Got PEAP working, trying for EAP-TLS, need some help
06-01-05 10:54 PM
I have a working setup with PEAP, and am trying to get EAP-TLS working. I
have computer and user certificates on the client and a computer certificate
on the server. When I connect with the client I get the below.

The root certificate is "trusted" on both the client and server, and the
chain shows up with no problems if I click on any of the certs. Anyone got
any ideas?

PEAP is working perfectly, but I wanted to try and get it working with certs
as that is more secure. Thanks

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2005
Time: 2:56:31 PM
User: N/A
Computer: IAS1
Description:
User Bob was denied access.
Fully-Qualified-User-Name = ws.local/Accounts/Apartment Users/Bob
NAS-IP-Address = 192.168.1.17
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-12-17-e1-22-39
Client-Friendly-Name = wireless
Client-IP-Address = 192.168.1.17
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Re: Got PEAP working, trying for EAP-TLS, need some help
06-02-05 12:49 PM
Hi,
It looks like either EAP-TLS is not configured on client or on server. Can
you make sure that BOTH are configured to use EAP-TLS?
Thx.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
OR if you wish to include a script sample in your post please add "Use of
included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm"
Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"John Smith" <na@na.com> wrote in message
news:eJGbO2uZFHA.2996@TK2MSFTNGP10.phx.gbl...
> I have a working setup with PEAP, and am trying to get EAP-TLS working, I
> have computer and user certificates on the client and computer certificate
> on the server. When I connect with the client I get the below.
>
>
>
> The root certificate is "trusted" on both the client and server, and the
> chain shows up with no problems if I click on any of the certs. Anyone got
> any ideas?
>
>
>
> PEAP is working perfectly, but I wanted to try and get it working with certs
> as that is more secure. Thanks
>
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/1/2005
> Time: 2:56:31 PM
> User: N/A
> Computer: IAS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = ws.local/Accounts/Apartment Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 22
> Reason = The client could not be authenticated because the Extensible
> Authentication Protocol (EAP) Type cannot be processed by the server.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 00 00 00 00 ....
>
>

Re: Got PEAP working, trying for EAP-TLS, need some help
06-02-05 10:53 PM
Sorry, had the wrong error up, my bad.

On the server under IAS Remote access Policies, under EAP Methods, I have
"Smart Card or other certificate" selected. On the client, under
"Authentication", I have "Smart Card or other certificate" selected and under
that I have "Use Certificate on this computer". I am getting the below error;
sorry, I seem to have posted the wrong one last time.

Error: A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

Full Event log

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/2/2005
Time: 10:19:28 AM
User: N/A
Computer: LCS1
Description:
User Bob was denied access.
Fully-Qualified-User-Name = Users/Bob
NAS-IP-Address = 192.168.1.17
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-12-17-e1-22-39
Client-Friendly-Name = wireless
Client-IP-Address = 192.168.1.17
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...€
"Wei Zheng [MSFT]" <weizheng@online.microsoft.com> wrote in message
news:%23ZR2EH2ZFHA.1456@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> It looks like either EAP-TLS is not configured on client or on server. Can
> you make sure that BOTH are configured to use EAP-TLS?
>
> Thx.
>
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> OR if you wish to include a script sample in your post please add "Use of
> included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm"
>
> Please do not send e-mail directly to this alias.
> This alias is for newsgroup purposes only.
> ====================================
> "John Smith" <na@na.com> wrote in message
> news:eJGbO2uZFHA.2996@TK2MSFTNGP10.phx.gbl...
>
>

Re: Got PEAP working, trying for EAP-TLS, need some help
06-07-05 01:49 AM
Hi,
Have you tried this?
http://support.microsoft.com/defaul...kb;en-us;255681
Follow the steps, see if it helps you.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.
Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"John Smith" <na@na.com> wrote in message
news:u#haB#4ZFHA.2900@TK2MSFTNGP15.phx.gbl...
> Sorry, had the wrong error up, my bad.
>
> On the server under IAS Remote access Policies, under EAP Methods, I have
> "Smart Card or other certificate" selected. On the client, under
> "Authentication", I have "Smart Card or other certificate" selected and under
> that I have "Use Certificate on this computer". I am getting the below error;
> sorry, I seem to have posted the wrong one last time.
>
>
>
> Error: A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
>
> Full Event log
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/2/2005
> Time: 10:19:28 AM
> User: N/A
> Computer: LCS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = Smart Card or other certificate
> Reason-Code = 295
> Reason = A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 12 01 0b 80 ...?
>
> "Wei Zheng [MSFT]" <weizheng@online.microsoft.com> wrote in message
> news:%23ZR2EH2ZFHA.1456@TK2MSFTNGP15.phx.gbl...
>
>

Re: Re: Got PEAP working, trying for EAP-TLS, need some help
09-19-05 04:30 PM
I received the exact same error as below, but my problem was with a CA
certificate in the NTAuthCertificates Store in AD. Use the PKIHealth tool to
remove and replace the offending certificate.

I had several issuing CAs, and was able to recognize that only one particular
CA's certificates that were issued to the users/workstations never worked.
I replaced its CA certificate in the store and all is well.

The Q article below describes how to work with the store.
http://support.microsoft.com/defaul...b;EN-US;Q295663

> Full Event log
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/2/2005
> Time: 10:19:28 AM
> User: N/A
> Computer: LCS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = Smart Card or other certificate
> Reason-Code = 295
> Reason = A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 12 01 0b 80 ...?
>
>
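
The two IAS "Event ID: 2" denials posted in this thread, parsed into fields and matched to the checks the replies suggest. This is an added example, not part of any post: the samples are abridged from the events above, and the function names and the NEXT_CHECK mapping are assumptions for illustration, not an official reason-code table.

```python
import re

# Abridged from the two events posted in this thread (second one in quoted form).
EVENT_22 = """\
User Bob was denied access.
NAS-Identifier = <not present>
Calling-Station-Identifier = 00-12-17-e1-22-39
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at
"""
EVENT_295 = """\
> User Bob was denied access.
> Calling-Station-Identifier = 00-12-17-e1-22-39
> EAP-Type = Smart Card or other certificate
> Reason-Code = 295
> Reason = A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
"""

# Next checks as suggested by the replies in this thread (assumed mapping).
NEXT_CHECK = {
    22: "confirm client and server are both configured for EAP-TLS",
    295: "inspect the issuing CA certificate in the NTAuthCertificates store",
}
FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")

def parse_ias_event(description):
    """Parse 'Name = value' lines; other lines continue the previous value."""
    fields, last = {}, None
    for line in description.splitlines():
        line = line.lstrip("> ").strip()          # tolerate quoted-reply prefixes
        if line.startswith("For more information"):
            break                                 # trailer is not part of Reason
        m = FIELD.match(line)
        if m:
            last, value = m.groups()
            fields[last] = None if value in ("<not present>", "<undetermined>") else value
        elif last and line:
            fields[last] = f"{fields[last] or ''} {line}".strip()
    return fields

def triage(description):
    """Return (reason code, negotiated EAP type or None, suggested next check)."""
    f = parse_ias_event(description)
    code = int(f["Reason-Code"])
    return code, f.get("EAP-Type"), NEXT_CHECK.get(code, "no hint in this thread")
```

An EAP-Type of None alongside code 22 means no EAP method was negotiated at all, while code 295 with a named EAP type means the method ran and the failure is in certificate trust.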