D
Dmitry Korolyov
There is a way to use only machine certificates and EAP-TLS authentication.
Say you have two routers, router1.domain.local and router2.domain.local. Both have automatically issued machine certificates. All you need to do is configure them to use these certificates, check "Use different user name for this connection" in advanced properties, and then in "Set Credentials" type router account names in "DOMAIN\router1$" or [email protected] form.
This approach works great if all routers are in the same domain and you have domain controllers for that domain in every site. Since it matches our scenario, it's the best one to use.
EAP authentication is preferrable for us because this way we do not have to manage dozens of user passwords - as long as machine certificates get updated automagically, we're fine. And with the approach described above you don't have to create many user accounts and manually request and map certificates - this eliminates some overhead.
Yes, there will be limitations when multiple forest connectivity is needed.
When you configure the router to use Demand dial we have to have a user name that matched this demand dial interface that's why we map a certificate to the user
If you would like to use just machine certificate then you need to use L2TP/IPSec certificates without EAPTLS but for Router to Router Authentication using EAPTLS and Demand Dial you will need to have user certificates for each demand dial connection
The statement "use a certificate on this computer" doesn't say machine certificate but we use this to differ between Smart card for RAS and certificates in local store
Why don't you use L2TP/IPSec without EAPTLS?
--
Rany ElHousieny
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------
Much thanks for all your support, but I think we have a misunderstanding here. The link you provided describes procedures needed to configure router to router authentication. They include creating user accounts and issuing certificates to user accounts. However, I do not want to create user accounts. I want calling router to be authenticated using its own machine certificate. No user accounts. The idea is to get rid of them completely.
Now after such long discussion, I wonder if it is possible at all, to configure router authentication using machine certificates only. Any materials describing configuration steps mention user account creation. But then, why does it allow for option "use a certificate on this computer" in DD interface properties?
What am I getting wrong?
I think you are getting this error because your client Certificate is not mapped correctly
here is a link that will walk you through configuring demand dial using L2TP and EAPTLS
http://www.microsoft.com/windows200...ndows2000/en/server/help/sag_RRAS-Ch3_08f.htm
--
This posting is provided "AS IS", with NO warranties and confers NO rights
What do you mean by realm manipulation? No such setting on W2k RRAS server. And, why it just doesn't work when you configure the connection to use machine certificate authentication, darn.
on the vpn server can you configure in the remote access policy realm manipulation for that machine that will convert the FQDN name to just the hostname
try this and see if it works
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Heh, the machine fqdn (srv-sub1-inet.sub1.domain1) is correct. But the sam account name searched for - DOMAIN1\srv-sub1-inet.sub1.domain1 - is incorrect. It should be DOMAIN1\srv-sub1-inet
Question: why incorrect account name is passed to authentication mechanizm? Computer name on the certificate matches its FQDN and is correct. However, instead of using machine name as specified on certificate, some weird name is constructed and used. Why?
Although I was sure that everything was fine with machine account in AD, I removed and rejoined it to domain. Didn't help.
the error you are getting is:
[2704] 18:44:41:514: NT-SAM Authentication handler received request for DOMAIN1\srv-sub1-inet.SUB1.DOMAIN1.
[2704] 18:44:41:534: ldap_search_ext_sW failed: The specified user does not exist.
the ldap query returns this error from the AD
try dijoining that machine and rejoining it ( that might resolve the issue)
This posting is provided "AS IS", with NO warranties and confers NO rights
The account does exist, othewise we'd be swarmed by a number of users being unable to access internet.
What do you mean by dial-in permissions? Computer account has no such property. Do you mean some policy setting on RAS server properties?
can you doublke check that the calling computer has corresponding account in the AD, and that dial in permissions are enabled for the account
--
This posting is provided "AS IS", with NO warranties and confers NO rights
all routers are in the same forest
ah ok
in this case if you are using machine authentication there needs to be a machine account in AD for the corresponding machine that dial in.
is the machine that dial in joined to the domain1?
--
This posting is provided "AS IS", with NO warranties and confers NO rights
I am using EAP with machine certificates. One router establishes L2TP VPN connection to another router.
During interface setup, yes, it asked me for user credentials and such. But later I changed authentication type on demand-dial interface to EAP (Security-Advanced (custom settings), use EAP). In properties, "Use certificate on this computer" is set. When you right-click the interface and click "Set Credentials", you are given a combo box allowing you to select between existing machine certificates installed. So, I don't get at all what user accounts we are talking about.
yes but still the user your using needs to exist in the AD
are you using smart card authentication? if so how did you manage to issue a cert to the user if it does not exist in the AD?
--
This posting is provided "AS IS", with NO warranties and confers NO rights
What user account are we talking about? Ain't we using certificates for authentication?
the user account you are using does not exist in the domain
the server tries to look up the user in DOMAIN1
and does not find it
double check that the user you are using for this connection exists
--
This posting is provided "AS IS", with NO warranties and confers NO rights
There are attached trace files.
raschap.log is empty
from the error itself I can't tell we need more details.
you have a server cert with the right EKU installed on your server?
can you provide us with trace log from the server side:
run " netsh ras set tr * en" from a command prompt
repro the problem and then post the rastls, iassam, and raschap trace logs that you will find in %windir%\tracing folder
thanks
--
This posting is provided "AS IS", with NO warranties and confers NO rights
When I manually try to establish connection, I receive the following error message:
Access was denied because the username and/or password was invalid on the domain
I use EAP authentication, and correct certificates are specified in DD interface properties. What does that mean by invalid username? Invalid certificates?
TIA,
Dmitry Korolyov
Say you have two routers, router1.domain.local and router2.domain.local. Both have automatically issued machine certificates. All you need to do is configure them to use these certificates, check "Use different user name for this connection" in advanced properties, and then in "Set Credentials" type router account names in "DOMAIN\router1$" or [email protected] form.
This approach works great if all routers are in the same domain and you have domain controllers for that domain in every site. Since it matches our scenario, it's the best one to use.
EAP authentication is preferrable for us because this way we do not have to manage dozens of user passwords - as long as machine certificates get updated automagically, we're fine. And with the approach described above you don't have to create many user accounts and manually request and map certificates - this eliminates some overhead.
Yes, there will be limitations when multiple forest connectivity is needed.
When you configure the router to use Demand dial we have to have a user name that matched this demand dial interface that's why we map a certificate to the user
If you would like to use just machine certificate then you need to use L2TP/IPSec certificates without EAPTLS but for Router to Router Authentication using EAPTLS and Demand Dial you will need to have user certificates for each demand dial connection
The statement "use a certificate on this computer" doesn't say machine certificate but we use this to differ between Smart card for RAS and certificates in local store
Why don't you use L2TP/IPSec without EAPTLS?
--
Rany ElHousieny
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------
Much thanks for all your support, but I think we have a misunderstanding here. The link you provided describes procedures needed to configure router to router authentication. They include creating user accounts and issuing certificates to user accounts. However, I do not want to create user accounts. I want calling router to be authenticated using its own machine certificate. No user accounts. The idea is to get rid of them completely.
Now after such long discussion, I wonder if it is possible at all, to configure router authentication using machine certificates only. Any materials describing configuration steps mention user account creation. But then, why does it allow for option "use a certificate on this computer" in DD interface properties?
What am I getting wrong?
I think you are getting this error because your client Certificate is not mapped correctly
here is a link that will walk you through configuring demand dial using L2TP and EAPTLS
http://www.microsoft.com/windows200...ndows2000/en/server/help/sag_RRAS-Ch3_08f.htm
--
This posting is provided "AS IS", with NO warranties and confers NO rights
What do you mean by realm manipulation? No such setting on W2k RRAS server. And, why it just doesn't work when you configure the connection to use machine certificate authentication, darn.
on the vpn server can you configure in the remote access policy realm manipulation for that machine that will convert the FQDN name to just the hostname
try this and see if it works
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Heh, the machine fqdn (srv-sub1-inet.sub1.domain1) is correct. But the sam account name searched for - DOMAIN1\srv-sub1-inet.sub1.domain1 - is incorrect. It should be DOMAIN1\srv-sub1-inet
Question: why incorrect account name is passed to authentication mechanizm? Computer name on the certificate matches its FQDN and is correct. However, instead of using machine name as specified on certificate, some weird name is constructed and used. Why?
Although I was sure that everything was fine with machine account in AD, I removed and rejoined it to domain. Didn't help.
the error you are getting is:
[2704] 18:44:41:514: NT-SAM Authentication handler received request for DOMAIN1\srv-sub1-inet.SUB1.DOMAIN1.
[2704] 18:44:41:534: ldap_search_ext_sW failed: The specified user does not exist.
the ldap query returns this error from the AD
try dijoining that machine and rejoining it ( that might resolve the issue)
This posting is provided "AS IS", with NO warranties and confers NO rights
The account does exist, othewise we'd be swarmed by a number of users being unable to access internet.
What do you mean by dial-in permissions? Computer account has no such property. Do you mean some policy setting on RAS server properties?
can you doublke check that the calling computer has corresponding account in the AD, and that dial in permissions are enabled for the account
--
This posting is provided "AS IS", with NO warranties and confers NO rights
all routers are in the same forest
ah ok
in this case if you are using machine authentication there needs to be a machine account in AD for the corresponding machine that dial in.
is the machine that dial in joined to the domain1?
--
This posting is provided "AS IS", with NO warranties and confers NO rights
I am using EAP with machine certificates. One router establishes L2TP VPN connection to another router.
During interface setup, yes, it asked me for user credentials and such. But later I changed authentication type on demand-dial interface to EAP (Security-Advanced (custom settings), use EAP). In properties, "Use certificate on this computer" is set. When you right-click the interface and click "Set Credentials", you are given a combo box allowing you to select between existing machine certificates installed. So, I don't get at all what user accounts we are talking about.
yes but still the user your using needs to exist in the AD
are you using smart card authentication? if so how did you manage to issue a cert to the user if it does not exist in the AD?
--
This posting is provided "AS IS", with NO warranties and confers NO rights
What user account are we talking about? Ain't we using certificates for authentication?
the user account you are using does not exist in the domain
the server tries to look up the user in DOMAIN1
and does not find it
double check that the user you are using for this connection exists
--
This posting is provided "AS IS", with NO warranties and confers NO rights
There are attached trace files.
raschap.log is empty
from the error itself I can't tell we need more details.
you have a server cert with the right EKU installed on your server?
can you provide us with trace log from the server side:
run " netsh ras set tr * en" from a command prompt
repro the problem and then post the rastls, iassam, and raschap trace logs that you will find in %windir%\tracing folder
thanks
--
This posting is provided "AS IS", with NO warranties and confers NO rights
When I manually try to establish connection, I receive the following error message:
Access was denied because the username and/or password was invalid on the domain
I use EAP authentication, and correct certificates are specified in DD interface properties. What does that mean by invalid username? Invalid certificates?
TIA,
Dmitry Korolyov
