RE: Certificate and PEAP

2010-09-02 Thread Malcolm Reitz
If you haven’t already resolved this…

 

Don’t use the DC template. What you want is the RAS and IAS Servers
template. This certificate template needs to be permissioned and configured
properly one time. You may also need to adjust your default domain policy.
Then you add your NPS server to the RAS and IAS Servers AD group and your
server will autoenroll the correct cert.

 

http://technet.microsoft.com/en-us/library/cc754198.aspx

 

-Malcolm

 

From: Jay Dale [mailto:jd...@emlogis.com] 
Sent: Saturday, August 28, 2010 10:15
To: NT System Admin Issues
Subject: RE: Certificate and PEAP

 

No one have any ideas?  This one must be a toughie – I put it on EE which
typically gets a quick response but nothing there yet either… :(

 

Jay Dale
Senior Systems Administrator

o:713.785.0960 x290

 

From: Jay Dale [mailto:jd...@emlogis.com] 
Sent: Friday, August 27, 2010 9:55 AM
To: NT System Admin Issues
Subject: Certificate and PEAP

 

Hey all,

 

I’m trying to set up a Cisco Wifi Access Point on our network and use NPS
with PEAP authentication so it will connect the users via their user account
or computer account.  I’ve set up a CA on Windows Ent. 2008 64bit and gone
through all the steps on creating the GPO, setting up NPS for Wired
Authentication, etc.  However, I have one sticking point.

 

When I go into NPS and look at the properties of the network wifi policy,
then under Constraints, then PEAP and choose Edit, I get the error:

 

“A certificate could not be found that can be used with this Extensible
Authentication Protocol”.

 

So, no worries.  I go into the Certificates console, request a Domain
Controller certificate, then when I go back and edit the cert shows up and
the clients can connect fine.  Problem is, later on I lose connection and go
back and check this setting and I get the error again, meaning the cert
isn’t sticking.  Is there a way to keep this cert from getting removed and
keeping it there?

 

Thanks,

 

Jay
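
The error quoted in this thread means NPS found no certificate in the server's computer store that it will accept for PEAP. The script below is an added example, not code from any poster in the thread: it lists each certificate in `Cert:\LocalMachine\My` and reports whether it has a private key, is within its validity period and carries the Server Authentication EKU, along with the template it was issued from. It assumes Windows PowerShell 3.0 or later run on the NPS server; the function name `Test-PeapServerCertificate` is hypothetical, and other checks NPS applies (such as chain trust) are not covered.

```powershell
# Added example: report which certificates in the computer store meet the
# basic requirements for an NPS PEAP server certificate.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication EKU
$TemplateOids  = '1.3.6.1.4.1.311.21.7',      # Certificate Template Information (v2 templates)
                 '1.3.6.1.4.1.311.20.2'       # Certificate Template Name (v1 templates)

function Test-PeapServerCertificate {          # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $now     = Get-Date
        $reasons = @()

        if (-not $Certificate.HasPrivateKey) { $reasons += 'no private key' }
        if ($Certificate.NotBefore -gt $now) { $reasons += 'not yet valid' }
        if ($Certificate.NotAfter  -lt $now) { $reasons += 'expired' }

        # Collect EKU OIDs. Assumption of this check: a certificate with no
        # EKU extension at all is reported as unsuitable.
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $ServerAuthOid) { $reasons += 'no Server Authentication EKU' }

        # The template extension shows whether this came from the Domain
        # Controller template or from RAS and IAS Server.
        $template = $Certificate.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            Select-Object -First 1

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Template   = if ($template) { $template.Format($false) } else { '(none)' }
            Usable     = ($reasons.Count -eq 0)
            Problems   = $reasons -join '; '
        }
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-PeapServerCertificate |
    Sort-Object NotAfter |
    Format-List
```

Running it once right after enrolling and again after the error returns shows whether the certificate was removed from the store or is still present but no longer passes one of these checks.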

 


  


 



RE: Certificate and PEAP

2010-09-02 Thread Miller Bonnie L .
Sorry—my list time is spotty these days.  Ugh, yes, we ran into this ugly 
problem—I don’t have links handy nor remember all of the details as I didn’t do 
the research on this one, but our network admin did a ton of searching and 
troubleshooting on this with our new Aruba gear (for weeks).  Seems there is 
something off with these settings working out of the box.

IIRC, the solution he finally found was that we had to implement a GPO to the 
NPS server (computer account) that disables the auto-enrollment of certs.  
Something with AD auto-enrollment doesn’t allow the correct cert to be 
enrolled.  Specifically, you set

\Computer config\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client – Auto-Enrollment Settings
   Automatic certificate management   Disabled

After that, you can manually enroll the certificate needed via the certificates 
mmc, and then when you click on the edit button, you should have some options 
available.

That might not be the exact order, but maybe you can figure it out from there.  
I can dig further to find the referenced link, but I’m not sure I still have it.

-Bonnie


RE: Certificate and PEAP

2010-08-30 Thread Kelsey, John
How did you create your DC cert?  I followed this article and it worked like a 
charm.

 

http://support.microsoft.com/kb/321051

 


RE: Certificate and PEAP

2010-08-28 Thread Jay Dale
No one have any ideas?  This one must be a toughie – I put it on EE which 
typically gets a quick response but nothing there yet either…:(

Jay Dale
Senior Systems Administrator
o:713.785.0960 x290
