IPsec enforcement problems

  • Question

  • Hi everyone,

    I am running a lab test of IPsec enforcement with one CA server (also running AD and DNS), one subordinate server with HRA and NPS, and two Vista computers.

    I have some problems when I apply an IPsec policy on my secure network. My two clients cannot communicate when I configure my firewall to require inbound and request outbound authentication.

    Of course, I have opened the ICMP protocol on my clients with firewall rules.

    I verified that the client has a certificate and the NAP policy settings, but when I run netsh nap client show state, IPsec is not enabled; whereas when I run netsh nap client show config or show grouppolicy, IPsec is enabled.

    On a client, I try to ping the other IP address, but it does not respond.

    I have another question: the computer (server) in the boundary network gets NAP policy settings like IPsec enforcement enabled, Security Center, etc.

    Thanks for your help!

    Wednesday, March 5, 2008 7:24 PM

Answers

  • Hi,

    Make sure the certificate that your clients obtained is the domain authenticated certificate. This certificate will have purposes of system health authentication and client authentication.

    You should probably just remove the "nondomainHRA" URL from the list of trusted servers entirely. This was done in the step by step guide to demonstrate a workgroup certificate. Check event viewer on the client computers to make sure you are getting a certificate from the DomainHRA Web site on both clients.

    I think your second question is asking why the server in the boundary network is getting NAP client Group Policy settings applied. Is this correct? This can happen if you enabled these settings in default domain policy instead of creating a new GPO, or if you didn't remove "authenticated users" from the new GPO.

    -Greg

    Thursday, March 6, 2008 7:05 AM
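The certificate check Greg describes, as an added PowerShell example that is not part of the thread: it lists the computer's personal-store certificates and classifies each by Enhanced Key Usage, so a client that only holds an unauthenticated health certificate is spotted before debugging IPsec. The OID values and the function name are assumptions of this example.

```powershell
# Added example (not from the thread): classify the NAP client's certificates by
# Enhanced Key Usage. A domain-authenticated health certificate carries both
# "System Health Authentication" and "Client Authentication" purposes.
# Assumed OIDs: 1.3.6.1.4.1.311.47.1.1 = System Health Authentication,
#               1.3.6.1.5.5.7.3.2    = Client Authentication.
$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'

function Get-NapHealthCertificateReport {
    param(
        # Health certificates are issued to the computer account, so inspect the machine store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert    = $_
        $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $hasHealth = $ekuOids -contains $SystemHealthAuthOid
        $hasClient = $ekuOids -contains $ClientAuthOid
        # A health certificate lacking Client Authentication is the "unauthenticated"
        # kind the thread describes: IPsec peers cannot authenticate each other with it.
        $kind = if ($hasHealth -and $hasClient) { 'DomainAuthenticatedHealth' }
                elseif ($hasHealth)            { 'UnauthenticatedHealth' }
                else                           { 'NotHealthCert' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Kind       = $kind
            Thumbprint = $cert.Thumbprint
        }
    }
}

$report = Get-NapHealthCertificateReport
$report | Where-Object { $_.Kind -ne 'NotHealthCert' } |
    Format-Table Subject, Issuer, Kind, NotAfter, Expired -AutoSize

$valid = $report | Where-Object { $_.Kind -eq 'DomainAuthenticatedHealth' -and -not $_.Expired }
if (-not $valid) {
    # Matches the thread's diagnosis: wrong HRA URL or a broken HRA SSL binding leaves
    # the client without a usable certificate, so IPsec-enforced peers never connect.
    Write-Warning ('No valid domain-authenticated health certificate. Check the trusted ' +
                   'HRA URL list (netsh nap client show group) and the client event log.')
}
```

Run it in an elevated PowerShell session on each Vista client; an 'UnauthenticatedHealth' row with no 'DomainAuthenticatedHealth' row reproduces exactly the situation the original poster reports.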

All replies

  • Execute the command "napclcfg.msc" from the Run menu on your Vista client and verify that, under "Enforcement client", IPsec enforcement is enabled. Next, in the same window, verify the URL under "trusted HRA server" (is it the same as you configured in the GPO?). What events are you getting on your NPS server when your Vista client joins the domain?

    Regarding the boundary network, are you talking about the NPS server? On the NPS server the NAP client setting for Security Center is not required, and I think the "Security Center" service is not available on the NPS server.

    Regards
    Brijesh Shukla
    Thursday, March 6, 2008 12:19 AM
  • Thanks Greg, you are right.

    My computer received an unauthenticated certificate. I don't know how, but you are right.

    Do you have an idea of the steps to make my computers automatically get an authenticated certificate with the purposes of system health authentication and client authentication?

    I looked in the event viewer on the computer and the server and I have no errors.

    Thanks for your help again, Greg.

    Thursday, March 6, 2008 9:05 AM
  • Hi,

    If the client computer is configured to contact the DomainHRA Web site first, and there is no error, you should get the correct certificate. If the client contacts the NonDomainHRA Web site first, it will get this certificate and won't try to obtain one from the DomainHRA Web site.

    To be safe, just remove the NonDomainHRA Web site from the client configuration (in Group Policy settings assuming you are using Group Policy). Then do a gpupdate /force on the client to refresh Group Policy. This should download the correct certificate (it happens when you refresh Group Policy).

    On the client computer, open a command prompt and type netsh nap client show group, and you should see only this URL:

    https://nps1.contoso.com/domainhra/hcsrvext.dll

    You should also see the correct certificate in the certificates snap-in.

    -Greg

    Thursday, March 6, 2008 6:22 PM
  • Yes, you are right.

    I found where my problem comes from. My SSL certificate for the Web service does not work, so a computer attempting to receive a health certificate fails. So I tried to configure my Web server certificate correctly, including an SSL certificate, but it does not work.

    I get a message that says "IIS7 Complete Certificate Request Fails with Error: ASNI1 bad tag value met. 0X80009310b (ASN:267)"

    So the computer cannot receive an authenticated certificate for authentication, only an unauthenticated one.

    Do you have a step-by-step guide to configure SSL correctly?

    Thanks for your help.

    Thursday, March 6, 2008 10:21 PM
  • Hi,

    If you are using the most recent version of the step by step guide (Feb 2008), it has instructions on how to configure an SSL certificate on HRA. If you didn't create the SSL certificate before installing HRA, you can still add one afterward. Just follow the instructions to enroll the HRA with an SSL certificate, and then use IIS Manager to associate the SSL certificate with port 443 on the HRA.

    See http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2686441&SiteID=17 for further information. Note: you don't need a client SSL certificate because the server setting is "ignore" client certificates. You only need the server SSL certificate on HRA.

    -Greg

    P.S. You can also simply not use SSL if you wish. Change the URL from https:// to http:// and it will work fine. You'll need to uncheck the "require SSL" check box to do this.

    Thursday, March 6, 2008 11:05 PM
  • OK, I did this.

    Big thanks, Greg!

    Friday, March 7, 2008 8:37 AM