import the "rootca.cer" file.
|>
|>Please confirm the following:
|>
|>(1) Under "Certificates (Local Computer)"\Personal, the "Administrator"
|>VPN Client machine certificate exists.
|>(2) Under "Certificates (Local Computer)"\"Trusted Root Certification
|>Authorities" the "Enterprise VPN CA" CA certificate exists.
|>(3) Under "Certificates - Current User"\"Trusted Root Certification
|>Authorities" the "Enterprise VPN CA" CA certificate exists.
|>
|>2. ON RRAS Server
|>
|>(1) Under "Certificates (Local Computer)"\Personal, import the
|>"EVPNSERVER.pfx" file.
|>(2) Under "Certificates (Local Computer)"\"Trusted Root Certification
|>Authorities" import the "rootca.cer" file.
|>(3) Under "Certificates (Current User)"\"Trusted Root Certification
|>Authorities" import the "rootca.cer" file.
|>
|>Please confirm the following:
|>
|>(1) Under "Certificates (Local Computer)"\Personal, the "Enterprise VPN
|>Server" certificate exists and no other certificate exists.
|>(2) Under "Certificates (Local Computer)"\"Trusted Root Certification
|>Authorities" the "Enterprise VPN CA" CA certificate exists.
|>(3) Under "Certificates - Current User"\"Trusted Root Certification
|>Authorities" the "Enterprise VPN CA" CA certificate exists.
|>(4) Restart the RRAS service.
|>
|>3. Test the L2TP Connection
|>
|>By the way, it does not matter whether the installed CA is an Enterprise CA
|>or a standalone CA.
|>
|>I look forward to hearing from you. Thanks!
|>
|>Regards,
|>Joe Wu
|>Product Support Services
|>Microsoft Corporation
|>
|>|No user can connect to the RAS server using L2TP.
|>|
|>|Do you have a guideline on which certificates the machines
|>|should get? When I request a certificate through the web
|>|site, I have an option for the Web Server, and nothing
|>|specifically referencing a "machine certificate". What
|>|type of certificates are issued from an Enterprise CA,
|>|should these certificates be "machine certificates" and
|>|they should be ok with L2TP, correct?
|>|
|>|Would it be worthwhile to remove the Enterprise CA, and
|>|go for a standalone CA?
|>|
|>|Don Jones