Solved

A Certificate could not be found that can be used with this Extensible Authentication Protocol

Posted on 2008-10-24
8
10,182 Views
Last Modified: 2012-11-20
I'm setting up a new domain controller with IAS with certificate services for wireless authentication for our wireless users. When I select the EAP type in my 'Remote Access Policy' it gives me the error of "A certificate could not be found that can be used with this Extensible Authentication Protocol." There is a certificate installed on the server, but I can't get past this... any help would be appreciated.
Question by:StaffordIT
8 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22796524
I'm guessing you don't have the correct EKU(s) assigned in the cert that you are trying to use.  I think this article might help you out some:
http://support.microsoft.com/kb/814394
0
 

Author Comment

by:StaffordIT
ID: 22796681
How do I go into my certificate authority and make the change? I'm not too familiar with this... when I set up my enterprise subordinate CA, I went into the Certificate Authority, right-clicked on the server name and selected Renew CA Certificate, and it shows the server has a certificate if I right-click on the server and go to properties, and it shows certs there. It shows that the certs were issued by our enterprise root CA.
0
 

Author Comment

by:StaffordIT
ID: 22797617
OK, I got it working! Apparently the domain controller took longer than I expected to receive a certificate from the root CA?? I'm not sure why it took as long as it did, but the certificate is there now. I appreciate all of your help!
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22797777
You can look at the cert on the Details tab and look for Key Usage and Extended Key Usage fields to see what it actually covers.

Sorry if I'm way off base here, but your description of how you checked your cert set off a couple alarms in my head:
1) When you say you check the cert on the CA, you aren't trying to do this just using the CA cert, correct?
2) You mentioned checking the cert on the CA - normally most people check the cert on the server.  The cert was actually manually installed on the server after submitting the CSR file through the certsrv page, correct?  You can check certmgr.msc in the Personal store for existing certs, or from within many applications such as IIS to make sure it is installed there.

The standard templates within certtmpl.msc are User or SmartCard User for client authentication, and Web Server or Workstation for device authentication.  You can right-click - duplicate if you wish to create a new template to change values that you are not able to do within the standard template.

After choosing the desired templates, they must be Published in AD - open certsrv.msc and point to your issuing CA and then select Templates.  See if it is listed there or not - if not, right click Templates - New - Cert Template to Issue - select desired.  Note: to un-publish, right click the template name in this area and delete - this will not delete from certtmpl.msc and can be republished as desired.
0
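The checks described in the accepted answer, scripted as an added example that is not part of the original thread: it lists every certificate in the Local Computer Personal store with its Key Usage and EKU, and flags reasons it may not be usable as the server certificate. It assumes the server certificate lives in `Cert:\LocalMachine\My`; the flagged conditions are drawn from the fields named in the thread and are not the complete requirement list from the KB article.

```powershell
# Added example (not from the thread): audit the Local Computer "Personal" store
# for certificates that could serve as the EAP server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$now = Get-Date
$x509 = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $problems = @()

    # Extended Key Usage: gather the purpose OIDs, if the extension exists.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509EnhancedKeyUsageExtension" }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'no Server Authentication EKU' }

    # Key Usage: reported for review, as shown on the certificate's Details tab.
    $kuExt = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509KeyUsageExtension" }
    $keyUsage = if ($kuExt) { $kuExt.KeyUsages.ToString() } else { '(none)' }

    # Basic Constraints: a CA certificate is not a server certificate.
    $bcExt = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509BasicConstraintsExtension" }
    if ($bcExt -and $bcExt.CertificateAuthority) { $problems += 'is a CA certificate' }

    if (-not $cert.HasPrivateKey)               { $problems += 'no private key on this server' }
    if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'empty subject name' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyUsage   = $keyUsage
        EKU        = ($ekuOids -join ', ')
        Problems   = if ($problems) { $problems -join '; ' } else { 'none found' }
    }
} | Format-List
```

An empty result means the computer store holds no certificate at all, which matches the situation the asker describes before autoenrollment delivered one.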
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22797918
Sorry, took a little while to type up my last post - glad to hear everything is working for you now!
0
 

Author Closing Comment

by:StaffordIT
ID: 31509650
Thanks for the explanations... this really helped me clear up my issue, and also another issue I was having with setting the certificate expiration time with the templates... thanks again!
0
 

Expert Comment

by:gopher_49
ID: 24077096
Thanks so much for your help...  Your help and the steps you provided determined and/or assured me that my new instance of my CA server was functioning and all old traces of it were gone.  I'm assuming all of my problems started when my web server type cert was damaged or missing in the EAP profile page of IAS.  I totally forgot there was a web server cert issued to the IAS server.  Anyway, it's working extremely well now.  I plan to make notes and convert the web pages I used to fix this to PDF files so I always have them backed up for future reference.

Thanks
0
 

Expert Comment

by:Deuto
ID: 38618125
Also try this option. This fixed it for me after trying many things including server re-builds for several days (click on link below):

Missing name in template subject field

The error you are seeing is due to the fact that the server certificate is considered valid (for the lack of a better word).
0
