Re: ipsec with certificate authentication issue

Thanks for the reply Steven. I added the offline ipsec cert template on my
CA and installed one on both client and server. I believe the
ipsec/certificates part is working now (connects successfully now but now I
have a telnet server config question - see below). Thank you!

1) Initially I chose the 'install certification path' option from the Windows
2000 Enterprise CA web form... ipsec connection didn't work. Then I just
chose to download the .cer file for the CA's certificate and manually
imported it into the trusted root cert store for the local machine and then
it worked. What is the 'install certification path' for? From the
description on the page it sounded like that should have worked for me?

2) A. unrelated to original post/problem but: After I connect to the telnet
server (win 2000 server sp4) it rejects the connection saying only NTLM Auth
is accepted. The client in this case is a computer that is NOT a member of
the domain (connected remotely via VPN). Is there a way for me to send NTLM
credentials to the telnet server? Obviously not the local machine
credentials but how about the domain credentials I use for the VPN? I'm
thinking probably not but I figured I would ask anyway...

2) B. If I can't send NTLM, can the telnet server be changed to accept 'clear
text' login (which really wouldn't be clear text since it's via a PPTP VPN and
transport ipsec at the application layer)?

Thanks again for the help.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23m8TQ5e$FHA.344@xxxxxxxxxxxxxxxxxxxxxxx
> Look in the security log of each computer to see if there is any
> information about IKE failure that may help determine what is going on.
> Windows 2000 has much less logging than Windows 2003. You also want to make
> sure you have auditing of logon events enabled in the Local Security Policy
> of each computer. My guess is there may be a problem with the administrator
> certificates and I would try to use a computer or offline ipsec certificate
> [which always worked for me] instead and remove the administrator
> certificate from the computer store. In Windows 2000 Enterprise CA you need
> to enable the offline ipsec template on the CA before it will show up as an
> option via Web Enrollment as an advanced request and then you want to
> specify the computer name and be sure to select to store in computer
> store. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;257225 --- Windows
> 2000 ipsec troubleshooting.
>
>
>
> "djc" <dcopenhaver@xxxxxxxxxxxxxxx> wrote in message
> news:OZ1ZUDZ$FHA.216@xxxxxxxxxxxxxxxxxxxxxxx
> >I have ipsec setup for telnet (transport). I'll leave out all the filter
> >details as I don't think they are pertinent to the problem. It works fine
> >with preshared key but I cannot get it to work with certificate
> >authentication. Client machine is connected to the lan via pptp vpn and
> >telnet server resides on the remote lan. This works fine with preshared
> >key. Both machines have my own MS cert server's certificate installed in
> >their local machine store's trusted root certification authorities folder
> >and both machines have their own certificate issued from this CA installed
> >in their own local machine store. The cert was obtained via ms cert
> >services web interface using the 'administrator' template. But if I
> >understand correctly the type of cert on each machine does not really
> >matter as long as they are both from the same trusted root CA, which they
> >are.
> >
> > I'm really not sure where to go from here. I know the issue must be
> > certificate auth related since it works just fine with preshared key.
> >
> > any help would be greatly appreciated.
> >
>
>
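Added example, not from the thread or any poster: a PowerShell check for the condition point 1 above turned out to hinge on, namely that the issuing CA's certificate is in the computer's trusted root store (not only the current user's) and that the machine certificate in LocalMachine\My chains to it. It assumes a current Windows host with PowerShell 5 or later and the Cert: drive; the function name is hypothetical.

```powershell
# Added example (not from the thread). For each certificate with a private key
# in LocalMachine\My, report whether it chains to a root that is present in
# LocalMachine\Root. IKE authenticates with the computer's certificate and
# trusts the computer's root store, so a CA cert that landed only in the
# current user's store is not enough. Function name is hypothetical.
function Test-IpsecMachineCert {
    [CmdletBinding()]
    param()

    $machineRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
    $userRoots    = Get-ChildItem Cert:\CurrentUser\Root  | ForEach-Object { $_.Thumbprint }

    # Only a certificate with a private key can be used to sign IKE payloads.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
    if ($certs.Count -eq 0) {
        Write-Warning 'No certificate with a private key in LocalMachine\My'
        return
    }

    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: inspect the chain without requiring CRL access.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $builds = $chain.Build($cert)
        # The last element is the highest certificate the builder could reach
        # (the root when the chain is complete, the leaf when the issuer is missing).
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inMachine = $machineRoots -contains $top.Thumbprint
        $inUser    = $userRoots -contains $top.Thumbprint

        [pscustomobject]@{
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            ChainBuilds         = $builds
            TopOfChain          = $top.Subject
            RootInMachineStore  = $inMachine
            RootOnlyInUserStore = $inUser -and -not $inMachine
            ChainStatus         = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        $chain.Reset()
    }
}

Test-IpsecMachineCert | Format-List
```

Run it on both endpoints; a row with RootOnlyInUserStore set to True is the symptom the first post describes, and ChainStatus shows UntrustedRoot or PartialChain when the CA certificate is missing from the machine store altogether.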