"Windows was unable to find a certificate to log you on to the network contoso..."

    Question

  • Context:

    -- Windows 2008 SP2 Server acting as DC / CA / NPS (note: this is a virtual machine running in VMware Workstation 6.5)

    -- XP SP3 client

    -- Linksys wireless router (WPA compatible) - TKIP, not AES

    I am setting up a wireless network, using a combination of WPA-RADIUS / 802.1x / EAP-TLS.

    I am at the testing stage so my domain name will be Contoso for the time being.

    When the (test) laptop boots, it obtains an IP address from the WAP (acting as my DHCP server) and can both ping the DC / CA / NPS server and be pinged from this machine (provided I adjust firewall settings as needed).

    The laptop "sees" the SSID of the preferred network and attempts to connect automatically.

    That, as well as GPRESULT and RSOP.MSC output, demonstrates that Group Policy to this effect is being applied.

    The appropriate (COMPUTER) certificate ("Client Authentication" role) is present in the certificate store of the client.

    It was installed when the laptop first connected to the network via wired media.

    The server has a certificate with the "Server Authentication" role installed.

    Event Viewer, set at default levels of logging, does not display any obvious errors (nothing obvious pertaining to the problem in question).

    Wireshark (installed on the DC / CA / NPS) shows RADIUS traffic, among others (LDAP, etc.).

    Yet... this message is displayed in a "bubble" above the Wireless Connection icon in the taskbar of the laptop:

    "Windows was unable to find a certificate to log you on to the network contoso."

    There are tons of references to this online, but all those read so far are about people using PSK or some form of authentication OTHER THAN certificate-based authentication / 802.1x, and unchecking related settings is sometimes given as a solution.

    However, I want to use 802.1x authentication with EAP-TLS.

    This is a screenshot (on Windows Live - SkyDrive) of certificate properties as defined in the GPO used to deploy the cert:

    http://tprkzw.blu.livefilestore.com/y1pNB36_ydr3UNBy0vSu--Ga2fTwjz0l5S91dmn3dnTFQo5ALJNRSBPtPq9FyXPBDFENYt0MkTmSJqtvR0f1kUebDaTm0Fo8HOv/Logon-Prb-01.JPG?psid=1

    Has anyone encountered this problem?

    What am I doing wrong?

    Friday, November 19, 2010 7:19 PM

Answers

  • Hi,

    According to the screen shot you provided, I noticed that the authentication mode is user re-authentication. I know that a computer certificate is available on the client computer. Please confirm if the user has got a valid user certificate.

    Meanwhile, to narrow down the cause of the issue, you can select the computer-only authentication and check the result.

    How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3
    http://support.microsoft.com/kb/929847

    Hope it helps.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, November 26, 2010 3:09 AM
    Moderator
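The answer above hinges on which certificate store the 802.1X profile is looking in: user re-authentication needs a usable certificate in the user's personal store, computer-only authentication needs one in the machine store. The following PowerShell script is an added example (not code from the thread or from Microsoft) that lists the candidate certificates in each store and reports why each would be rejected; it assumes PowerShell 2.0 or later on the client, the function name `Test-EapTlsClientCert` is my own.

```powershell
# Added example: report which certificates in a store are usable for EAP-TLS
# client authentication and why the others are not. Not from the original thread.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth ("Client Authentication")

function Test-EapTlsClientCert {
    param(
        # 'CurrentUser' for user re-authentication, 'LocalMachine' for computer-only
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem "Cert:\$StoreLocation\My") {
        # Read the EKU OIDs from the extension itself so the check does not rely
        # on PowerShell's EnhancedKeyUsageList convenience property.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $reasons = @()
        if ($ekus -notcontains $ClientAuthEku) { $reasons += 'no Client Authentication EKU' }
        if (-not $cert.HasPrivateKey)          { $reasons += 'no private key' }
        if ($cert.NotBefore -gt $now)          { $reasons += 'not yet valid' }
        if ($cert.NotAfter  -lt $now)          { $reasons += 'expired' }
        if (-not $cert.Verify())               { $reasons += 'chain does not build to a trusted root' }

        New-Object PSObject -Property @{
            Store      = $StoreLocation
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($reasons.Count -eq 0)
            Problems   = ($reasons -join '; ')
        }
    }
}

# A profile set to user re-authentication needs a Usable entry under CurrentUser;
# a computer-only profile needs one under LocalMachine.
@('CurrentUser', 'LocalMachine') |
    ForEach-Object { Test-EapTlsClientCert -StoreLocation $_ } |
    Format-Table Store, Subject, Usable, Problems -AutoSize
```

Running this as the logged-on user shows whether the user store is empty or holds only certificates the EAP client cannot use, which is the distinction the "unable to find a certificate" bubble hides; NPS may apply further policy checks beyond what this script tests.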

All replies

  • Joson:

    That apparently did it.

    I say apparently because I also made sure that the Radius Server had a certificate with the "Server Authentication" role. It did already, but not one created from the RAS/IAS template (I am not at my test network right now so I can't see the exact name for this). So I added that as well. That did not seem to change anything so I then changed the authentication method as you suggested.

    So, I tend to think that it was changing the authentication to "Computer Only" that did indeed resolve the issue (rather than delayed effect of my first change).

    Wednesday, December 01, 2010 1:20 PM