EAP/TLS and "Windows was unable to find a certificate. . ."


Paul

I have a tablet PC running XP tablet edition that I am
using to set up a small wireless lan. Additionally, I
have a Windows 2003 server acting as both a radius server
and certificate authority. The tablet is a member of the
same domain that the 2003 server is.

When I log on to the tablet as domain user BobSmith, I can
launch IE, browse to the cert auth, request and install a
User cert with no problem. At that point, I can configure
the wireless connection for 802.1x "Smart card or other
certificate" and my connection is established to the
wireless network, "Authentication Succeeded".

What I would like to do, however, is not log in to the
desktop as a domain user, rather just a user local to the
tablet. In doing so, I can browse the cert auth (and
authenticate to it via the browser as domain user
JohnDoe), request and install a user cert, but the
wireless connection fails. Logged in as a local user, I
can see the certificate in mmc (under the name of
JohnDoe), but the "Validating Identity" phase fails with
the error message "Windows was unable to find a
certificate to log you on to the network [SSID]" (where
SSID is my AP's network name).

The radius server (IAS) is configured to authenticate both
JohnDoe and BobSmith, but while logged in to the tablet as
a local user, neither the AP nor the IAS server get an
authentication request. Is it possible to log in as a
local user and still use a domain user's certificate for
EAP-TLS 802.1x authentication?

Thanks.
 

allan grossman [mvp]

Hi, Paul -

I'm not the most high-speed PKI type out there, but it
appears to me all that needs to happen is the domain
certificates need to be installed in your local profile's
certificate store.

Can you download the cert to floppy disk while logged on
as a domain user and install it as a local user?

If that doesn't do it I won't be much help - I work for
the federal government and my certificates are smartcard-
based - I can use them as either a local or domain user.
Maybe someone a bit brighter than me will have a better
solution ;-)

Good luck -
 

Paul

In a word: Thankyouverymuch.

The solution you suggested worked. I installed the user
cert logged in as a domain user and promptly exported it
using mmc, private keys and all. I then logged in a local
user, imported the cert and was prompted to choose that
certificate when I enabled 802.1x on the wireless
connection.

I don't quite understand why the certificates are
different, but I'll not split hairs at this point.

Thanks again.
 

allan grossman [mvp]

Glad to be of service, Paul ;-)

Certificate stores are user profile-specific, not machine-
specific. I think that's where the sticking point was.
Anyway, I'm glad you got it going.

cheers -
 

Xuemei Bao

Yes, the simple way to do it is to just install that domain user's certificate
for that local user account.
Log in as the local user, go to mmc->add snapin->Certificates->my user
account->finish.
Open certificates->current user->personal->certificates->import the domain
user cert.
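The thread's answer comes down to two facts: the supplicant looks only in the logged-on profile's Personal store, and the certificate it finds there must carry its private key, the Client Authentication EKU and a chain to a trusted root. The script below is an added example, not from this thread or from Microsoft; it reports those properties for every certificate in the current user's store and shows the export/import the posters did by hand. It assumes the PowerShell PKI module (Windows 8 / Server 2012 or later, so not the XP tablet in the thread); `<THUMBPRINT>` is a placeholder.

```powershell
# Added example: report which certificates in the current profile's Personal
# store an EAP-TLS supplicant can actually use. Not code from the thread.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)

function Test-EapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Find the EKU extension, if the certificate has one.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # a cert exported without its key is useless for EAP-TLS
        ClientAuthEku = $hasClientAuth        # "Smart card or other certificate" requires this EKU
        ChainsToRoot  = $Cert.Verify()        # the issuing CA must be trusted in THIS profile as well
        NotAfter      = $Cert.NotAfter
    }
}

# Certificate stores are per user profile, so this only sees the logged-on
# user's store, which is exactly why the local user saw nothing usable.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsCertificate $_ } |
    Format-Table -AutoSize

# Moving a certificate between profiles the way the thread describes:
# run the export while logged on as the domain user, then the import as
# the local user. The PFX carries the private key, so protect the file.
# $pfxPassword = Read-Host -AsSecureString 'PFX password'
# Export-PfxCertificate -Cert Cert:\CurrentUser\My\<THUMBPRINT> -FilePath .\user.pfx -Password $pfxPassword
# Import-PfxCertificate -FilePath .\user.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

If `ChainsToRoot` is false after the import, the local profile is missing the CA's root or intermediate certificate, which is a separate store from the user certificate itself.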
 
