802.1x - Cross Forest Authentication Using Certificates
I have two single-domain forests. There is an external trust between the domains. I am attempting to test whether a client from Domain B can authenticate to a wireless network at Domain A's location. I have set up a PKI (same offline root; one Enterprise SubCA for each domain/forest) and set up NPS in both domains. I can get authentication working no problem using RADIUS proxies, but I am wondering if it is possible to authenticate Domain B users on an NPS server in Domain A using certificate authentication.

Here are my results; the last is the one I am trying to resolve/determine.

- Laptop in Domain B - Authenticates to Domain B RADIUS - Using PEAP-MS-CHAP - SUCCESSFUL
- Laptop in Domain B - Authenticates to Domain B RADIUS - Using Certificates - SUCCESSFUL
- Laptop in Domain B - Authenticates to Domain A RADIUS (proxy back to Domain B) - Using PEAP-MS-CHAP - SUCCESSFUL
- Laptop in Domain B - Authenticates to Domain A RADIUS (proxy back to Domain B) - Using Certificates - SUCCESSFUL
- Laptop in Domain B - Authenticates to Domain A RADIUS - Using PEAP-MS-CHAP - SUCCESSFUL
- Laptop in Domain B - Authenticates to Domain A RADIUS - Using Certificates - FAILS

The NPS server reports the following message:

Reason Code - 295
Reason - A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

I have verified that the Root CA is published to both AD domains, and even to NTAuthCA. Is it possible to authenticate a trusted user/computer using certificates (same Root CA, but different issuing CA)? Thank you
June 10th, 2010 6:39pm

Hi, Based on my understanding, it is possible to authenticate a trusted user/computer using a certificate. Please verify that the certificate of the issuing CA in domain B has been imported into the Intermediate Certification Authorities store. In addition, the certificate of the issuing CA in domain B must also be published into the NTAuth store in domain A.

Add Published Certificates to Active Directory Containers: http://technet.microsoft.com/en-us/library/cc731612.aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
June 11th, 2010 7:54am
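As an added example (not from the thread or from Microsoft), the following PowerShell checks the two locations the answer above names, run on the Domain A NPS server: the local Intermediate Certification Authorities store and the forest's NTAuthCertificates object. The thumbprint passed at the end is a placeholder, not a real value.

```powershell
# Added example, not from the thread. Checks whether Domain B's issuing (Enterprise SubCA)
# certificate is present in the two places the policy provider needs it:
#   1. the local "Intermediate Certification Authorities" store (Cert:\LocalMachine\CA)
#   2. the NTAuthCertificates object in this forest's Configuration partition
# Run on the NPS server in Domain A as an account that can read the Configuration partition.
function Test-IssuingCaTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalise the thumbprint as pasted from the certificate MMC (spaces, lower case)
    $thumb  = ($Thumbprint -replace '\s', '').ToUpper()
    $result = [ordered]@{ Thumbprint = $thumb; Subject = $null; InIntermediateStore = $false; InNTAuth = $false }

    # 1. Local Intermediate CA store: lets NPS build the chain from the client cert up to the shared offline root
    $local = Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $thumb }
    if ($local) {
        $result.InIntermediateStore = $true
        $result.Subject = $local.Subject
    }

    # 2. NTAuthCertificates: only issuing CAs published here are trusted to issue logon certificates
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        # Each attribute value is the DER-encoded CA certificate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if ($cert.Thumbprint -eq $thumb) {
            $result.InNTAuth = $true
            $result.Subject  = $cert.Subject
        }
    }

    [pscustomobject]$result
}

# Placeholder thumbprint for Domain B's Enterprise SubCA (constructed value, replace with the real one)
Test-IssuingCaTrust -Thumbprint '0000000000000000000000000000000000000000'
```

If both checks pass but NPS still reports reason code 295, compare against the server's locally cached copy of NTAuth (`certutil -enterprise -viewstore NTAuth`), which is refreshed from AD by Group Policy rather than read live.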

Hi, How's everything going? We've not heard back from you in a few days and wanted to check the current status of the issue. If there is anything unclear, please feel free to respond back.

This posting is provided "AS IS" with no warranties, and confers no rights.
June 21st, 2010 4:29am

Thank you Jason for following up with me. Unfortunately I have not had time to do much work on this. I am certain I had the Issuing CA from domain B both in the Intermediate store as well as the NTAuth store. I have done some research and am still unsure of whether it is possible. The following article states:

"When using EAP-TLS with certificates as the authentication method, you need to use one or more RADIUS proxy servers that forward authentication requests to the appropriate forest, even when the forests have a two-way, transitive trust relationship."

http://technet.microsoft.com/en-us/library/cc778436(WS.10).aspx

Thoughts? Thank you.
June 22nd, 2010 5:03am

Hi Chris, I did further research and you are correct that the use of a RADIUS proxy is required for EAP-TLS. It is because part of the process requires a service principal name (SPN) lookup in Active Directory. However, SPN lookups do not work across trusts. When the NPS server receives the computer identity, it is in the form of an SPN (host/ComputerName.DNSDomainName). The NPS server passes the SPN to the local global catalog. If the global catalog is unable to match the SPN to a local domain account, it will fail the request with a "No Valid Account Found" error condition.

Thanks. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 23rd, 2010 11:50am
