I believe I've solved my issue. Here's what I learned. For whatever reason,
I suspect a while back when I did a swing migration to move my SBS to new
hardware, the new setup did not allow me to duplicate & publish a certificate
template which is required in order to set the router (offline request) to be
exportable when you get it via the certsrv site. I also found that the
checkbox to store it in the machine store just doesn't work (posts online
about that and I saw for myself). I found this documentation on using the
command line certreq.exe
(http://technet.microsoft.com/en-us/l.../cc736326.aspx) and after
isolating myself from all interruptions, I was able to get it to work. It
enabled me to use the built-in Router (Offline Request) template and make it
exportable. Interestingly, though I could set it to install it directly to
the machine store, that did not work. The key did show as having a private
key, however RRAS would not use it. I then set it to install to the user
store and be exportable, exported it from the user store then into the
machine store and voila! RRAS would now use this cert. Here's how I did it:
I created a file called router.inf. Its contents looked like this:
-----------------------------------
[NewRequest]
Exportable = TRUE
KeyLength=1024
KeySpec = 2
KeyUsage = 0xa0
MachineKeySet = FALSE
Requestername = DOMAIN\VpnUserName
Subject = "CN=VpnUserName"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "OfflineRouter"
-------------------------------------
I then walked through 3 commands at a command prompt:
certreq -new router.inf router.req
certreq -submit router.req
certreq -accept router.cer
I then exported the key it installed in the user store, including the
private key and imported it to the machine store.
"BrianFlynn" wrote:
> I have an SBS 2003 & a Win 2003 Std box that always maintained a persistent
> PPTP VPN tunnel using EAP-TLS certificate based authentication. Recently my
> root certificate expired and ever since, my Win 2003 Std box hasn't been able
> to connect. I've renewed the root certificate on the SBS 2003 & requested a
> new client cert for the Windows 2003 Std box but it didn't help.
>
> When I try to initiate a VPN tunnel from Routing and Remote Access from the
> Win 2003 Std box, I first get a dialogue box that says "The interface is
> disconnected" then I get one that says "The following error occurred: The
> interface credentials have not been set". I have set the credentials to be
> the new certificate but it doesn't help.
>
> In the RASTLSUI.LOG on the Win 2003 Std box, the error I see that seems
> potentially the most useful is "CryptAcquireContext failed. This CSP cannot
> be opened in silent mode. skipping cert.Err: 0x80090016" however I can't
> find anything when searching with that.
>
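
As an added example (not part of the original post), this Python sketch parses the router.inf shown in the reply above, decodes its KeySpec, KeyUsage and EKU values, and lists the settings a reviewer would look at twice. The function names and the 2048-bit floor are assumptions made for the example.

```python
import re
# X.509 key-usage bits, CryptoAPI KeySpec values and two common EKU OIDs.
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}
KEY_SPEC = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "Server Authentication",
             "1.3.6.1.5.5.7.3.2": "Client Authentication"}
# Trimmed copy of the router.inf from the post, embedded so the block runs offline.
ROUTER_INF = """[NewRequest]
Exportable = TRUE
KeyLength=1024
KeySpec = 2
KeyUsage = 0xa0
MachineKeySet = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]} with lower-cased names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def review(text, min_bits=2048):
    """Decode the request and list review notes (min_bits is an assumed floor)."""
    inf = parse_inf(text)
    req = dict(inf.get("newrequest", []))
    usage = int(req.get("keyusage", "0"), 0)
    store = "machine" if req.get("machinekeyset", "").upper() == "TRUE" else "user"
    decoded = {
        "key_usage": [name for bit, name in KEY_USAGE_BITS.items() if usage & bit],
        "key_spec": KEY_SPEC.get(int(req.get("keyspec", "0"), 0), "unknown"),
        "eku": [EKU_NAMES.get(value, value) for key, value in
                inf.get("enhancedkeyusageextension", []) if key == "oid"],
        "store": store}
    checks = [
        (int(req.get("keylength", "0")) < min_bits, "KeyLength below %d bits" % min_bits),
        (req.get("exportable", "").upper() == "TRUE", "private key is exportable"),
        (store == "user", "key is generated in the user store, not the machine store"),
    ]
    return decoded, [note for hit, note in checks if hit]
```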