Re: ipsec with certificate authentication issue
- From: "djc" <noone@xxxxxxxxxxx>
- Date: Tue, 13 Dec 2005 07:54:34 -0500
ignore question 2)B. below. I found the tlntadmn.exe utility and made the
change.
"djc" <noone@xxxxxxxxxxx> wrote in message
news:uqfvFh2$FHA.3372@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks for the reply Steven. I added the offline ipsec cert template on my
> CA and installed one on both client and server. I believe the
> ipsec/certificates part is working now (connects successfully now but now I
> have a telnet server config question - see below). Thank you!
>
> 1) initially I chose the 'install certification path' option from windows
> 2000 enterprise CA web form... ipsec connection didn't work. Then I just
> chose to download the .cer file for the CA's certificate and manually
> imported it into the trusted root cert store for the local machine and then
> it worked. What is the 'install certification path' for? from the
> description on the page it sounded like that should have worked for me?
>
> 2) A. unrelated to original post/problem but: After I connect to the telnet
> server (win 2000 server sp4) it rejects the connection saying only NTLM Auth
> is accepted. The client in this case is a computer that is NOT a member of
> the domain (connected remotely via VPN). Is there a way for me to send NTLM
> credentials to the telnet server? Obviously not the local machine
> credentials but how about the domain credentials I use for the VPN? I'm
> thinking probably not but I figured I would ask anyway...
>
> 2) B. if I can't send NTLM can the telnet server be changed to accept 'clear
> text' login (which really wouldn't be since it's via a PPTP VPN and transport
> ipsec at the application layer)?
>
> thanks again for the help.
>
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
> news:%23m8TQ5e$FHA.344@xxxxxxxxxxxxxxxxxxxxxxx
> > Look in the security log of each computer to see if there is any information
> > about IKE failure that may help determine what is going on. Windows 2000 has
> > much less logging than Windows 2003. You also want to make sure you have
> > auditing of logon events enabled in the Local Security Policy of each
> > computer. My guess is there may be a problem with the administrator
> > certificates and I would try to use a computer or offline ipsec certificate
> > [which always worked for me] instead and remove the administrator
> > certificate from the computer store. In Windows 2000 Enterprise CA you need
> > to enable the offline ipsec template on the CA before it will show up as an
> > option via Web Enrollment as an advanced request and then you want to
> > specify the computer name and be sure to select to store in computer
> > store. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;257225 --- Windows
> > 2000 ipsec troubleshooting.
> >
> >
> >
> > "djc" <dcopenhaver@xxxxxxxxxxxxxxx> wrote in message
> > news:OZ1ZUDZ$FHA.216@xxxxxxxxxxxxxxxxxxxxxxx
> > >I have ipsec setup for telnet (transport). I'll leave out all the filter
> > >details as I don't think they are pertinent to the problem. It works fine
> > >with preshared key but I cannot get it to work with certificate
> > >authentication. Client machine is connected to the lan via pptp vpn and
> > >telnet server resides on the remote lan. This works fine with preshared
> > >key. Both machines have my own MS cert server's certificate installed in
> > >their local machine store's trusted root certification authorities folder
> > >and both machines have their own certificate issued from this CA installed
> > >in their own local machine store. The cert was obtained via ms cert
> > >services web interface using the 'administrator' template. But if I
> > >understand correctly the type of cert on each machine does not really
> > >matter as long as they are both from the same trusted root CA, which they
> > >are.
> > >
> > > I'm really not sure where to go from here. I know the issue must be
> > > certificate auth related since it works just fine with preshared key.
> > >
> > > any help would be greatly appreciated.
> > >
> >
> >
>
>