HRA cert subject name

  • Question

  • Hi, I am not getting the desired certificate subject name for the HRA NAP enforcement client.

    If the computer is compliant, it gets HRAserver$@domain.com as the subject name instead of Client1$@domain.com (assuming the client computer name is Client1).

    Consequently, IPsec authentication with the internal server fails because of the subject name mismatch.

    I am using a single-box NPS + HRA + Enterprise CA config.

    Any help would be appreciated.

    Cheers

    Tuesday, April 8, 2008 4:04 AM

Answers

  • Thanks. I have found the root cause of the problem.

    The cert needs to have the SHA EKU. The NAP client (XP) has the cert with this EKU, but I am using the default computer cert template without this EKU on the internal server.

    Creating a new template by duplicating the computer template and including the SHA EKU solved the issue.

    Cheers

    Monday, April 14, 2008 5:22 AM

All replies

  • Hi,

    This should not cause IPsec authentication to fail unless you have some additional IPsec rules. However, if you'd like to get the client hostname in the subject name, change your certificate template properties, Subject Name tab, from "Build from this Active Directory information" to "Supply in the request." You may need to republish the template as well (delete it from certsrv.msc, then do New > Certificate Template to Issue) - I'm not entirely sure if this second step is required or not.

    -Greg

    Tuesday, April 8, 2008 10:16 PM
  • Thanks for the reply.

    I have been changing the cert template's subject name without any result, but I did not remove and re-add the template.

    You are right, the subject name should not cause IPsec to fail, but it is not working in my demo.

    I have an internal server for which I have requested a computer certificate manually, and when I ping the server from the XP machine that has passed the health check, it always shows "negotiate IP security".

    I have verified that the XP workstation has a valid cert from the HRA and that the IPsec policy (configured for CA auth) is configured and applied to both machines.

    Do you have any idea why IPsec fails?

    Cheers

    Friday, April 11, 2008 1:38 AM
  • Hi,

    A few things to check:

    1) Verify this is a computer cert, not a user cert, on both machines.

    2) Verify the certs have the "client authentication" EKU.

    3) Verify that the client has the Root CA (or whatever CA you specified in the rule) in its list of trusted roots.

    Beyond this, you might try temporarily changing the rule from require to request just to see if this allows the connection.

    -Greg

    Friday, April 11, 2008 3:40 PM
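Added example (an editor's addition, not code posted by anyone in this thread): a PowerShell script that runs Greg's three checks and the SHA EKU condition from the accepted answer against the local machine certificate store, so the same audit can be repeated on the NAP client and on the internal server. It assumes the standard OIDs 1.3.6.1.5.5.7.3.2 for Client Authentication and 1.3.6.1.4.1.311.47.1.1 for System Health Authentication (the "SHA EKU"), and that `$env:COMPUTERNAME` is the name expected in the certificate's subject or SAN; run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the original thread). Audits Cert:\LocalMachine\My for
# certificates that would satisfy the checks discussed above:
#   1) computer (machine-store) cert with a private key
#   2) Client Authentication EKU      - OID 1.3.6.1.5.5.7.3.2   (assumed, RFC 5280 id-kp-clientAuth)
#   3) chain builds to a trusted root on this machine
#   +) System Health Authentication EKU - OID 1.3.6.1.4.1.311.47.1.1 (assumed; confirm with
#      "certutil -dump" on a cert issued by the HRA if in doubt)
#   +) subject or SAN carries this machine's name (the original poster's symptom)

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'
$SystemHealthOid = '1.3.6.1.4.1.311.47.1.1'
$ExpectedHost    = $env:COMPUTERNAME   # assumption: name that should appear in subject/SAN

function Get-CertEkuOids {
    # Returns the EKU OIDs present on the certificate, or an empty array if it has no EKU extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-ChainToTrustedRoot {
    # Builds the chain with the machine's trust store. Revocation is deliberately not
    # checked here so that a missing CRL does not mask the "missing root" case (check 3).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok     = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    return [pscustomobject]@{ Ok = $ok; Status = $status }
}

function Get-SubjectAltNames {
    # Formats the subjectAltName extension (OID 2.5.29.17) as a single line, if present.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return (($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join '; ')
}

# Check 1: look in the machine store, not the user store.
$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus  = Get-CertEkuOids $cert
    $chain = Test-ChainToTrustedRoot $cert
    $san   = Get-SubjectAltNames $cert
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        SAN          = $san
        HasPrivKey   = $cert.HasPrivateKey
        ClientAuth   = ($ekus -contains $ClientAuthOid)
        SystemHealth = ($ekus -contains $SystemHealthOid)
        ChainOk      = $chain.Ok
        ChainStatus  = $chain.Status
        NameMatches  = (("$($cert.Subject) $san") -match [regex]::Escape($ExpectedHost))
        NotAfter     = $cert.NotAfter
    }
}

$results | Format-Table Thumbprint, Subject, HasPrivKey, ClientAuth, SystemHealth, ChainOk, NameMatches, NotAfter -AutoSize

# A cert that the HRA-issued-cert IPsec rule can use needs all of the following.
$usable = @($results | Where-Object {
    $_.HasPrivKey -and $_.ClientAuth -and $_.SystemHealth -and $_.ChainOk -and ($_.NotAfter -gt (Get-Date))
})
if ($usable.Count -gt 0) {
    "OK: $($usable.Count) machine certificate(s) carry both EKUs, chain to a trusted root and are not expired."
} else {
    "FAIL: no machine certificate carries both Client Authentication and System Health Authentication EKUs and chains to a trusted root on $ExpectedHost."
}
```

A row that shows ClientAuth but not SystemHealth is the template problem from the accepted answer (the default Computer template does not carry that EKU); a row that fails only ChainOk points at check 3, a missing root on that machine; a row with NameMatches false reproduces the original subject name symptom. On the CA itself, `certutil -CATemplates` lists the templates the CA is currently issuing, which is the quickest way to confirm that a duplicated template was actually published before chasing the client side.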