Solved

L2TP IPSec VPN - Requesting Client Authentication Certificate

Posted on 2006-07-13
Last Modified: 2008-01-09
Hello,

I have set up Windows Server 2003 RRAS for L2TP IPSec VPN and it works when I use a pre-shared key; however, I want to make it work with certificates and have been having some trouble.

I have an Enterprise Root CA installed on our domain controller and I have had it issue a Computer Certificate for Server Authentication to the RRAS Server, which is also running ISA 2004.

The problem is that I don't seem to be able to get an appropriate certificate to a VPN client (not a member of the domain). I receive error 786: "The L2TP Connection attempt failed because there is no valid machine certificate on your computer for security authentication".

I can access the certificate server from the client I am trying to set up by connecting the VPN via PPTP or using a pre-shared key and going to http://servername/certsrv, but I need some guidance on what to do from here please.

Really, a step-by-step "do this, do that" guide for the certificate part of this setup (RRAS server and clients) would be useful.

Thanks
Neil
Question by:ITHELP-BOCS

12 Comments
 
Expert Comment
by:SkUllbloCk
Hi

1. From the http://servername/certsrv website you need to request a new certificate.
2. If the machine you are using is not logged onto the domain already, a prompt to supply domain credentials appears.
3. In the initial Welcome screen of the Certificate server, click Request a Certificate, and then click Next.
4. In the Choose Request Type screen, click Advanced Request, and then click Next.
5. In the Advanced Certificate Requests screen, click Submit a certificate request to this CA using a form, and then click Next.
6. In the Advanced Certificate Request screen for the Certificate Template option, select Administrator.
7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, Signature for Key Usage and 1024 for Key Size.
8. Leave the Create new key set option enabled (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
9. Leave all the other options set to the default value unless you need to make a specific change.
10. Click Submit.
11. The Certificate Issued screen should appear. Click Install this Certificate. The Certificate Installed screen should appear with the message:
Your new certificate has been successfully Installed

After the certificate is installed, verify the location of the certificate by using the Certificate (Local Computer) snap-in in Microsoft Management Console (MMC). Your certificate should appear under Personal.
Author Comment
by:ITHELP-BOCS
SkUllbloCk - Thanks for your quick response and apologies for my slow one!

Still not working, I tried to follow your instructions but the screens on CERTSRV I saw were slightly different although similar enough to follow.

Screenshots here:

http://www.ec29.demon.co.uk/Images/screen1.JPG
http://www.ec29.demon.co.uk/Images/screen2.JPG

The certificate is installed on my PC in the correct location but I still get error 786 "The L2TP Connection attempt failed because there is no valid machine certificate on your computer for security authentication".

Any other ideas or items to check?

Thanks again!

Neil
Expert Comment
by:SkUllbloCk
Alright then, maybe the problem lies not with the actual certificate server or the client system; maybe the problem lies with the RRAS server.

What authentication provider and accounting provider have you supplied?
Author Comment
by:ITHELP-BOCS
authentication provider = windows authentication
accounting provider = none

allow custom IPSec policy for L2TP connection = enabled with a pre-shared key specified
(would this stop certificate-based connections?)
Author Comment
by:ITHELP-BOCS
The only option selected on authentication methods is:

MS-CHAP v2
Expert Comment
by:SkUllbloCk
ITHELP-BOCS,
Try removing the custom IPSec policy in RRAS; this may be the problem.
Also make sure that the client VPN connection > Properties > Security doesn't have a pre-shared key entered.
Expert Comment
by:SkUllbloCk
Just a note: check the MS website
http://technet2.microsoft.com/WindowsServer/en/Library/f3aadac7-1e97-495b-af62-5d179df2990d1033.mspx?mfr=true

and make sure that those points under error 786 are valid.
Author Comment
by:ITHELP-BOCS
I found this Microsoft article very useful and have now managed to successfully connect a domain member to the L2TP IPSec VPN using certificates rather than a pre-shared key:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7e480471-4480-4175-962c-4d3c27e8c7d2&DisplayLang=en

My problem remains: how do I get a non-domain member (i.e. a user's home PC) to connect?
Expert Comment
by:SkUllbloCk
Try these steps for the client system that is not part of the domain.
http://technet2.microsoft.com/WindowsServer/en/Library/573589b6-8e34-4a64-91d9-54624e725b041033.mspx?mfr=true
(If at first this doesn't work, delete all the certificates that have been assigned to the computer/user, and then try again.)
Author Comment
by:ITHELP-BOCS
Thanks for your help and suggestions. I have now succeeded in obtaining a certificate on a non-domain member and establishing a connection using it; the following web pages provided the necessary information:

http://technet2.microsoft.com/WindowsServer/en/Library/222d5646-4e81-4efb-af6e-616e9cd3f7db1033.mspx?mfr=true
(Section: Computer authentication by IPSec)

http://www.microsoft.com/downloads/details.aspx?FamilyID=7e480471-4480-4175-962c-4d3c27e8c7d2&DisplayLang=en

http://technet2.microsoft.com/WindowsServer/en/Library/53b05314-a693-412b-b48e-4c10ea6e81661033.mspx?mfr=true

Basically, because we are using our own Enterprise Root CA, which isn't trusted by non-domain members by default, it was necessary to also click the following links on /CERTSRV:

1) Download a CA certificate, certificate chain, or CRL
2) To trust certificates issued from this certification authority, install this CA certificate chain.

The CA Certificate Chain should be placed into the Trusted Root Certification Authorities store (the system placed it into the CURRENT USER store by default, but I moved it to the LOCAL COMPUTER store), and the certificate issued to the computer from the /CERTSRV request needs to be in PERSONAL/CERTIFICATES (if the USE LOCAL MACHINE STORE box is selected it will be placed into LOCAL COMPUTER as well).

One more question though: I don't want to have to go through the request process using /CERTSRV on every non-domain member computer I want to connect! If I export these certificates to file (on floppy, etc.) or just request them to file in the first place, should I be able to re-use them on other computers, and have multiple computers connecting simultaneously using the same certificates?

I will be doing more investigation and will post the information if I can get it.

I will shortly be assigning you the points; I just want to conclude all the questions while the question is still open.

Thanks again,
Neil
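A way to check a client for the certificate prerequisites Neil's summary arrives at (machine certificate with private key in the Local Computer Personal store, CA chain trusted by the machine rather than only the current user), as an added example that is not part of the original thread; the CA subject is a placeholder to be replaced with your own CA's subject name:

```powershell
# Added example, not from the thread: checks a Windows client for the L2TP/IPsec
# machine-certificate prerequisites described above. Run from an elevated PowerShell prompt.
# $CaSubject is a placeholder; set it to your own Enterprise Root CA's subject name.
$CaSubject = 'CN=PLACEHOLDER-ENTERPRISE-ROOT-CA'

function Test-L2tpMachineCert {
    param([string]$CaSubject)
    $findings = @()

    # Error 786 means IKE found no usable machine certificate: it must sit in the
    # LOCAL COMPUTER Personal store with its private key; a CurrentUser copy is ignored.
    $machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
    if ($machineCerts.Count -eq 0) {
        $findings += 'No certificate with a private key found in Cert:\LocalMachine\My'
    }

    # The CA chain must be trusted by the machine, i.e. present in LocalMachine\Root.
    # Web enrollment's "install this CA certificate chain" link lands in CurrentUser\Root.
    $rootMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaSubject*" }
    $rootUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Subject -like "*$CaSubject*" }
    if (-not $rootMachine) {
        $msg = "CA '$CaSubject' is not in Cert:\LocalMachine\Root"
        if ($rootUser) { $msg += ' (it is only in Cert:\CurrentUser\Root: move it to the machine store)' }
        $findings += $msg
    }

    # Build each candidate's chain the way the machine would; skip the CRL fetch so this runs offline.
    foreach ($cert in $machineCerts) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $builds = $chain.Build($cert)
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainBuilds = $builds
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            EKU         = (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')
        }
    }
    foreach ($f in $findings) { Write-Warning $f }
}

Test-L2tpMachineCert -CaSubject $CaSubject | Format-Table -AutoSize
```

A certificate whose ChainBuilds column is False with an UntrustedRoot status is the exact symptom of the CA chain sitting only in the current-user store.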
Accepted Solution
by: SkUllbloCk earned 500 total points
Well, that's fantastic, Neil.
I was halfway through trying to replicate your situation here in my office, but thankfully now I don't have to do all that tampering.
I had a feeling it might have been the trusting and the location that the certificates were stored in.
I came to this conclusion after I had set up a stand-alone CA and issued the certificate to the client PC. On the VPN connection settings for the client I told it to use the smart card or other certificate option; then, when trying to connect, I got the error message that the certificate could not be found. After some reading up on MS websites, I found that the certificate issued was being placed in the personal folder as a user certificate. I was playing around with moving and importing the certificate to the computer certificate store, but still hadn't gotten to the trusted section yet by the time I went home last night.

I suggest you try selecting the advanced certificate option save to file, and then also save the Certificate chain as well.
Then try installing those on the client system.

Author Comment
by:ITHELP-BOCS
I haven't had time to test using the same certificates on multiple PCs, but I ASSUME it would work!

Thanks for the help you provided SkUllbloCk.