WLan and 802.1x EAP / Certificate problems

I have the following testlab:
Windows 2000 SP4 Domain Controller/DNS
Windows 2003 Server standard with IIS (incl ASP) / IAS / Certificate server

The Certificate server is configured as a Enterprise CA server.

I try to set up a WLAN Remote Access Policy using EAP (PEAP).

When I try to edit EAP (PEAP) properties I get the following message:

"A certificate could not be found that can be used with this Extensible
Authentication Protocol".

Any suggestions?

The server that you are using needs to have a computer certificate
installed. Open up the mmc certificate snapin for "computer" and look in the
personal store to see if there is a certificate. If there is none right
click the personal folder, select all tasks, and select request a
certificate. Select computer as the type of certificate. The CA's
certificate also needs to be in the trusted root folder. If it is not there
you will have to export it from the CA's computer certificate store [no
need to include private keys] to a .cer file and import it into the trusted
root folder. The mmc certificate snapin can only be used to request
certificates for domain members. Otherwise Web Enrollment will need to be
used. --- Steve


"Kjetil Pettersson broadpark.no>" <kjetil.pettersson@<nospam> wrote in
message news:(E-Mail Removed)...
>I have the following testlab:
> Windows 2000 SP4 Domain Controller/DNS
> Windows 2003 Server standard with IIS (incl ASP) / IAS / Certificate
> server
>
> The Certificate server is configured as a Enterprise CA server.
>
> I try to set up a WLAN Remote Access Policy using EAP (PEAP).
>
> When I try to edit EAP (PEAP) properties I get the following message:
>
> "A certificate could not be found that can be used with this Extensible
> Authentication Protocol".
>
> Any suggestions?
>
>
>

This has already been done. I've uninstalled the cert.server several times
and even if I deleted old certificates from my CA server using the MMC snap
in before uninstalling the cert.server they all come back when the
cert.server is reinstalled. Is this by design? It's quite confusing.

Does the Win2k Domain Controller need to have the certificate installed?

Kjetil






"Steven L Umbach" <(E-Mail Removed)> skrev i melding
news:(E-Mail Removed)...
> The server that you are using needs to have a computer certificate
> installed. Open up the mmc certificate snapin for "computer" and look in
> the personal store to see if there is a certificate. If there is none
> right click the personal folder, select all tasks, and select request a
> certificate. Select computer as the type of certificate. The CA's
> certificate also needs to be in the trusted root folder. If it is not
> there you will have to export it from the CA's computer certificate store
> [no need to include private keys] to a .cer file and import it into the
> trusted root folder. The mmc certificate snapin can only be used to
> request certificates for domain members. Otherwise Web Enrollment will
> need to be used. --- Steve
>
>
> "Kjetil Pettersson broadpark.no>" <kjetil.pettersson@<nospam> wrote in
> message news:(E-Mail Removed)...
>>I have the following testlab:
>> Windows 2000 SP4 Domain Controller/DNS
>> Windows 2003 Server standard with IIS (incl ASP) / IAS / Certificate
>> server
>>
>> The Certificate server is configured as a Enterprise CA server.
>>
>> I try to set up a WLAN Remote Access Policy using EAP (PEAP).
>>
>> When I try to edit EAP (PEAP) properties I get the following message:
>>
>> "A certificate could not be found that can be used with this Extensible
>> Authentication Protocol".
>>
>> Any suggestions?
>>
>>
>>
>
>

I tried requesting another certificate by doing the following:

Open MMC adding the certificates/local computer snap-in.

Right click Personal and choose "request new certificate"

I chose "computer" for the certificate type

I called it "myservername IAS server"

It was added successfully and finally I could set PEAP properties (hurray).

I now have two Personal certificates:

1. The original certificate that came automatically after installing
Certificate Services:
Issued to: testsrv2
Issued by: testsrv2
expiration date: 19.10.2020
Intended purposes: <all>
Friendly name: <None>
Status:
Certificate template: Root Certification Authority

1. The new certicate issued to the same computer:
Issued to: testsrv2.mydomain.net
Issued by: testsrv2
expiration date: 19.10.2005
Intended purposes: Client Authentication, Server Authentication
Friendly name: testsrv2 IAS server
Status:
Certificate template: Computer

I guess seeing it like this makes sense, but it's still a little confusing.

What do you mean that you uninstalled the cert.server ?? A domain controller
should automatically receive a computer certificate after the Enterprise
Certificate Authority is installed but it would be a good idea to see that
it has one and also request a general computer certificate. The computer
that you are trying to use for remote access also needs a copy of the CA's
certificate via a .car file in it's trusted root folder in order for
authentication to work. --- Steve


"Kjetil Pettersson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This has already been done. I've uninstalled the cert.server several
> times and even if I deleted old certificates from my CA server using the
> MMC snap in before uninstalling the cert.server they all come back when
> the cert.server is reinstalled. Is this by design? It's quite confusing.
>
> Does the Win2k Domain Controller need to have the certificate installed?
>
> Kjetil
>
>
>
>
>
>
> "Steven L Umbach" <(E-Mail Removed)> skrev i melding
> news:(E-Mail Removed)...
>> The server that you are using needs to have a computer certificate
>> installed. Open up the mmc certificate snapin for "computer" and look in
>> the personal store to see if there is a certificate. If there is none
>> right click the personal folder, select all tasks, and select request a
>> certificate. Select computer as the type of certificate. The CA's
>> certificate also needs to be in the trusted root folder. If it is not
>> there you will have to export it from the CA's computer certificate store
>> [no need to include private keys] to a .cer file and import it into the
>> trusted root folder. The mmc certificate snapin can only be used to
>> request certificates for domain members. Otherwise Web Enrollment will
>> need to be used. --- Steve
>>
>>
>> "Kjetil Pettersson broadpark.no>" <kjetil.pettersson@<nospam> wrote in
>> message news:(E-Mail Removed)...
>>>I have the following testlab:
>>> Windows 2000 SP4 Domain Controller/DNS
>>> Windows 2003 Server standard with IIS (incl ASP) / IAS / Certificate
>>> server
>>>
>>> The Certificate server is configured as a Enterprise CA server.
>>>
>>> I try to set up a WLAN Remote Access Policy using EAP (PEAP).
>>>
>>> When I try to edit EAP (PEAP) properties I get the following message:
>>>
>>> "A certificate could not be found that can be used with this Extensible
>>> Authentication Protocol".
>>>
>>> Any suggestions?
>>>
>>>
>>>
>>
>>
>
>