Windows does not find certificate
Hello, can anybody tell me where I can find information on what conditions must be fulfilled for Windows to find a computer certificate in the certificate store? I imported the client certificate as well as the root certificate into the "Local Computer" certificate store. I heard that the subjectAltName must match the full FQDN. I also set the subjectAltName attribute to the FQDN and the common name (CN) to the hostname. Also, the extended key usage is set to client authentication (1.3.6.1.5.5.7.3.2). When Windows needs to use this certificate (in my case for EAP-TLS with 802.1x on a wireless connection with WPA Enterprise) it just says that Windows is unable to find the certificate. I have been trying for a few days now and I can neither find any information on this topic nor anybody who is able to help me :( Please, can anybody give me a hint? Regards, Peter
August 13th, 2010 3:22pm

This depends on the application using the certificate and how its certificate management is implemented. Usually the root certificate should reside in the Trusted Root Certificate store, and the user/computer certificate in the local personal store. The best way for 802.1x is to configure autoenrollment both for the client and the IAS server. You do have a certificate on the IAS (802.1x) server with the Server Authentication attribute in the certificate, and a client certificate with the Client Authentication attribute? If you could elaborate some more on your setup it would be easier to point you in the right direction. Regards Morten
August 13th, 2010 3:59pm

Dear Lerun, thanks for your reply. The application using the certificate is Windows with 802.1x (wireless LAN connection with 802.1x and EAP-TLS enabled). The root certificate (CA) was imported into the Trusted Root Certificate store of the Local Computer. Please let me first point out that it works perfectly if I import the client certificate into the local *personal* store (i.e. the local user). But I do NOT want this, because the connection needs to be available independently of a user (and should be available before logon!). Do I need to import the certificate into the computer's store (where the root certificate also resides)? To your second question: I do not have IAS (and even if I did, I would not want to use auto enrollment). The server is freeradius and the certificates are generated using openssl. But, as said before, I think that I have created the certs the correct way: chain of trust works, extendedKeyUsage=1.3.6.1.5.5.7.3.2, subjectAltName=FQDN, CN=hostname. Regards, Peter
August 13th, 2010 5:42pm

My experience is only with IAS, but how it usually works is that you have the root certificate in the Trusted Root store, and the computer certificate in the local computer personal store. If you are using a self-signed certificate (only one certificate in the chain, i.e. generated from openSSL), you need to have the certificate in the trusted root store and in the personal store of the computer for it to work. There are two personal stores, one for the computer and one for the user. Does it work if you import it into the personal store of the local computer?
August 13th, 2010 11:32pm

Dear Lerun, one problem is: I think we are talking about the same thing but I lack the English translation because of a German Windows... In short:

CA certificate in Trusted Root Store of local computer and client certificate in Personal store of User: works!
CA certificate in Trusted Root Store of User and client certificate in Personal store of User: works too!
CA certificate in Trusted Root Store of local computer and client certificate in Personal store of local Computer: does not work!

... But I need the last one for "system wide" authentication... (AFAIK) Are you running a setup like this (with IAS)? What exactly do your certificates look like? Thank you again and regards, Peter
August 14th, 2010 2:32am

We are running IAS with the Root CA certificate in Trusted Root store of local computer and computer certificate in local computer personal store. Note to get this going you need to set a GPO for the client to do computer authentication only, not computer and user.
August 14th, 2010 9:58am

Dear Lerun, ah, ok! So both at the same time is not possible? Maybe that is my issue? Which GPO do you mean and how do I set it? On the other hand: I have heard about scenarios where computer authentication puts you in a kind of guest VLAN with just the DC accessible. Afterwards, after logon, user authentication takes place and puts you in the "real" company VLAN. Regards, Peter
August 14th, 2010 1:00pm

You can use user authentication also; this will then happen after the computer is authenticated. This can be done with a regular username/password or user certificates. The user certificate should then reside in the local user personal store. Note this is the default behavior of IAS and no GPO change has to be done. I do assume you have set up a GPO for the client when it comes to using 802.1X (two places in GPO, user/machine, and in the local security settings)? It is also possible to do VLAN tagging (switching); this can be done with the NPS role in Windows Server 2008 (Network Access Protection). When I ran tests on NAP (Network Access Protection) I was only able to combine computer certificates with the user authenticating using username/password. The network equipment would then switch to the appropriate VLAN ID based on whether authentication was successful or not (or another if authentication failed).
August 14th, 2010 1:19pm

I do assume you have set up a GPO for the client when it comes to using 802.1X (two places in GPO user/machine and in the local security settings?

Until now, I did not set up any GPO. Which GPO do you mean and is there a way to set them with a registry key? I have a few clients in an old NT domain (Linux Samba) but most of the clients are not in a domain. (I have no ADS etc., so no central GPO as far as I know. This is the reason why I want to deploy the certificates for the clients manually.) Regards, Peter
August 14th, 2010 4:01pm

Ah, I see. It depends on what type of clients you have. I.e. with XP SP3 you can use the netsh command. http://support.microsoft.com/kb/929847/no See also this thread for some information on registry keys: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21800893.html I do not have much experience setting up 802.1x in a non-GPO environment, but it should be pretty much the same.
August 14th, 2010 8:32pm

Dear Lerun, I have now tried setting AuthMode to 2 (I use WinXP SP3) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global, so this should match the requirements. I even rebooted the machine, tried with different users... Still, Windows does not want to find the certificate. Aaaargh! Is it possible to enable logging etc.? Regards, Peter
August 16th, 2010 5:14pm

Hi, I found setup instructions for FreeRADIUS and XP, maybe that will help. http://freeradius.org/doc/EAPTLS.pdf You should also be able to turn on tracing on the client with: netsh ras set tracing * enabled Here are some more client tracing commands: http://deployingradius.com/documents/configuration/eap-problems.html Cisco has some good information you can use: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d45a2.shtml Regards Morten
August 17th, 2010 11:13am

Make sure the certificate has a private key. http://en-us.sysadmins.lv
August 17th, 2010 1:17pm

Hi, yes, for sure I have a private key included. I enabled logging now. This is the content of svchost_RASTLS.LOG:

[1724] 22:42:29:500: EapTlsInvokeIdentityUI
[1724] 22:42:29:500: GetCertInfo
[1724] 22:42:43:100: FCheckSCardCertAndCanOpenSilentContext
[1724] 22:42:43:100: FGetEKUUsage
[1724] 22:42:43:100: Acquiring Context for Container Name: {8CD7EA3B-DE7F-4D86-A9E1-5E2EC9BBEA38}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1724] 22:42:47:686: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090016
[1724] 22:42:47:686: FCheckSCardCertAndCanOpenSilentContext
[1724] 22:42:47:686: FGetEKUUsage
[1724] 22:42:47:686: Acquiring Context for Container Name: {DF8CCEA7-60D2-4C8A-90E6-ACF7EFB50432}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1724] 22:42:52:243: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090016

So the certificate seems indeed not to be found. What could be the reason for that? Regards, Peter
August 17th, 2010 11:47pm

This error is consistent with what Vadims was asking, there is something wrong with the keyset for the certificate (most likely missing the private key or something in the store is corrupt). Try using certutil to import the original certificate with the private key into the store again, or use certutil to do a repair of the store. Regards Morten
August 18th, 2010 12:16am
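The log above fails at CryptAcquireContext with 0x80090016 while enumerating the machine store, and Morten's reply points at the key set behind the certificate. The script below is an added diagnostic written for this thread, not something posted by either participant: it walks the Local Computer Personal store and reports, per certificate, the things the thread says must be right (private key present, Client Authentication EKU, FQDN in the subjectAltName, chain building to a trusted root), plus the current AuthMode value. It assumes Windows PowerShell 2.0 or later on the client and an elevated prompt; the -ExpectedFqdn parameter and the OID constants are my own naming. It only reads; it changes neither the store nor the registry.

```powershell
# Added diagnostic (not from the thread). Assumptions: elevated Windows PowerShell 2.0+,
# the client's expected FQDN in -ExpectedFqdn (defaults to the machine's own DNS name).
param(
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # extendedKeyUsage: Client Authentication
$sanOid        = '2.5.29.17'           # subjectAltName extension
$eapolKey      = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# 1. AuthMode as discussed in the thread (2 = computer authentication only; unset = default).
$authMode = (Get-ItemProperty -Path $eapolKey -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($null -eq $authMode) { "AuthMode: not set (default)" } else { "AuthMode: $authMode" }

# 2. Walk only the computer's Personal store; the per-user store is deliberately ignored,
#    because the thread's goal is authentication that works before any user logs on.
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    "--- $($cert.Subject)  (thumbprint $($cert.Thumbprint))"

    # A 0x80090016 (NTE_BAD_KEYSET) in RASTLS means the key container could not be opened
    # silently; the first thing to confirm is that a private key is bound to the cert at all.
    "HasPrivateKey     : $($cert.HasPrivateKey)"

    # EKU must contain Client Authentication for EAP-TLS client use.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }
    "ClientAuth EKU    : $hasClientAuth"

    # subjectAltName should carry the FQDN (the thread's working assumption).
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN)' }
    "SAN contains FQDN : $($sanText -match [regex]::Escape($ExpectedFqdn))  [$sanText]"

    # Chain must build to a CA present in LocalMachine\Root.
    "Chain builds      : $($cert.Verify())"

    if (-not $cert.HasPrivateKey) {
        # certutil can re-associate a key container with its certificate when the key
        # exists but the binding is broken; otherwise re-import the PFX into LocalMachine\My.
        "Hint: no private key bound. Try: certutil -repairstore my $($cert.SerialNumber)"
    }
}
```

Run it once with the user logged on and once from an elevated prompt started as SYSTEM (for example via a scheduled task) if the results differ: a key that is readable by the interactive user but not by the machine account produces exactly the "cannot be opened in silent mode" line the log shows, and that distinction is what separates the "works in the user store" case from the "fails in the computer store" case described in this thread.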

Dear Lerun, thanks for the hint. I will also try certutil... However, yesterday I suddenly managed to get it to work, though I do not know what I have changed. However, there is one observation: it only worked when I set the AuthMode registry key to 2. Otherwise I got the log entry above. There would not be so much wrong with this, but with AuthMode=2 I cannot get PEAP working any more! Neither for the same wireless network nor for a different one. But this would be a disaster. It would mean that I can only use machine authentication OR user authentication on the same computer :-( Please tell me that this is not the case :-( Regards, Peter
August 18th, 2010 1:14pm

Setting AuthMode to 2 enables only authentication based on the computer certificate. So it's probably the user certificate that there is something wrong with. The user certificate should have the UPN of the user in the certificate and the domain name must be the same as the domain the user is logged onto. Regards Morten
August 18th, 2010 3:18pm

Setting AuthMode to 2 enables only authentication based on the computer certificate. So it's probably the user certificate that there is something wrong with. The user certificate should have the UPN of the user in the certificate and the domain name must be the same as the domain the user is logged onto.

Dear Lerun, there are no user certificates. This is the setup:

1.) In general, computers should authenticate with a certificate and EAP-TLS, because the connection should be available independently of the user, for every user of the system. So I guess that I need the discussed computer certificates. I have installed the certificate+key in the personal store of the local computer and the CA in the trusted root store of the local computer. Again: the goal is that the wireless connection should work system-wide!

2.) Besides, users can authenticate via (arbitrary) username/password using PEAP-MSCHAPv2.

Is there something wrong with this assumption? When I set AuthMode=2, then (1) works but (2) does not. When I delete AuthMode, (2) works (and (1) with certificates in the store of the current user) but (1) fails. Let us assume that I set AuthMode=2 on a laptop and install the certificates in the local computer store such that (1) works. Now the user carries his laptop to another place where he needs to sign into the wireless network with username/password (e.g. PEAP-MSCHAPv2). According to my observation this would fail. But this can't be true, can it? So in general my question is: how do I enable system-wide EAP-TLS authentication while keeping PEAP-MSCHAPv2 (with arbitrary credentials) intact? Regards, Peter
August 18th, 2010 5:05pm

If nothing is set, the default mode is that both user and computer are expected to authenticate (depends on how you configure the RADIUS server); authmode = 2 only authenticates the computer. So if you want both user and computer to be authenticated you have to configure the rest of the settings on your RADIUS server to match this assumption. As I understand it, you are not using IAS or NPS, and I only know how to configure these types of RADIUS servers. For the RADIUS server you are using there should be a method to configure some kind of policies that expect the client to authenticate for the computer by using EAP-TLS and for users by using PEAP-MSCHAPv2. Regards Morten
August 18th, 2010 8:04pm

If nothing is set the default mode is both user and computer are expected to authenticate (depends on how you configure the RADIUS server), authmode = 2 only authenticates the computer. So if you want both user and computer to be authenticated you have to configure the rest of the settings on your RADIUS server to match this assumption. As I understand you are not using IAS or NPS, and I only know how to configure these types of RADIUS servers. For the RADIUS server you are using there should be a method to configure some kind of policies that expect the client to authenticate for computer by using EAP-TLS and for users by using PEAP-MSCHAPv2.

Dear Lerun, are you sure that this is the case? I do not think so. Here is my explanation why: as said, it works when AuthMode=2. When AuthMode is unset, then both (user and machine authentication) should work. But it does not. When I use the certificates in the local machine store (i.e. machine authentication), not even a single message is sent to the RADIUS server! So the problem can't be on the server side. On the Windows side, I only get the balloon on the tray icon with the message "Windows was unable to find a certificate to log you on to the network [SSID]". And the svchost_RASTLS.log contains:

[1660] 19:52:24:080: EapTlsInvokeIdentityUI
[1660] 19:52:24:080: GetCertInfo
[1660] 19:52:28:627: FCheckSCardCertAndCanOpenSilentContext
[1660] 19:52:28:627: FGetEKUUsage
[1660] 19:52:28:627: Acquiring Context for Container Name: {8CD7EA3B-DE7F-4D86-A9E1-5E2EC9BBEA38}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1660] 19:52:28:707: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090016
[1660] 19:52:28:707: FCheckSCardCertAndCanOpenSilentContext
[1660] 19:52:28:707: FGetEKUUsage
[1660] 19:52:28:707: Acquiring Context for Container Name: {DF8CCEA7-60D2-4C8A-90E6-ACF7EFB50432}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1660] 19:52:28:797: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090016

So Windows does not even attempt machine authentication although everything is fine! It only works when AuthMode=2, but in this case I can't use user authentication any more (as far as I understand...). Regards, Peter

EDIT: Maybe machine authentication with AuthMode!=2 only works when no user is logged in (i.e. before logon)? Is this the case? But this would be really stupid...
August 18th, 2010 9:00pm

EDIT: Maybe machine authentication with AuthMode!=2 only works when no user is logged in (i.e. before logon)? Is this the case? But this would be really stupid...

Stupid or not, this is how the computer gets to communicate with the DC to authenticate the user. Computer authentication always happens before the user can be authenticated. With wired 802.1x, the computer will not even have an active network port before it passes authentication with the RADIUS server. The RADIUS server gives the switch the go-ahead to activate the network port (or in your case allow connection to the wireless network). To do user authentication afterwards, still under the control of the RADIUS server, you will have to configure the authentication type. Also the RADIUS server has to be able to confirm the identity (either with a third-party user catalog or by communicating with AD through a DC). So I'm sorry if this is not too helpful, but I only know how the MS stuff works. Regards Morten
August 23rd, 2010 3:17pm

Dear Lerun, thank you for all your answers. I think I now know how this stuff works, and I think it does not work the way I would like it to (or find useful or intuitive...). Just think about simple WPA-PSK encryption: any user on the system just enters the key, and if it is correct it is stored in the system and any user (and the system itself before logon!) can use the connection. I thought this was the case with system certificates, and this would be the only good way in my opinion.

In my opinion the one implementation which would make sense in general would be:
- Is a computer certificate in the store? If yes, use it and continue (before logon: break). If no, continue.
- Is a user certificate in the store of the currently signed-in user? If yes, use it and maybe do re-authentication with user cert/credentials and break. Else continue.
- If none is found, show the message "No certificate could be found".

This is how it really works:
- Computer authentication works only before logon. So the checkbox "[x] Use computer authentication if available" is confusing in the best case (and wrong in the average case).
- After logon, only user authentication works. This means that each user on the system needs a certificate (!), including administrator.
- This can be overridden by AuthMode=2, but this is system-wide, implying that for a different wireless network user authentication won't work either. So AuthMode is not an option (except when the computer is only used in one 802.1X network).
- This implies too that as soon as there is a computer certificate and no user certificate, the network just does not work! This way it is not possible to use e.g. EAP-TLS with certificates for computers and PEAP-MSCHAPv2 with username/password for users.

So my decision is to forget 802.1X with Windows; I will keep using the good old WPA-PSK. 802.1X might work with wired-only computers in a corporate environment, but as soon as a single laptop joins which needs to be able to join different 802.1X networks everything is broken. Sad but obviously true :-( Thank you anyway! Regards, Peter PS: I marked your reply with AuthMode=2 as the answer because it solved the problem in principle.
August 23rd, 2010 6:34pm
