IAS EAP-TLS Certificate Error

gw

Hi,
I have a three tier PKI with offline root CA. We recently had to renew
the CA cert of the intermediate and the CA certs of all issuing CA's. We
have currently two issuing CA's running on two DC's /IAS which are used
to issue certs to users at two different locations. These users
authenticate via EAP-TLS at the IAS when going wireless.
After the renewal of the CA certs one of the locations works still fine.
At the other location the old users who got their cert before the change
can still log on. The new users with certs issued after the change
cannot log on. IASSAM.log shows: EAP authentication failed: The
certificate chain was issued by an untrusted authority.
The certs look just fine and the chain is correct. I already renewed the
computer cert for the IAS.
Any hint is appreciated
regards
GW
 
Brian Komar

What operating system are the client computers running?
Do they have the MS04-11 patch applied?

Brian
 
Brian Komar

The clients run Windows XP Embedded SP1 :)
Günter
It sounds like you are having CRL or CA certificate retrieval problems.
Your best course of action is to test the certificates (old and new) by
exporting the certificates (base64 or DER), and then running
certutil -verify -urlfetch (CertificateFileName)

and check the output. You may find they are unable to download the
necessary certs. Also, when you renewed the root CA intermediate certs,
did you republish to AD the renewed cert

certutil -dspublish (CACertificateFileName) SubCA ==> For Sub CAs
certutil -dspublish (CACertificateFileName) RootCA ==> For Root CAs

Brian
 
Günter Weisz

Hi
thank you Brian.
The root CA cert has not been renewed, only the intermediate CA cert, since
the root cert lifetime was extended during installation, but we forgot to
extend the lifetime of issued certs on the root CA initially; it was left at
the default. So we had to renew the intermediate CA cert and all issuing CA
certs after less than two years.
So this means there is no need to republish the root CA cert to AD.
But I did not republish the intermediate CA cert to AD.
If this were the problem, why is the second location working then?
I tried certutil -dspublish, but dspublish is not a valid option with the
Windows 2000 certutil.
Günter
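
The checks Brian recommends (build the chain with network retrieval, then confirm that the renewed CA certificates are actually present on the server and in AD) and Günter's question about why only one site fails can be scripted so that the output from the failing IAS server can be compared line for line with the working one. The following is an added example written for this page, not code from either poster. It assumes Windows PowerShell 5.1 or later with certutil.exe on the path (the Windows 2000 certutil Günter mentions has no -dspublish, and that platform has no PowerShell); the certificate path and the CA common names in it are placeholders.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+ on the
# IAS/NPS server and certutil.exe on the path. Placeholders: $UserCertPath is a .cer
# (DER or Base64) exported from a user enrolled AFTER the CA renewal; $CaCommonNames
# are the CNs of the renewed intermediate and issuing CAs in your PKI.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]   $UserCertPath,
    [string[]] $CaCommonNames = @('Corp-Intermediate-CA',   # placeholder
                                  'Site2-Issuing-CA')       # placeholder
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath

# 1. Build the chain the way the IAS server does for EAP-TLS: trusted roots and
#    intermediates from this machine's own stores, AIA/CDP fetched over the network,
#    revocation checked for the whole chain. PartialChain on an element means no issuer
#    certificate was found locally or via AIA; UntrustedRoot means the chain ended in a
#    root that is not in LocalMachine\Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = 'Online'
$chain.ChainPolicy.RevocationFlag       = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($leaf)

"Leaf   : $($leaf.Subject)"
"Issuer : $($leaf.Issuer)"
"Chain built without errors: $built"
foreach ($el in $chain.ChainElements) {
    $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $st) { $st = 'OK' }
    '  {0}  {1}  [{2}]' -f $el.Certificate.Thumbprint, $el.Certificate.Subject, $st
}
foreach ($s in $chain.ChainStatus) {
    "  ! $($s.Status): $($s.StatusInformation.Trim())"
}

# 2. Which copies of the renewed CA certificates does this server hold? A renewed CA
#    certificate keeps its subject name but gets a new thumbprint and validity period,
#    so look for the copy with the later NotBefore, not just for the name.
foreach ($store in 'Root', 'CA') {
    "`nLocalMachine\$store:"
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object {
            $subj = $_.Subject
            $CaCommonNames | Where-Object { $subj -like "*CN=$_*" }
        } |
        Sort-Object Subject, NotBefore |
        Format-Table Thumbprint, NotBefore, NotAfter, Subject -AutoSize | Out-String
}

# 3. What AD publishes, i.e. the stores that certutil -dspublish writes to: the
#    enterprise 'CA' store is the AIA container, 'Root' the Certification Authorities
#    container, 'NTAuth' the NTAuthCertificates object.
foreach ($store in 'Root', 'CA', 'NTAuth') {
    "`nEnterprise (AD) $store store:"
    certutil -store -enterprise $store |
        Select-String -Pattern '^\s*(Subject|NotBefore|NotAfter|Cert Hash)'
}

# 4. Brian's check, kept for the per-URL fetch log: it shows which AIA and CDP URLs
#    the server could and could not retrieve while building the chain.
certutil -verify -urlfetch $UserCertPath |
    Select-String -Pattern '^\s*(Issuer|Subject):|Failed "|Verified "|CERT_|0x8'
```

Run it on the IAS server at each location with the same post-renewal user certificate and diff the two outputs. A renewed issuing or intermediate CA certificate that is listed in the working server's LocalMachine\CA (or in the enterprise CA store) but missing from the failing server's, or an AIA URL that fails only from the failing site, is the first thing to look at.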
