Certificate auto-enrollment failed, unable to connect using EAP-TLS

    General discussion

  • Hi,

    I have a Sub-CA (windows server 2003) installed in my environment and issuing both user and computer certificates to users (win XP). GPO is configured to allow certificate auto-enrollment. Both the certificates are required to connect to my environment's WIFI network that is running on 802.1X EAP-TLS authentication.

    The idea is to use the computer certificate (pre-loaded onto the user's device) to log in first and, after login, receive a user certificate during auto-enrollment and re-authenticate using the user certificate. The problem I'm facing now is that the auto-enrollment for the user certificate seems to be random.

    I suspect it is due to the 20 RPC high port range set for my Sub-CA. Any suggestions?

    Friday, 29 June 2012 1:07

All replies

  • Hello,

    for security questions it is better to ask in http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, 28 June 2012 7:09
  • Before enabling 802.1x with user re-authentication, you need to make sure that the user has already received their certificates; otherwise you will end up in a race condition with the same result you are experiencing.

    To troubleshoot autoenrollment, check for errors/failures and successful enrollments in the Application event log on the client machine. Additionally, check if there are any failed requests reaching the CA.

    /Hasain

    Friday, 29 June 2012 7:36
  • Is there any other way to auto-distribute user certificates to users other than using GPO certificate auto-enrollment?
    Friday, 29 June 2012 9:06
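The two checks Hasain describes (client-side autoenrollment events, and whether the user actually holds a usable certificate before 802.1X user re-authentication is enforced) can be scripted. The following PowerShell is an added example and is not code from the thread or from Microsoft. It assumes the Application-log source names listed in the script (the legacy "AutoEnrollment" source on XP/2003, the longer source name on later Windows), that the Client Authentication EKU OID is 1.3.6.1.5.5.7.3.2, and that certutil's Disposition=31 selects failed requests on the CA; the EventID-to-meaning mapping in the comments is likewise an assumption about the legacy autoenrollment events.

```powershell
# Added example (not from the thread). Assumed names: the Application-log event
# sources below, the Client Authentication EKU OID, and certutil's Disposition codes.

$AutoEnrollSources = @(
    'AutoEnrollment',                                             # XP / Server 2003 (assumed)
    'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'  # Vista and later (assumed)
)

function Get-AutoEnrollmentEvents {
    # Pull recent autoenrollment events from the client's Application log.
    # Legacy meaning assumed: EventID 13 = enrollment failed (e.g. RPC server unavailable,
    # which is what a too-small CA RPC port range or a blocked firewall would produce),
    # EventID 15 = could not contact Active Directory, EventID 19 = enrollment succeeded.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Application -After $since -ErrorAction SilentlyContinue |
        Where-Object { $AutoEnrollSources -contains $_.Source } |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

function Get-UserClientAuthCert {
    # EAP-TLS user authentication needs a user certificate in CurrentUser\My that is
    # unexpired, has a private key and carries the Client Authentication EKU.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
        }
}

$events   = Get-AutoEnrollmentEvents
$failures = $events | Where-Object { $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning' }
if ($failures) {
    Write-Host "Autoenrollment reported $(@($failures).Count) error/warning event(s) in the last 24h:"
    $failures | Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
} else {
    Write-Host "No autoenrollment errors or warnings in the last 24h."
}

$userCert = Get-UserClientAuthCert
if ($userCert) {
    Write-Host "Usable user client-authentication certificate(s) present:"
    $userCert | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    # This is the race Hasain describes: user-level 802.1X is enforced before the
    # user certificate has been issued, so the re-authentication can only fail.
    Write-Host "No usable user client-authentication certificate; user-level EAP-TLS will fail."
    # On Vista and later, 'certutil -pulse' triggers an autoenrollment pass immediately (assumed).
}

# On the CA itself, list requests that failed (as opposed to being denied by template
# permissions) so transport problems such as RPC port reachability can be told apart
# from policy problems. Disposition 31 = failed, 30 = denied (assumed codes).
#   certutil -view -restrict "Disposition=31" -out "RequestID,RequesterName,SubmittedWhen,DispositionMessage"
#   certutil -view -restrict "Disposition=30" -out "RequestID,RequesterName,SubmittedWhen,DispositionMessage"
```

Run the script in the user's own session (the user store and the user's autoenrollment events are per-logon); a machine whose only events are EventID 13 with an RPC-unavailable message points at CA reachability, while a clean event log with no user certificate present points at the ordering problem Hasain describes rather than at the CA.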
  • No, autoenrollment is the primary tool/method to use!

    The feeling I am getting here is that the problem is not using GPO and autoenrollment as such, it is rather the situation where you require user based 802.1x with certificates before the user actually has received the required certificate.

    /Hasain

    Friday, 29 June 2012 12:49