    DB:4.34:Cert Based Ipsec Vpn Server Using Windows Server 2008 as

    Hi All,
    I have a self-generated CA cert created using OpenSSL. Now I want to set up a cert based IPSec VPN server on Windows Server 2008 using this cert. I have already set up and tested pre-shared key IPSec (and have set up AD too).
    Is there any guide anyone can point me to for help in configuring it for cert based? I tried setting up NPS etc. but could not get a lot of it to work. I also tried to set up ADCS but could not import the OpenSSL cert. Must I set up ADCS or NPS?
    I basically want to use the OpenSSL CA cert to set up a cert based IPSec VPN server on Windows Server 2008. Online resources are fragmented; could anyone direct me to the correct guide?
    Thanks in Advance,
    Perumal

    DB:4.34:Cert Based Ipsec Vpn Server Using Windows Server 2008 as

    Hi Perumal,
    Yes, your NPS server needs to have a certificate installed.
    Please refer to this guide to configure an L2TP/IPsec-based Remote Access VPN.
    BTW, I suggest you set up SSTP VPN in Windows 2008 or IKEv2 VPN in Windows 2008 R2 for these reasons.
    Regards,
    Rick Tan

    DB:3.94:Windows Server 2008 Cert Based Ipsec 1p

    Hi All,
    Previously I had already set up Active Directory, Network Policy and Access Services, Routing and Remote Access etc. on Server 2008 and have successfully tested IPSec VPN using a pre-shared key from a client.
    Now I want to implement cert based IPSec VPN. How do I go about setting up Server 2008 for this? I have installed an external CA public cert on Windows Server 2008 and I can view it under the Local Computer's Trusted Root Certificate Authorities.
    I have tried adding Active Directory Certificate Services but under the CA type I could not choose this CA. Similarly I have tried following the instructions from: http://araihan.wordpress.com/2009/10/06/configure-l2tp-ipsec-vpn-using-windows-server-2008/
    which shows the steps to install Network Policy Server and the Health Registration Authority, but it shows that no Certificate Authorities have been found installed in this domain even though I have installed the CA cert, which can be viewed under the Local Computer's Trusted Root Certificate Authorities.
    In summary I have an external CA public cert and the corresponding user cert (both are not Microsoft based). Now I want to set up the IPSec server on Windows Server 2008 to be cert based so that I can connect to it using a client with the corresponding user cert.
    A few questions:
    - How do I do the setup? For IPSec with a pre-shared key it can be done easily as shown here:
    http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/A_4281-Windows-2008-RRAS-VPN-L2TP-with-Preshared-Key-IPsec-creation.html
    How about cert based? How do I link to the external CA? Must I link to the AD users?
    Thanks in advance,
    Perumal

    DB:3.94:Windows Server 2008 Cert Based Ipsec 1p

    I don't know the answer for sure here, but I think you need to get a certificate (both private and public key) from the external CA onto the NPS server. The certificate must be for that specific application, which is called Enhanced Key Usage (EKU). I think you should ask this question on the following forum:
    http://social.technet.microsoft.com/Forums/en-SG/winserverNIS/threads

    DB:3.08:Anyconnect Cert Warning Error When Changes To Xml File Are Made. cd

    Hi Everyone,

    We have a valid cert from a CA and it is successfully installed on the ASA, associated with the ASA outside interface.

    While using AnyConnect IPsec IKEv2 with AnyConnect pre-deployment, when I make a change to the AnyConnect profile on the ASA and the user connects the first time he gets the warning message below:

    Security Warning: Untrusted VPN Server Certificate

    The options are:

    Connect Anyway             Cancel Connection

    I click on Connect Anyway and AnyConnect connects.

    Verified that the CN is set to the FQDN.

    We are not using an SSL certificate.

    When I connect a second time the above cert warning does not come up.

    This cert warning error comes only when changes are made to the AnyConnect profile and the user connects again to the ASA.

    We are not using cert based authentication.

    Any ideas how I can fix this issue?

    Regards

    Mahesh

    DB:3.08:Anyconnect Cert Warning Error When Changes To Xml File Are Made. cd

    Hi Marvin,

    The issue is solved. The cert was not linked to the ASA physical interface.

    I ran the command below:

    ssl trust-point my.digicert.trustpoint outside

    After adding the above config I do not see any invalid cert warning messages at all.

    Do you know why we need to link the cert in two different places, one for AnyConnect and the other on the outside interface?

    Thanks for guiding me step by step to fix the issue.

    Regards

    Mahesh

    DB:3.07:On Windows Server 2012 Vpn, L2tp/Ipsec Based Site-To-Site Servers Cannot Select Certificate In Set Credentials Of Remote Router Interface 7z

    I have set up a lab scenario for site-to-site VPN servers... cannot connect via RRAS with the following configuration on both servers:
    After making the VPN server via the RRAS configuration wizard, I created a Remote Router interface with Type of VPN L2TP/IPsec and selected authentication type EAP with Microsoft smart card or other certificate...
    Now the error is when I right click the Remote Router interface and select Set Credentials... to select the certificate it gives the ERROR:

    The Extensible Authentication Protocol type configured on the remote access connection does not support single sign-on.

    It works on all Windows Server 2000/2003/2003 R2/2008/2008 R2... TESTED.

    I want to use L2TP/IPsec certificate based EAP authentication but cannot select the certificate due to the error...

    DB:3.02:Looking For Windows 2008 Audio Training j7

    Hi, I've finished my first cert thanks to audio prep courses for my daily commute. I haven't found any Windows Server 2008 courses yet... has anyone found any yet? Thanks

    DB:3.02:Looking For Windows 2008 Audio Training j7

    I am cheap. http://learning.microsoft.com/Manager/Catalog.aspx?clang=en-US&dtype=Table&Sort=PublicationDateDescending&page=1&search=Windows%20and%20Server%20and%202008 has many low cost and many free training courses that you may be interested in. Then of course there are many websites to search for material. http://google.com
    MCSA, MCTS, MCITP, MCDST, MCP, A+, Network+ Tim

    DB:2.97:Poor Training Clinic Introducing Security And Policy Management In Windows Server 2008 mm

    I am just going through the Introducing Security and Policy Management in Windows Server 2008 clinic to learn something about this subject and I was shocked at the number of acronyms in use; at points the training just seems a long string of acronyms.
    I have just been on "How Noncompliant IPSEC-Based NAP clients connect". Below is part of the transcript:
    In this process, the IPSec NAP EC on the client first forwards the SoHRs to the NAP Agent for remediation. The NAP Agent then forwards the updated list of SoHs to IPSec NAP EC, which then passes it to HCS. Next, HCS forwards the list of SoHs to the NPS server. The NPS server then passes the SoHs to the NAP administration server for validation.
    The above may be a technically accurate description of what happens, but for learning purposes it seems very poor, especially when someone is reading this out. Surely we can do something better in this day and age in regard to training. A sort of plain English society for computer training.
    Regards,
    Andrew

    DB:2.96:Ipsec Breaks Multi-Packet Smbs. cz

    relocated from general
    IPSEC breaks multi-packet SMBs. A packet sniffer shows that the same packets are received by the client; that is, the unencrypted IP payload is exactly the same as the encrypted ESP payload.
    Because of the problem, when we turn IPSEC on and request the directory listing we get the following:

    Without IPSEC it works just fine:

    The client is our Windows 2008 R2 Remote Session Host Server.
    And the file-server is Ubuntu 10.04.3 LTS with Samba version 3.4.7.

    DB:2.96:Ipsec Breaks Multi-Packet Smbs. cz

    IPsec seems to work fine with other TCP-based protocols.

    DB:2.96:Ipsec Tunnel To A Windows 2008 R2 Server zz

    I have an application that uses FTP to a win2k8r2 server. I'd like to set up an IPSEC tunnel to the Windows server to encapsulate this traffic. I've configured IPSEC in Solaris before, but not in Linux. The implementation eludes me. I've searched online and not found anything that appears to work. Anyone got any ideas or secret documents that line out how to do this?

    DB:2.96:Ipsec Tunnel To A Windows 2008 R2 Server zz

    I set up persistent tunnels on my Linux servers as initd respawn daemons. For example, in /etc/inittab:
    # tunnel local port 1522 traffic via server 10.2.0.2 to a remote db on port 1521 at 10.1.0.1
    t1:35:respawn:/usr/bin/ssh -N -L 1522:10.1.0.1:1521 tunnel@10.2.0.2
    For such tunnels I typically create a tunnel O/S user on the server handling the tunnel, make it a non-interactive user (/sbin/nologin) and use authorized_keys for authentication. This makes identifying and managing tunnel sessions on servers easier in my view. If you make a change to /etc/inittab, use telinit q to tell the initd daemon of the change.

    DB:2.93:2008 Server, Ipsec, Certificates And Crls 1x

    Hi All.
    I've just finished building my virtual test lab (VMWare VSX 3.5 with 2 NICs bridging from public to a DMZ segment). Everything is running great including both SSTP and IPsec/L2TP mode VPNing, except for one small problem.
    Once the client is connected to the TEST domain, it's issued with an IPSec certificate which it uses to negotiate the tunnel. However the client/server handshake is not checking whether the cert has been revoked, and therefore when I revoke the certificate on my DC it's still allowing the client to use it and get onto the network.
    I've executed the following command and it's made no difference to the way the server works:
    netsh ipsec dynamic set config strongcrlcheck value=2
    My certificates are giving the correct and valid CRL path which is accessible, however I'm concerned there must be something else that needs to be done to get 2k8 RRAS with an x.509 enterprise CA to revoke its certificates properly?
    Whilst I'm on the subject - I've found the Using l2tp setting in the NPS policy definition conditions and have created a special policy for these l2tp/ipsec clients, but is it possible to differentiate clients on whether they are using IPSec or SSL encryption?
    Regards
    Martin Christopher

    DB:2.93:2008 Server, Ipsec, Certificates And Crls 1x

    Thanks for the pointers Brian. I've managed to lock that down nicely now. One more question - is it possible to set SSTP only anywhere in the network connection policy? I've specific PPTP and L2TP policies but the SSTP is evading me :(
    Regards
    Martin Christopher

    DB:2.90:Ipsec Secure Communications Mixed Windows Server 2008/Windows Server 2003 3c

    I would like to know if there is any documentation on how to get IPSec secure communications working in a mixed Windows 2003 Active Directory with Windows 2008 servers running the Advanced Firewall Security and Windows Server 2003 using native IPSec policies.
    I want to use digital certificates for authentication instead of Kerberos. I want to use a Windows Server 2003 for my Root CA and use Subordinate CA on Windows 2008 to generate health and authentication certificates.

    DB:2.90:Ipsec Secure Communications Mixed Windows Server 2008/Windows Server 2003 3c

    There's a webcast in the Security360 Webcasts series on Best Practices for Security called Building a Secure, Connected Infrastructure with Digital Certificates that might help.

    DB:2.87:Ipsec Deployment Options 8f

    Can you give me a list of how to deploy IPSec using Windows Server 2008?
    i.e. using group policy, using digital certificates, etc.
    We want to implement IPSec in our environment and we want to know the different options we can consider.

    Thank you.

    DB:2.87:Ipsec Deployment Options 8f

    There are some questions you need to answer before you start to deploy an IPSec implementation:

    What is IPSec going to be used for? (Site-to-Site tunneling, packet filtering, VPN, etc.)
    How are you going to deploy the IPSec Policy? (most likely through a GPO)
    How are you going to deploy the certificate? (most likely through auto-enrollment)

    There are also a lot of other questions to ask yourself. For instance if you are going to be using IPSec for packet filtering:

    What protocols are going to be included? (TCP, UDP, ICMP, etc.)
    What ports?

    If you're going to select auto-enrollment for your certificate deployment option:

    What computers are going to participate in the policy?
    What OSes are those computers running?

    The info Mr. X provided should get you on your way...

    DB:2.87:Ipsec X Tmg 3a

    Good afternoon friends,
    I need to deploy IPSEC at a customer via GPO, a customer that has TMG 2010 in their environment. I would like to know whether deploying IPSEC could cause any problem with TMG. I will use the Kerberos protocol for authentication, for the whole environment over TCP/IPv4.
    The customer uses a domain and has Windows Server 2008 R2.
    Thank you

    DB:2.87:Ipsec X Tmg 3a

    As our friend said, it is worth doing it in a lab first. Create a rule in TMG, the first one, allowing all traffic from your protected networks to your protected networks, and test.

    Remember that you are thereby attesting that you trust your internal network.

    Regards,

    DB:2.86:S/Mime Certificate Work On Windows Xp/Outlook 2010, But Doesnt On Windows 7/Outlook 2010 c7

    I created a cert (private and public) on my own cert server and imported it into Windows XP/Outlook 2010 with no problem.

    But when I import the same cert into Windows 7/Outlook 2010, it is not recognised. Why?

    The server is running Windows Server 2008 / Exchange 2007.

    DB:2.86:Ipsec Certificate For Non-Domain Computer cx

    I am trying to get a certificate installed on a Windows XP machine that is not on the domain, to be used for an L2TP/IPSec VPN. I have an enterprise CA running on Server 2008 R1 and my domain-connected computers are getting autoenrolled for Computer and IPSec certs and they can successfully connect to the VPN using their autoenrolled certs.
    For the moment I am able to connect this non-domain member PC using a PPTP VPN, where I then have access to the CA's web enrollment pages (the CA's web enrollment page is not directly accessible from the internet and currently can only be accessed internally), but I still can't seem to get a cert that works. I had installed an IPSec (offline request) cert but it doesn't work. I can't issue Computer or IPSec certs through the web page.
    I installed adminpak on the Windows XP client so I could use certreq but I can't seem to figure out how to formulate the .inf file to use with certreq. Per this thread:
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/29f00a04-3412-42f1-b364-c89e4a1b5794/
    I tried using an .inf file that looks like this:
    [Version]
    Signature= $Windows NT$
    [NewRequest]
    RequestType = PKCS10
    ProviderName = Microsoft Software Key Storage Provider
    Subject = CN=darktower
    KeyLength = 1024
    MachineKeySet = TRUE
    KeySpec = 2
    KeyUsage = 0x80
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.8.2.2 ;IP Security IKE Intermediate
    OID = 1.3.6.1.5.5.7.3.2 ;Client Authentication
    But apparently something about it is formatted for a newer version of the certreq utility because I get an error:
    C:\Documents and Settings\admin>certreq -new
    certreq.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
    1401.6158.0: 0x80090019 (-2146893799)
    1401.6952.0: 0x80090019 (-2146893799)
    1401.7080.0: 0x80090019 (-2146893799)
    Certificate Request Processor: The keyset is not defined. 0x80090019 (-2146893799)
    [RequestAttributes]

    DB:2.86:Ipsec Certificate For Non-Domain Computer cx

    I do remember reading about that. But I used default templates for most of my certificates, the only exceptions being a modified template for the VPN server itself and the IPSec (offline) template which I also modified. So I don't know if that
    means the new CryptoAPI is not used on any of them or not.
    At any rate I did find the solution. There was a netscreen VPN client (for Juniper firewall) installed on the non-domain PC and that application was apparently blocking IPSec communication. I discovered this when I could not get one of the domain
    joined computers to work until I removed the netscreen app. So I went back and removed it from the non domain PC and suddenly the L2TP/IPSec VPN worked fine using the IPSec (offline) cert I had already generated and installed.

    Edit: Oh I think I understand you to be saying that the reason I am getting the error when I try and use that .inf file with certreq is the Cryptography Next Generation. So I tried it again and removed that line from the .inf file and it worked
    to generate a new request so you are correct. Thanks for that.
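    The .inf in this thread, checked mechanically. The following Python script is an added example, not the poster's code and not a Microsoft tool: it parses a certreq-style .inf (keeping the repeated OID= lines that configparser would reject) and flags the two things the thread turns on, the CNG "Key Storage Provider" line that the Windows XP/2003 certreq.exe cannot use, and the IKE intermediate EKU 1.3.6.1.5.5.8.2.2 that an L2TP/IPsec machine certificate needs. The SAMPLE_INF inside it is constructed to mirror the one in the post; the 2048-bit key-length check is an added present-day recommendation, not something from the thread, and the "remove the ProviderName line" advice is the fix the poster reports.

```python
import re

# EKU OIDs that appear in the posted .inf
IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"        # Client Authentication

# Constructed sample mirroring the .inf in the post
SAMPLE_INF = """\
[Version]
Signature= $Windows NT$
[NewRequest]
RequestType = PKCS10
ProviderName = Microsoft Software Key Storage Provider
Subject = CN=darktower
KeyLength = 1024
MachineKeySet = TRUE
KeySpec = 2
KeyUsage = 0x80
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2 ;IP Security IKE Intermediate
OID = 1.3.6.1.5.5.7.3.2 ;Client Authentication
"""


def parse_inf(text):
    """Parse .inf text into {section_lower: [(key_lower, value), ...]}.

    Duplicate keys (the repeated OID= lines) are kept in order, and ';'
    starts a comment anywhere on a line, as certreq treats it.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key.lower(), value.strip('"')))
    return sections


def _values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def check_request_inf(text, legacy_certreq=True):
    """Return findings for a machine-certificate request meant for L2TP/IPsec.

    legacy_certreq=True models the Windows XP / Server 2003 certreq.exe, which
    only knows CryptoAPI (CSP) providers; a CNG 'Key Storage Provider' name makes
    it fail with 'The keyset is not defined', the error shown in the thread.
    """
    s = parse_inf(text)
    findings = []
    oids = _values(s, "enhancedkeyusageextension", "oid")
    if IKE_INTERMEDIATE_OID not in oids:
        findings.append("missing IKE intermediate EKU %s (required for IPsec certs)" % IKE_INTERMEDIATE_OID)
    if CLIENT_AUTH_OID not in oids:
        findings.append("missing Client Authentication EKU %s" % CLIENT_AUTH_OID)
    if [v.upper() for v in _values(s, "newrequest", "machinekeyset")] != ["TRUE"]:
        findings.append("MachineKeySet must be TRUE so the key lives in the computer store")
    for prov in _values(s, "newrequest", "providername"):
        if legacy_certreq and "key storage provider" in prov.lower():
            findings.append("CNG provider '%s' is not usable by the legacy certreq; "
                            "remove the ProviderName line" % prov)
    for kl in _values(s, "newrequest", "keylength"):
        # Added present-day check (not from the thread): 1024-bit RSA is too weak.
        if kl.isdigit() and int(kl) < 2048:
            findings.append("KeyLength %s is below the 2048-bit minimum expected today" % kl)
    return findings


def without_provider_line(text):
    """The fix the thread arrived at: drop the ProviderName line."""
    return "\n".join(l for l in text.splitlines()
                     if not l.strip().lower().startswith("providername"))


if __name__ == "__main__":
    for name, inf in (("as posted", SAMPLE_INF),
                      ("ProviderName removed", without_provider_line(SAMPLE_INF))):
        print(name + ":")
        for finding in check_request_inf(inf) or ["no findings"]:
            print("  -", finding)
```

    Run as a script it prints the findings for the .inf as posted (the CNG provider and the 1024-bit key) and again with the ProviderName line removed, which leaves only the key-length note; pass legacy_certreq=False to model a Vista-or-later certreq that does accept CNG providers.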

    DB:2.86:Creating A 5 Year Ssl Certificate For Iis With Makecert ma

    I need to create a 5 year SSL certificate with makecert and apply it to my IIS server.
    Sometimes when I create a cert they don't work.
    Looking for the best step by step info on how to make a cert with makecert or other recommended tool, so it works the first time without a lot of trial and error, troubleshooting and debugging.
    This will go on a Windows 2008 R2 Enterprise server running IIS. We don't want anyone accessing IIS on it without an SSL Cert.

    DB:2.86:Creating A 5 Year Ssl Certificate For Iis With Makecert ma

    Hi,
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Cataleya Li
    TechNet Community Support

    DB:2.85:Peap Tls With Computer Cert And Nps? d7

    I setup a Windows Cert server, and NPS server running Win 2008R2, in a AD domain. I am trying to have my wireless clients use Computer based certificates, however my NPS server is not seeing it as a proper cert for authentication.
    I am able to issue a user based cert ok and it sees it, and authenticates just fine. So I know there is no problems with the cisco wireless, or the NPS server as a whole.
    From what I have seen, to make a computer cert, on the PKI server, I right click on the Workstation Authentication Template, and create a new one, change permissions, the Subject name is common name (I have tried DNS and Fully Distinguished name as well) and make sure the alternate subject name is DNS.
    I then go into the CA portion and create a new certificate template to issue, I select the one I created.
    I then go to the client and request a new cert. I select the cert I made, then restart wireless, but instantly it comes up saying that it is unable to locate a cert for the wireless network.
    I have been banging my head on this for some time. It must be something I am missing with the computer cert, since I was able to make it work with the user cert with no problems.
    Thanks for any assistance!

    DB:2.85:Peap Tls With Computer Cert And Nps? d7

    Hi!
    I have exactly the same problem; everything works fine with a user cert but with only a computer cert it won't work. Did you get a solution?
    Mikael

    DB:2.85:Windows Server 2008 Standard And Encryption? 9f

    Hello, I am currently performing some research and I am curious if anyone has info on the improvements in Windows Server 2008 when it comes to encryption. I'd like to find out if EFS has been improved for a shared key/cert method, so that I can start recommending this as a feature. Managing EFS in a shared-key/cert environment (in 2003) proved to be a near impossible task, and I am hoping that Microsoft improved their support. Also, is there policy based encryption? As in, can you set a policy so that all files in shared folder X are encrypted against key/cert X? Any input is appreciated. Thanks, Matt
    Water in the Machine!

    DB:2.85:Windows Server 2008 Standard And Encryption? 9f

    Hi,
    As far as I know, there is no group policy for encrypting files or folders. However, if you encrypt a folder and select apply changes to this folder, subfolders and files, then all subfolders and files in the folder will be encrypted automatically.

    DB:2.84:Need Assistance In Vpn Setup pf

    Reading over this forum, seems everyone has trouble setting up VPN access on the SA540. I'm no different.

    One thing I DID figure out is, the QuickVPN client works much better if you delete any IKE and/or VPN profiles first. Seems backwards I know, but if there's a manual setup in the SA540, QuickVPN sits there and gives me errors all day long. Remove the setup, and it works.

    Now my particular issue is, I need to establish IPSec or SSL VPN with Windows 7 / XP built-in VPN. QuickVPN users can't be stored remotely on a RADIUS server, and this is an issue I can't work around.

    I'm thinking there's a connection issue due to the "local gateway" and "remote endpoint" settings. No idea what these should be set to, and the Admin Guide didn't help. As far as I can tell, there isn't a remote endpoint setting to be had, because these are remote users connecting from random IPs from across the internet.

    Second issue is, having some serious trouble getting certificates to work. We don't have a PKI established anyway, but I created a lab setup with Server 2008 R2 and managed to create and upload a local cert, machine cert (to client) and a private CA cert. The SA took the pertinent certs, but client VPN either says "server certificate is not trusted" in the case of QuickVPN, or if I try connecting over L2TP/IPSec "tunnel failed - a certificate chain started processing but failed". Very annoying.

    DB:2.84:Need Assistance In Vpn Setup pf

    Hi Patrick

    From your description SSL VPN is probably the best solution.
    It does support a RADIUS server, and you don't need a VPN client to be installed on your Windows. A web browser is good enough.

    Thanks

    Henry

    DB:2.83:Vpn: Ipad Ipsec And Microsoft Tmg 91

    I have a problem connecting to my IPsec VPN on Microsoft TMG.
    When I try to connect (IPsec with certificate) from Windows XP and Win7 to this VPN I don't have any problems.

    On my iPad I can only connect with L2TP with a preshared key, but with IPsec with certificate still nothing. I tried connecting with two certificates: the same one that I have on the PC, and a new one only for the iPad. In the iPhone Configuration tool I installed all the certificates (CA root, CA sub, VPN on TMG, client cert with client authentication). In my cert I have an external CRL. I tried a certificate with additional SANs (VPN server FQDN and IP address). When I try to connect from the iPad to the TMG IPsec VPN I found this error in the logs:
    EventId: 4653 An IPsec main mode negotiation failed.
    Local Endpoint: Local Principal Name: - Network Address: x.x.x.x Keying Module Port: 500
    Remote Endpoint: Principal Name: - Network Address: x.x.x.x Keying Module Port: 500
    Additional Information: Keying Module Name: IKEv1 Authentication Method: Unknown authentication
    So maybe anyone can help me? What am I doing wrong? Thanks a lot.

    DB:2.83:Dreaded Must Be Configured To Use A Valid Ssl Cert - 2008 R2 ac

    Hello everybody,
    I've been browsing through hundreds of topics on the dreaded "The RD Gateway server must be configured to use a valid SSL certificate" error using BPA (Windows Server 2008 R2 Std), but still haven't found a proper solution.
    Here's the issue: RDGW not operating properly and sometime accepting connections, sometimes not.
    I have an external domain example.com and internally, the domain is example.local. I have one server serving Exchange and RD; this is the server responding to mail.example.com and I have a StartSSL issued cert for mail.example.com, which is properly configured on the server (OWA is working properly with autodiscover etc.). SSL bindings seem alright, the default site is using the mail.example.com SSL cert.
    If I open the RDGW Manager and go to the SSL Certificate tab, the system looks happy having the cert installed, everything looks fine. Sometimes I even manage to connect - the connection is successful, I can normally connect to any of the servers or computers.
    On a second attempt, I just get the message that the logon attempt had failed. If I run BPA on the server, I get the error of not having a proper SSL cert. If I select a self-signed cert, then the BPA also goes through, but then I have problems with connections since everybody would need to have this cert installed.
    From what I read, my problems are related to the issue that the FQDN of my server is servername.example.local and the cert is issued to mail.example.com. How can I make the thing only talk via the mail.example.com cert? I don't think I can get a cert that'd also contain a SAN of servername.example.local from the CA.
    What can I do?

    DB:2.83:Dreaded Must Be Configured To Use A Valid Ssl Cert - 2008 R2 ac

    Hi Andrej,

    Thanks for posting in Windows Server Forum.

    Here is the article on the BPA's configuration logs, where you can check. It also states that certificates are the main problem related to this error. Please check that the certificate you have bound has the FQDN of the gateway server, that it is an SSL certificate and that it is a trusted certificate. Also check that the certificate you are importing to RD Gateway is in the local computer/personal store. For more information refer to the articles below.

    1. Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway implementation
    2. RDS: The RD Gateway server must be configured to use a valid SSL certificate

    In addition, you need to specify the FQDN of the RD Gateway under DefaultTSgateway in the IIS settings. Please go through the article below for details.
    RD Gateway/Web Access Outside the Firewall

    Hope it helps!

    Thanks,
    Dharmesh

    DB:2.82:[Pki] Does Windows Server 2003/2008 Support Netscape Private Certificate Extensions? 33

    Does Windows Server 2003/2008 support Netscape private certificate extensions like:

    http://purple.the-7.net/~ab/comm4-cert-exts.html
    ?
    And how to check it?
    Regards
    nstn

    DB:2.82:[Pki] Does Windows Server 2003/2008 Support Netscape Private Certificate Extensions? 33

    For the most part, yes, you can get these certificate extensions supported by using various certutil options. Search microsoft.com for certutil AND Netscape for more information.
    Paul Adare
    CTO
    IdentIT Inc.
    ILM MVP

    DB:2.82:Windows Server 2008 R2 Certificate Services -Stand Alone- z1

    - User certificates are issued via the web enrollment form for IPsec purposes; users are unable to install the cert on an iPhone or iPad since it is asking for a password. Can I add a password to the cert request or is there one already on the cert by default?

    DB:2.82:Windows Server 2008 R2 Certificate Services -Stand Alone- z1

    Hi,
    Take a look at the below article, search for Security policy for strong key protection
    It's because you have strong key protection on that certificate.

    http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx

    BR
    René

    DB:2.82:Client Cert Question fm

    We are setting up SCCM and SCOM to monitor workgroup-based POS devices (Windows XP Pro, SP2 and SP3) over the internet using port 443. We are using a certificate (issued by our own CA on Server 2008 Enterprise) based on the Computer certificate template and this works great for it talking to the SCOM Management Server.
    The certificate has Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
    The question is: Will this cert work OK for use as the computer cert for IBCM in SCCM?
    With these machines not being a member of the domain that SCCM and SCOM are in, we cannot use Autoenrollment policies to get the certs to them and will be forced to use a manual process (we're OK with that, for now).
    Any feedback is welcome - Thanks - BH

    DB:2.82:Client Cert Question fm

    The cert does work for both purposes

    DB:2.82:Enabling Ipsec On Lan Slows Data Transfer Speeds By 95% am

    Hello
    I am trying to enable IPSec on my LAN - but hitting some real performance barriers. I can typically get near 100 MB data transfer speeds between my file server and clients with IPSec disabled. When I assign an IPSec policy the speed drops to about 4 MB/sec.
    Ouch....
    We're encrypting all traffic - not traffic on specific ports - so http://support.microsoft.com/kb/2665206 is not applicable. Just to be 100% sure I tried the workaround and still no love. The server is Windows Server 2008 R2 and the clients are Windows 7 x64. The clients are HP 6200 business desktops with 8 GB of RAM and quad core processors. Plenty of oomph under the hood on both the server side and client side. The switch is a high end HP ProCurve gigabit (4208vl). I'm not seeing any jumbo packet errors in the switch log, so I don't think it is an MTU issue with the increased size of IPSec packets.

    Since enabling IPSec causes the slowdown and disabling it removes the bottleneck, I know it's related to IPSec. My IPSec policy is pretty straightforward: Request security on the LAN, ICMP excluded, Kerberos authentication. Monitoring IPSec in an MMC console confirms packets are confidential.
    Any suggestions out there are much appreciated.

    DB:2.82:Enabling Ipsec On Lan Slows Data Transfer Speeds By 95% am

    Narrowed it down a bit further to something with a specific encryption protocol.
    3DES = painfully slow
    DES = okay
    AES = fastest performance, but only available on Win7 / Server 2008..

  • RELEVANCY SCORE 2.80

    DB:2.80:Cisco Ipsec Vpn Server 31



    Hello,

    I want to set up a Cisco IPsec VPN server on my Windows 2008 R2 Standard OS.

    I want to know whether it is possible to use a Windows OS as the server for Cisco IPsec clients. If so, can you please point me to a guide, if one is available?

    Regards,

    Jebran.

    DB:2.80:Cisco Ipsec Vpn Server 31


    Jebran

     

    I looked on my iPhone and I find that there is a generic IPSec client built in and that there is also the Cisco specific AnyConnect VPN client. If the iPhone or OS X device is implementing generic IPSec Remote Access VPN (and not the Cisco specific client) then I would assume that your implementation on your Windows server should work. If you are loading the Cisco specific VPN client then I believe that your Windows server would be problematic.

     

    HTH

     

    Rick

  • RELEVANCY SCORE 2.80

    DB:2.80:Setup Of Cert-Based Ipsec Vpn p9


    Hi Everyone,
    I am trying to set up a cert-based IPsec VPN, using a Windows 2008 R2 server and a Windows XP SP3 client. I set up an enterprise root CA and configured the VPN by following these steps
    http://technet.microsoft.com/en-us/library/dd637815(WS.10).aspx and configured the client to connect using these steps
    http://support.microsoft.com/kb/314076, and when I attempt to connect, I am receiving error 786: ...There is no valid machine certificate...
    So from the certificate manager console, I attempted to request a new certificate but the certificate request wizard is showing the below-mentioned error:
    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.
    How do I request a machine cert for my Win XP client? Is this necessary for a cert-based IPsec connection?
    Thank You.

    DB:2.80:Setup Of Cert-Based Ipsec Vpn p9

    Hi Gavingtw,
    Thank you for your post.
    If you want to deploy L2TP/IPSec VPN or EAP-TLS VPN, your VPN clients need to join the domain and you need to deploy PKI auto-enrollment.
    If you want to deploy IKEv2 VPN or SSTP VPN, your VPN clients' OS does not support them. IKEv2 VPN (VPN Reconnect) requires Windows 7 and SSTP VPN requires Vista SP1.
    I suggest you use IKEv2 VPN with Windows 7 clients. Here are some VPN guides, hope they are helpful to you.
    Step-by-Step VPN Guide in Windows 2003
    Configure L2TP/IPsec-based Remote Access in Windows 2008
    Do we still need PPTP L2TP/IPsec after Windows 7
    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan

  • RELEVANCY SCORE 2.79

    DB:2.79:What For Are Ipsec And Ipsec ( Request Offline ) Certificates In Ca Certificate Templates Node 3s


    hi friends
    I want to deploy IPsec between 2 Win 2008 R2 domain-joined servers and select certificate as the authentication method.
    In the enterprise CA certificate templates node, we see 3 IPsec-related certificates:
    Computer cert - IPSec - IPSec (Offline request)
    I have heard that we should use the Computer certificate for this task, so what are those 2 other certificates (IPSec and IPSec (Offline request))?
    thanks

  • RELEVANCY SCORE 2.79

    DB:2.79:Updating Certificate z3


    Hello,
    We have a Small Business Server 2008. Currently there is a SHA-1 certificate with one hostname, mail.domain.com. We added a new email domain of mail.domain2.com to our email server. The current certificate is a GoDaddy standard SSL cert.
    We would like to add a UCC SHA-256 cert to our server so both hostnames are covered and the SHA-2 requirements are met. Is this possible with Small Business Server 2008 (Windows 2008, Exchange 2007) and what is the process for replacing the current
    certificate? Do we have to use the Small Business Server tools to do this?
    Thanks

    DB:2.79:Updating Certificate z3

    Hi Andy,
    To update the certificate, I don’t think that there is a special tool for SBS.
    Here are some references below for you:
    How to Assign an SSL Certificate to Services in Exchange Server 2013
    http://exchangeserverpro.com/exchange-2013-assign-ssl-certificate-to-services/
    Configure an SSL Certificate for Exchange Server 2010
    http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/
    For more information about Exchange, please refer to Exchange forums below:
    Exchange Server Forums
    https://social.technet.microsoft.com/Forums/exchange/en-US/home?category=exchangeserverforum=exchangesvrmobilitylegacyfilter=alltypessort=lastpostdesc
    Best Regards,
    Amy
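The replacement procedure on the Exchange 2007 that ships with SBS 2008, as an added example that is not part of the reply above (the reply's links cover Exchange 2010 and 2013, whose cmdlet syntax differs). It uses the Exchange Management Shell cmdlets only, no SBS wizard; the hostnames, organisation and file paths are assumed values.

```powershell
# Added example, not code from the thread: replace a single-name SHA-1
# certificate on Exchange 2007 (SBS 2008) with a multi-name (UCC/SAN)
# certificate using the Exchange 2007 Management Shell cmdlets.
# Assumed values: both hostnames, the subject, and the file paths.

# 1. Generate a request that covers both mail hostnames. The signature hash
#    (SHA-1 vs SHA-256) is chosen by the issuing CA when it signs the
#    certificate, not by anything in this request, so ask the CA for SHA-256.
New-ExchangeCertificate -GenerateRequest `
    -Path C:\Temp\mail.req `
    -SubjectName 'CN=mail.domain.com, O=Contoso Ltd, C=US' `
    -DomainName mail.domain.com, mail.domain2.com `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# 2. Submit C:\Temp\mail.req to the public CA as a UCC/SAN request and save
#    the issued certificate as C:\Temp\mail.cer (plus the CA's intermediate,
#    which goes into the Intermediate Certification Authorities store).

# 3. Import the issued certificate; this binds it to the private key created
#    in step 1 and returns the new thumbprint.
$new = Import-ExchangeCertificate -Path C:\Temp\mail.cer

# 4. Move the services from the old certificate to the new one. Exchange
#    prompts before it overwrites the existing SMTP binding.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS, SMTP, POP, IMAP

# 5. Confirm which certificate now carries each service; remove the old one
#    only after Outlook Anywhere and ActiveSync clients reconnect cleanly.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
```

The check that matters before cutting over is step 5: the new thumbprint should list every service the old one did, and CertificateDomains should show both hostnames, otherwise clients for the second domain will keep seeing a name mismatch.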

  • RELEVANCY SCORE 2.78

    DB:2.78:Howto Debug Ipsec In W2k8 pd


    Hello,
    how to debug IPSec in Windows 2008? oakley.log not found.
    Thanks,
    L.

    DB:2.78:Howto Debug Ipsec In W2k8 pd

    Hi, Oakley logging is no longer supported in Windows 2008. Please find the link http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/98d5725b-f285-4b20-894b-1b159488253c/

  • RELEVANCY SCORE 2.78

    DB:2.78:Windows Certification Stores - Decommissioning / Upgrade dj


    Hi All,
    I have two cert stores on my domain: one is on a Windows 2003 (Standard) Domain Controller, the other is a Windows 2003 (Enterprise) server that is not a DC.
    I need to decommission the domain controller and wish to create another cert store on an existing Windows Server 2008 R2 Enterprise Domain Controller.
    Will creating a cert store on 2008 R2 invalidate / put at risk my existing certificates, or will it just sit side by side?
    In addition, I have two sites; do I need a cert store for each site?
    Cheers

    K

    DB:2.78:Windows Certification Stores - Decommissioning / Upgrade dj

    Maybe one of the moderators who visit the threads from time to time will chime in and move the thread to the appropriate forum.

    Regards

  • RELEVANCY SCORE 2.78

    DB:2.78:L2tp/Ipsec Vpn Configuration On Server 2008 Without Any Psk Or Server Certificate f3


    Hi,
    I have configured L2TP/IPsec with a PSK and it is working; now I wish to configure a VPN server on Windows Server 2008 without any PSK or certificate for the client.
    We wish to give only the IP address of our VPN server to the client so that the client can connect to it with default settings.
    **L2TP/IPsec with optional encryption.
    Please help to configure it,
    Regards
    Kapil

    DB:2.78:L2tp/Ipsec Vpn Configuration On Server 2008 Without Any Psk Or Server Certificate f3

    Hi,
    Thanks for the prompt response. I have tried to configure user-level authentication using PPP authentication for the L2TP tunnel, but the VPN is unable to connect.
    Can you please share step by step installation of this.
    Please help to configure this..
    Regards
    Kapil

  • RELEVANCY SCORE 2.77

    DB:2.77:Nap Ca With Windows 2003 k9


    Hi,
    I was just wondering if using a Windows 2003 server as a NAP CA server (subordinate CA) is supported when using IPSec Enforcement with a Windows 2008 R2 based HPS server (e.g. for DirectAccess)?
    Best regards
    Thomas

    DB:2.77:Nap Ca With Windows 2003 k9

    Yes, that is supported.
    You can even use a Windows 2000 Server.
    For more details, please refer to
    http://technet.microsoft.com/en-us/library/dd125301(WS.10).aspx, in the Server software requirements section.
    Regards
    Qunshu
    Clarification: Microsoft doesn't own any liability & responsibility for any of my posting.

  • RELEVANCY SCORE 2.77

    DB:2.77:Windows Azure Connect Diagnostic Errors (No Connectivity Policy, No Ipsec Cert) 3a


    Hi there,
    I'm trying to set up Azure Connect from my local machine to my Azure account to allow me to do some worker-role based load testing.
    However, there seems to be some issues with the Azure Connect connection. When I run the diagnostic check I get two errors:
    Policy Check: There is no connectivity policy on this machine.
    IPsec certificate check: No IPsec certificate was found. Please ensure that this machine is configured for connectivity.

    I looked at the MSDN documentation on this, and it didn't seem so helpful. (http://msdn.microsoft.com/en-us/library/windowsazure/gg433016.aspx)
    The solution offered was Verify that your computer has an active internet connection.
    Well, my computer definitely has an active internet connection, can anyone suggest how I might go about fixing this?

    DB:2.77:Windows Azure Connect Diagnostic Errors (No Connectivity Policy, No Ipsec Cert) 3a

    Hi all,
    I had the same symptoms and solved it by inserting the mentioned endpoint into a proper group within the Azure Management Portal (Move into group), which I had simply forgotten to do before! :-)

  • RELEVANCY SCORE 2.75

    DB:2.75:Ipsec Issues With 2003 Server On 2008 Domain With Xpsp3 Client Machines cc


    Hello. I previously had a 2003 R2 domain with all XP SP3 computers for end users. I had IPSec configured in Group Policy to require security (Secure Server) for all machines and it worked perfectly. Since I read that IPSec and the Windows Firewall were integrated in 2008, I removed the IPSec policy on the domain controller before upgrading. I also turned off IPSec on all 2003 servers and all XP client machines before the upgrade, knowing I would re-institute it after the upgrade was complete and everything was working. Got the PDC upgraded to 2008 and raised the domain functional level to the same. I then went back and enabled the IPSec policies for my file server (Server (Request Security)) and for my clients (Client (Respond Only)) and ran into trouble. I did not enable IPSec on the 2008 PDC.

    I soon discovered that some of my end users were able to connect to the file server sometimes and sometimes they could not. In troubleshooting this issue, I found that IPSec was the cause of the problem, and it was quite intermittent. For example, on my machine, if I ran a net view \\fileserver, sometimes it would display the shared drives, and sometimes I would get a "network resource not found" error. If I pinged it 5 different times back to back, the ping would only be successful 2 out of 5 times; the other times I would get an unreachable, or "negotiating IPSec", and it would time out. I could not detect any pattern as to when it would work and when it wouldn't.

    I have a couple of questions:
    1. I thought that once an IKE negotiation happened, the communication between host and server would take place using those keys until they timed out (like 360 minutes) and new keys were negotiated. Based on what I saw, it seemed like it was negotiating SAs for each session and sometimes it worked and sometimes it did not. Why did it not continue to use the same IKE?
    2. Since I don't have any IPSec policies on the 2008 domain controller, I figured it would not come into the equation when XP client machines negotiated SAs and IKE with 2003 servers. Was I wrong in making this assumption? Does the introduction of the 2008 PDC affect how all machines institute IPSec? Thanks for any help.


  • RELEVANCY SCORE 2.75

    DB:2.75:Can I Copy A 3rd Party Certificate From One Cas Server To Another? 3x


    I have a server running as both HUB and CAS. I am moving the CAS role to a separate server. Can I copy the 3rd party Exchange certificate (the cert is from Entrust Certification Authority) from one server to another? If so, is this the correct
    procedure:
    1. export cert from server A
    2. import cert into server B
    3. remove cert from server A
    I am running Exchange 2007 SP2 Rollup 4. Also, server A is Windows 2003 SP2 Standard and server B is Windows 2008 R2 Enterprise.
    thank you

    DB:2.75:Can I Copy A 3rd Party Certificate From One Cas Server To Another? 3x

    Hi,
    Regarding how to export and import the certificate, you can refer to the following article:

    http://www.digicert.com/ssl-support/pfx-import-export-exchange-2007.htm

    If you would like to use one certificate, the subject alternative name of the certificate should include all FQDNs of these servers.

    A related article for your reference: Load Balancing Exchange 2007 Client Access Servers using Windows Network Load-Balancing Technology – Part 3:
    Creating Certificates and Testing Client Services
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.html

    Hope this helps. Thanks,

  • RELEVANCY SCORE 2.74

    DB:2.74:Certificate Template On 2008 Standard Dc fp


    Hi All,
    I'm having a problem with Certificate Templates. I figured out that it's because I'm using Server 2008 Standard so I can't duplicate an existing template as it will create a v2 cert template which won't work on a standard server. I'm trying to
    figure out how to use an existing template perhaps...or I'm open to other ideas.
    Basically I'm trying to implement NAP. I'm following this article:
    http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html
    and a few other MS articles. It wants me to duplicate the Workstation Authentication template because it already has Client Authentication. Then it has me add System Health Authentication.
    I tried adding these extensions to existing templates (IPSec) but it's all grayed out.
    Any help or suggestions would be appreciated! Thanks.

    DB:2.74:Certificate Template On 2008 Standard Dc fp

    Thanks Joson...for some reason I haven't been able to find that documentation. I'll take a better look at those two articles. If you have any others pertaining to isolation using Kerberos, I'd love to see them.

    Thanks!

  • RELEVANCY SCORE 2.73

    DB:2.73:Ipsec Policy af


    Hi:
    I have a single server (Server 2008) that I need my clients (Windows 7) to be forced to talk to using IPsec.

    Can I configure the IPsec policies on Windows 7 machines to ONLY initiate and negotiate IPsec when contacting this server?
    ammarhasayen

    DB:2.73:Ipsec Policy af

    Please consider the server isolation scenario described in the Windows Firewall with Advanced Security Design and Deployment Guide http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17077.
    /Hasain
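What that server isolation scenario looks like as a Windows Firewall with Advanced Security connection security rule, as an added example that is not part of either thread. It serves this question (negotiate IPsec only for one server) and the 3DES performance thread above (pick AES-128 for the quick mode ESP transform instead of the 3DES that the default "Request Security" policy produces). netsh is used because the rule must also work on Windows 7 and Server 2008 R2, which have no NetSecurity PowerShell module; the server address and rule name are assumed values.

```powershell
# Added example, not code from the threads: a connection security rule that
# makes Windows 7 clients require IPsec only for traffic to one server, with
# Kerberos machine authentication and AES-128 ESP instead of 3DES.
# Assumed values: the server address 192.0.2.10 and the rule name.

$serverIp = '192.0.2.10'   # assumed address of the isolated server

# Slow variant, shown only for contrast (do not run both): 3DES ESP, which
# is the transform behind the ~4 MB/s figure in the performance thread.
# netsh advfirewall consec add rule name=ServerIsolation3DES endpoint1=any endpoint2=$serverIp action=requireinrequireout auth1=computerkerb qmsecmethods=esp:sha1-3des

# Recommended variant: Kerberos computer authentication (domain members
# only), ESP with SHA-1 integrity and AES-128 encryption, rekey every
# 60 minutes or 100000 KB, whichever comes first. endpoint1=any keeps the
# client side unrestricted; endpoint2 limits the rule to the one server,
# so traffic to every other host is left alone.
netsh advfirewall consec add rule `
    name=ServerIsolationAES128 `
    endpoint1=any `
    endpoint2=$serverIp `
    action=requireinrequireout `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-aes128+60min+100000kb

# Keep ICMP outside IPsec so ping still answers while an SA is negotiating
# (the same exemption the performance thread's policy used).
netsh advfirewall set global ipsec defaultexemptions icmp

# Verify after the first connection: the quick mode SA list shows the ESP
# integrity and encryption actually negotiated with the server.
netsh advfirewall monitor show qmsa
```

The rule has to exist on the server as well, with the same authentication method and quick mode proposal, or the clients will fail to negotiate; the design guide in the reply covers deploying both halves through Group Policy. requireinrequireout on the clients means a client with this rule cannot reach the server at all unless IPsec succeeds, which is the intended behaviour for isolation but also why the ICMP exemption and the qmsa check are worth keeping during rollout.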

  • RELEVANCY SCORE 2.73

    DB:2.73:Certificate Dispursment And Authentication For Mobile Devices Using Nps, Ndes, And Eap-Tls Through Mdm Mechanism. 9k


    So I am reading through some of these other help items for EAP-TLS help and just wanted to get some input on my situation.
    I am having the hardest time trying to get any validation to work at all with my NPS setup. I tried looking at the minimal requirements for EAP-TLS for server and client but I just am not familiar enough with the whole process to understand where I am missing
    something.
    I have created a 2008 R2 enterprise CA that is also the NPS and NDES server. I will split those parts out later but right now just want to keep them together.
    I have made the CA an issuing CA from the root CA, which is a 2003 enterprise server. I have installed the web enrollment part as well.
    I set the NPS settings to the simplest I can, conditions based on an AD group which I am a part of. I created a cert that was the IPSEC offline cert, trying to follow the criteria given to me by our MDM for NDES deployment. It has client authentication in it.
    Set to signing and encryption and the subject name is set to supplied in request.
    What I want to be able to do is have NDES communicate with the MDM that has a SCEP application that can log in to the SCEP admin website, get a cert for a device that has authenticated into the MDM using AD creds, and allow it to connect to the wireless that
    is hosted on Meraki APs pointed at my 2008 R2 NPS.
    Any how-tos, input, 2 cents, "this is how you do it"s from anyone are much appreciated. I have had MS on the phone but they just prove to me that the cert can be used from my computer and that is the least of my concerns right now.
    Thanks in advance.

    DB:2.73:Certificate Dispursment And Authentication For Mobile Devices Using Nps, Ndes, And Eap-Tls Through Mdm Mechanism. 9k

    The following steps describe the overall procedure to get this working:
    1. Create a user account for each device you want to enroll in AD
    2. Create a suitable certificate template to be used with SCEP/NDES, make sure it is published in your CA and configured on NDES
    3. Make sure the CA certificate is trusted on the device to receive the client certificate via SCEP/NDES
    4. Deploy/issue the client certificate to your device using the user account/creds created in step 1
    The following blog post
    http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx on the Windows PKI blog describes the above steps in more detail, including some troubleshooting steps.
    /Hasain

  • RELEVANCY SCORE 2.72

    DB:2.72:Ipsec Einrichtung m8


    Hi everyone,
    here is the situation: I have the NCP Secure Entry Client but no IPsec-capable firewall. I would now like to do the IPsec configuration via the Windows Firewall on the Windows 2008 server, but I have no idea where and how to
    start. Does anyone have a good guide?
    Thanks!
    Regards
    Metzi

    DB:2.72:Ipsec Einrichtung m8

    Hello,
    the NCP clients are installed on Windows XP laptops which get to the Internet from outside via their iPhone and then want to connect via VPN. I thought this could be enabled via the firewall option on the server, or is it not
    that simple? Until recently all of this was done via the D-Link firewall, but it died on us and now we have one that is not IPsec-capable.

    Regards
    Metzi

  • RELEVANCY SCORE 2.72

    DB:2.72:Cisco Asa Vpn With Radius sc



    Is it possible to setup the Cisco ASA VPN using IPSec cert based authentication and at the same time using extended authentication (XAUTH) with a RADIUS server for user auth? Thanks.

    DB:2.72:Cisco Asa Vpn With Radius sc


    Thanks alot for the prompt response!

  • RELEVANCY SCORE 2.72

    DB:2.72:Ipsec Server And Workstation Communication c8


    Hi,

    I'm trying to implement IPsec between 2 servers (2008 R2) and some workstations (Win7). There is a physical firewall between the servers and the workstations, and my understanding (very basic) is that if I open the IPsec ports on the firewall (50, 51, 500, 88;
    KB233256), all communication between the server and workstations will be encapsulated in IPsec, and therefore I do not need to open the application-specific ports.
    Administrators will run some tasks from the server, crossing the firewall, and targeting the workstations, which need to be encrypted... This is why we want to use IPsec. Communication will not be initiated from the workstation to the server... Only from
    the server to the workstation.
    Up to now, I have assigned the default IPsec policies that come with Windows 2008 R2 (AD).
    - Server has Server (Request Security)
    - Workstation has Client (Respond Only)

    On a server and workstation, I run MMC and add the IPSec Monitor snap-in. I can see that the IPsec policy from the GPO is applied (overriding local). The IPSec service is running.
    My problem is that communication from the server to the client is happening over the regular ports, not over IPsec ports.
    I added a test workstation in the same zone as the server (no firewall in between) and the same happens.
    Any suggestion on how to get communication to happen over IPSec? I assume that it is not happening, because I only see the regular ports and it is not crossing the firewall. We opened all ports on the firewall, for a test, and communication happened over
    regular ports, not IPSec ports.
    I use netstat and Wireshark on the workstation to see open ports.
    I don't see any IPsec information in the Event Viewer.

    DB:2.72:Ipsec Server And Workstation Communication c8

    I gave up on IPsec. I'm using a different method. Even after getting it to work with Server Request on both ends, it still behaved strange (random startup delay).
    I did plenty of research, including reading the obvious technet information. My question was specific, and general info from technet wasn't going to help.

    thanks
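How to see what IPsec is actually doing on Windows Server 2008/2008 R2 and Windows 7 now that oakley.log is gone, as an added example that is not part of this thread or of the "How to debug IPsec" thread above (which it also serves). By default the Security log carries no IPsec events at all, so "no IPsec information in the Event Viewer" is the normal state until the audit subcategories are switched on. The peer name and capture path are assumed values.

```powershell
# Added example, not code from the threads: collect IPsec negotiation detail
# on Windows Server 2008/2008 R2 and Windows 7 (no oakley.log). Enables the
# IPsec audit subcategories, takes a WFP trace around a reproduction of the
# problem, lists the current SAs, and pulls IKE failures from the Security
# log. Assumed values: the peer name 'fileserver' and C:\Temp for output.

$peer = 'fileserver'   # assumed name of the peer you are negotiating with

# 1. Enable auditing for IPsec main mode, quick mode and the IPsec driver.
#    Until this is done the Security log records nothing about IPsec.
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver"     /success:enable /failure:enable

# 2. Trace the Windows Filtering Platform while reproducing the failure.
#    The .cab contains wfpdiag.xml with every filter match and SA decision;
#    'net view' stands in for whatever operation fails intermittently.
netsh wfp capture start file=C:\Temp\wfpdiag.cab
net view \\$peer
netsh wfp capture stop

# 3. Current SAs. A main mode SA with no quick mode SA means the IKE
#    authentication worked and the failure is in the quick mode proposal
#    (integrity/encryption mismatch); no main mode SA at all means the
#    authentication or the connection security rules do not match.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 4. IKE failures from the Security log. 4652/4653 = main mode negotiation
#    failed, 4654 = quick mode negotiation failed; the event text names the
#    failure point (no credentials accepted, proposal mismatch, timed out).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the side that initiates (the server, in this thread) and then on the responder: an intermittent pattern such as "works 2 times out of 5" usually shows up in step 4 as 4653 events with a failure reason that alternates with successes, which narrows the problem to one SA lifetime or one authentication method rather than to the policy as a whole.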

  • RELEVANCY SCORE 2.71

    DB:2.71:Change Computer Name For L2tp/Ipsec 3c


    Hello,

    I am trying to connect to our Windows Server 2008 based network at the institute. The VPN is L2TP/IPSec based and uses machine certificates (+credentials) for authentication.

    The sole problem I have is that I cannot find a way to change the hostname of my Mac from e.g. iMac.local to iMac.institute.org. This is needed as the VPN server tries to match the name my Mac gives when connecting to the name in the machine certificate.

    A lot of googling didn't help, any suggestions where to start?

    Cheers
    M

    DB:2.71:Change Computer Name For L2tp/Ipsec 3c

    Thanks for your reply. The problem is that I'm trying to access the institute's LAN via VPN from my iMac at home. And I have no IT department at home. By now, I have managed to set my hostname using scutil. But now I have another problem: the IPSec configuration dialog does not allow me to choose a machine certificate. The button just does not work... But I'll post this in an appropriately named new thread.

  • RELEVANCY SCORE 2.71

    DB:2.71:Asa Router Certificate Based Vpns (Ndes) ad



    In the near future, I'm going to be deploying some ASA5515-X firewalls and some 887VA routers that will require site-to-site VPNs.

    We have been asked to use certificate-based authentication for the VPNs (rather than a shared secret).

    I'm planning to deploy the certificates to the ASAs and routers via NDES (Server 2012). I've worked out how to deploy the 'IPSEC (Offline request)' certificates to both the ASA and router IOS. That's fine.

    Question 1: Will the devices automatically renew their certificates via NDES? I ask because any documentation I can find says 'will renew when it expires'. If I'm using the cert for VPN auth it needs to renew before it expires, as the NDES server is at the other end of the VPN tunnel. If it waits till it expires, won't the tunnel go down and then block access to the Windows server running NDES?

    Question 2: Is the IPsec (Offline Request) certificate sufficient (or should I say the correct one) for securing site-to-site IPSEC VPNs?

    Question 3: I'm assuming once the devices have the correct certs, all I need to do is set 'authentication rsa-sig' rather than 'authentication pre-share'. Is that correct? Or do both devices need to be able to 'resolve' the IP address of the remote device to the name it presents on its cert?

    Question 4: Anything else I'm forgetting?

     

    Regards,

     

    Pete


  • RELEVANCY SCORE 2.71

    DB:2.71:Can I Use My Chainedssl Cert? j8





    I bought the ChainedSSL cert from www.freessl.com so I don't have a cert warning when using my Mac. The domain is IP based, so that's not the issue. I chose Apache+MODssl as my server type, but I can't get the cert to load. Is there a trick to getting a chained cert to work? Thanks...

    DB:2.71:Can I Use My Chainedssl Cert? j8




    Glad it worked for you.

    I always create the file locally and upload, and I've never had a problem. The fact that you did suggests something in the formatting of the file that you perhaps couldn't see, or something in the way your browser was uploading the files: they must be dealt with as ASCII, not treated as binary files, for them to work.

  • RELEVANCY SCORE 2.71

    DB:2.71:Arrconfig To Reroute Owa Requests Wont Complete aa


    Hello,
    I have been migrating SBS 2008 to Windows Essentials 2012 with on prem Exchange 2013. I think I have everything working with the exception of OWA and ActiveSync.
    I am trying to run the following ARRConfig but it keeps complaining about the syntax. Could someone help me?
    ARRConfig config -cert D:\Downloads\mail.pfx -hostnames mail.domain.com,autodiscover.domain.com

    C:\Program Files\Windows Server\Bin>ARRConfig config -cert D:\Downloads\mail.pfx -hostnames mail.domain.com,autodiscover.domain.com
    ARRConfig config -cert <certificate> -hostnames name1[,name2,...nameN] [-targetserver <server name>]
    ARRConfig unconfig
    Example:
    ARRConfig config -cert c:\tmp\certificate.pfx -hostnames www.contoso.com,mail.contoso.com
    ARRConfig config -cert c:\tmp\certificate.pfx -hostnames www.contoso.com,mail.contoso.com -targetserver MyExchangeServer

    DB:2.71:Arrconfig To Reroute Owa Requests Wont Complete aa

    Hi,

    I’m glad to hear that you have resolved the issue and thanks for sharing your solution in the forum. This will help others who face the same scenario resolve the issue quickly. If there is
    anything else I can do for you, please do not hesitate to let me know. I will be very happy to help.

    Best Regards,

    Andy Qi
    TechNet Community Support

  • RELEVANCY SCORE 2.70

    DB:2.70:Small Busineaa Server 2008 70-653 jx


    Hi,
    I am thinking of taking this exam, but from the Microsoft site I'm unsure whether it is a cert or just a credit towards a cert.
    It states on the site:
    Exam 70-653: TS: Windows Small Business Server 2008, Configuring: counts as credit toward the following certification(s):
    70-653: TS: Windows Small Business Server 2008, Configuration

    Is it not the same?

    Many thanks in advance

    DB:2.70:Small Busineaa Server 2008 70-653 jx

    Thank you Konrad for your reply, That makes it clearer for me..

  • RELEVANCY SCORE 2.70

    DB:2.70:Windows 7 Computer Certificate And Windows 2008 Ca No Templates Available 13


    Hi, I am trying to install a computer certificate to use with an IPSEC VPN on my Windows 7 laptop.

    I have an Enterprise CA installed on a Windows 2008 server. The laptop is not part of the domain, so I VPN in and open up the computer cert MMC on my laptop.

    I VPN in, then open the web page to certsrv. I do a cert request, but in the drop-down box there is no computer certificate.
    I then tried a custom request from the Personal store and again there are no templates from which to choose a computer cert. I only have No template (CNG) or No template (Legacy).
    What am I missing here? I have been trying to install a computer cert all week but can't.

    Any help would be appreciated

    DB:2.70:Windows 7 Computer Certificate And Windows 2008 Ca No Templates Available 13

    Hi NeilBarker,

    Regarding the Windows 2008 CA issue, I suggest you create a new thread in the Windows Server 2008 forum. That way you will get an accurate and efficient response. Please understand that we only discuss Windows 7 network issues in this forum.
    Thus, we are not the best resource for this issue. Thank you for your understanding.

    For your reference, I have enclosed the Windows Server 2008 forum below:

    http://social.technet.microsoft.com/Forums/en/category/windowsserver

    Regards,
    Novak
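Manual enrollment for a machine that has no domain account, as an added example that is not part of this thread or of the error-786 XP thread above (both hit the same wall: without a domain identity, neither auto-enrollment nor the template list in certsrv is available, so the request has to be built offline and submitted by someone who does have Enroll rights). It assumes a client FQDN, a CA config string and a template named ComputerOffline that is a duplicate of the Computer template with the subject name set to "Supply in the request"; the built-in Computer template builds its subject from Active Directory, which cannot work for a machine with no object there.

```powershell
# Added example, not code from the threads: certreq-based offline enrollment
# of a computer certificate for a non-domain client. Step 1 runs on the
# client, step 2 on any domain-joined machine whose user has Enroll rights
# on the template, step 3 on the client again.
# Assumed values: client FQDN laptop01.corp.example, CA config string
# "ca01.corp.example\Corp-Issuing-CA", template name ComputerOffline
# (Computer duplicated with subject name = "Supply in the request").

# --- Step 1 (on the client): create the offline request ------------------
$inf = @"
[NewRequest]
Subject = "CN=laptop01.corp.example"
KeyLength = 2048
; AT_KEYEXCHANGE: the key can both sign and do key exchange
KeySpec = 1
; digitalSignature + keyEncipherment
KeyUsage = 0xA0
; put the key in the Local Computer store, not the current user's
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path C:\Temp\laptop01.inf -Value $inf -Encoding ASCII
certreq -new C:\Temp\laptop01.inf C:\Temp\laptop01.req
# Copy C:\Temp\laptop01.req to a domain-joined machine.

# --- Step 2 (on a domain-joined machine): submit to the enterprise CA ----
# A PKCS#10 request carries no template of its own, so the template is
# named as a request attribute. If the template requires CA manager
# approval the request is left pending and "certreq -retrieve" fetches
# it once approved.
certreq -submit -config "ca01.corp.example\Corp-Issuing-CA" `
    -attrib CertificateTemplate:ComputerOffline `
    C:\Temp\laptop01.req C:\Temp\laptop01.cer
# Copy C:\Temp\laptop01.cer back to the client.

# --- Step 3 (on the client): bind the certificate to the pending key -----
certreq -accept C:\Temp\laptop01.cer

# Confirm it landed in the machine store with its private key. The CA's
# root certificate must also be imported into Cert:\LocalMachine\Root on
# the client, or the chain will not validate during IPsec/VPN authentication.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=laptop01.corp.example' } |
    Select-Object Subject, HasPrivateKey, NotAfter, Thumbprint
```

Two points decide whether the VPN side then accepts the certificate: the subject (or a SAN) must be the name the server expects for the machine, and the private key must be in the machine store, which is what MachineKeySet = TRUE and running step 1 elevated guarantee. On XP the same INF works with the XP certreq, with HashAlgorithm dropped since that client predates SHA-2 requests.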

  • RELEVANCY SCORE 2.70

    DB:2.70:Sql 2008 And Ssl x8


    I want to secure the entire data path between our (internal) SQL 2008 server and our internal apps (data in motion). I presume I will need an SSL cert on the SQL Server to enforce SSL-type connections.
    Question: does SSL apply only to browser-based clients, or can Win32 apps use SSL?
    TIA,
    barkingdog
    P.S. If this is the wrong forum for this question......sorry.

    DB:2.70:Sql 2008 And Ssl x8

    For questions regarding support for any specific client, I would recommend the SQL Server Data Access forum.
    Generally speaking, for SQL Server SSL support the following link should be a good resource: Encrypting Connections to SQL Server (http://msdn.microsoft.com/en-us/library/ms189067.aspx).
    -Raul Garcia
    SDE/T
    SQL Server Engine
    This posting is provided AS IS with no warranties, and confers no rights.
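A non-browser client doing exactly that, as an added example that is not part of the reply above: .NET's SqlClient (the same provider Win32/.NET applications use), driven from PowerShell, opens a connection that requires TLS and validates the server certificate, then asks the server whether the session really is encrypted. The server name is an assumed value; the login is the current Windows account.

```powershell
# Added example, not code from the thread: force an encrypted SqlClient
# connection to SQL Server 2008 from a non-browser client and verify the
# negotiated state from the server side. Assumed value: the server name.

function Test-SqlConnectionEncryption {
    param([string]$Server = 'sql01.corp.example')   # assumed server name

    # Encrypt=True makes the client require TLS. TrustServerCertificate=False
    # makes it validate the server certificate against the machine's trusted
    # roots, so a self-signed or wrong-name certificate is rejected rather
    # than silently accepted; setting it to True would defeat the point.
    $cs = "Server=$Server;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        # sys.dm_exec_connections reports the negotiated state of this very
        # session, so the answer cannot be faked by the client side.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, net_transport, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            New-Object PSObject -Property @{
                Server        = $Server
                EncryptOption = $reader['encrypt_option']   # expect TRUE
                Transport     = $reader['net_transport']    # expect TCP for a remote client
                AuthScheme    = $reader['auth_scheme']      # KERBEROS or NTLM with Integrated Security
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Close()
    }
}

Test-SqlConnectionEncryption -Server 'sql01.corp.example' | Format-List
```

Encrypt=True only protects the applications that set it. To guarantee that every internal app encrypts, including the ones whose connection strings you do not control, turn on Force Encryption for the server's protocols in SQL Server Configuration Manager after installing the certificate; the function above is then the check that a given client ends up with encrypt_option = TRUE rather than falling back to clear text.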

  • RELEVANCY SCORE 2.70

    DB:2.70:Mcsa Server 2008 Upgrade From 70-649 f3


    Hello there,
    I am interested in achieving the MCSE: Private Cloud certification. (http://www.microsoft.com/learning/en/us/certification/cert-private-cloud.aspx)
    For that I need to achieve MCSA: Windows Server 2008 with exams 640, 642 and 646. (http://www.microsoft.com/learning/en/us/certification/cert-windows-server-2008-MCSA.aspx)
    I passed exam 070-649, which was the upgrade from MCSE on Windows Server 2003 to Windows Server 2008.

    Do I need to pass these exams, given that I have already done the 649 exam? What is the best path for me to achieve MCSA: Server 2008?
    On one forum, someone suggested that since I have done the 649 exam, I need to do 70-646 to achieve MCSA: Windows Server 2008.
    Regards
    Avi

    DB:2.70:Mcsa Server 2008 Upgrade From 70-649 f3

    Hi,

    Please refer to http://www.microsoft.com/learning/en/us/certification/cert-windows-server-2008-MCSA.aspx AND

    http://www.microsoft.com/learning/en/us/certification/cert-private-cloud.aspx

  • RELEVANCY SCORE 2.69

    DB:2.69:Problems Generating A Cert For Acs 4.1 Using Ms 2008 R2 Cert Svcs z7



    I am having difficulty installing a certificate on ACS that was generated using Microsoft Certificate Services under Server 2008 R2. The problem I'm having is finding documentation that addresses using ACS 4.1 and Microsoft Cert Svcs 2008 R2. There is plenty of documentation using Server 2003 Cert Svcs but not 2008.

    I follow the instructions for 2003 and there are differences in the interfaces. I think I'm picking the right options, but after the cert is installed and the CA is added, I still can't turn on SSL because it says there are no certs installed. I installed the self-signed cert and that worked. Can't figure out what I'm doing wrong. Can anyone provide instructions for generating the cert using Server 2008 R2 Certificate Services?

    DB:2.69:Problems Generating A Cert For Acs 4.1 Using Ms 2008 R2 Cert Svcs z7


    Thanks Nate.

    Here's what I tried:

    After receiving your response I tried again and it worked. I had to create a template on the cert server and use it when generating the cert. I couldn't find "Server Authentication" in the "Enhanced Key Usage" field. It only gave the option of exchange or encrypt or both exchange and encrypt. I left it at the default.

    The only thing I did differently was the template I used. The cert template "Web Server" didn't work. I copied it as a Server 2003 template and that was the trick. Previously I created a Server 2008 template that did not work.

    For anyone reading this, the closest instructions I could find are at:

    https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#backinfo

    They don't mention that you need a Server 2003 template in the instructions on how to create a template, though...

  • RELEVANCY SCORE 2.69

    DB:2.69:L2tp Connection Failed m1


    Hi All,
    I am trying to establish a cert based IPSec VPN connection between a Windows Server 2008 and Windows XP client.
    When I am connecting it is showing Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication.
    On my server I have already deployed the Computer certificate template. On my client I have already requested the computer certificate and have installed it on my XP client (through Web enrollment).
    But it is still showing the above mentioned error. Any idea how can I rectify this?
    Thanks In Advance,
    Perumal

    DB:2.69:L2tp Connection Failed m1

    When using L2TP/IPSec two authentications will occur. The IPSec connection is authenticated using computer certificates, if not optionally configured to use MD5/Shared Key authentication. The second authentication is the L2TP user auth; this can be any of PAP, CHAP, MSCHAP, MSCHAPv2 or any EAP-based authentication method.
    If you want to use L2TP/IPSec with a user certificate you need both a computer certificate installed in the computer personal store and a user certificate installed in the user personal store, as described by Rick Tan. Because IPSec does not perform certificate mapping it is possible to use the same certificate for both computer and user authentication.
    If you want to configure L2TP/IPSec using only password authentication then you only need the computer certificate, as the user will provide username and password.
    /Hasain

  • RELEVANCY SCORE 2.69

    DB:2.69:Problem Ipsec / Ssl Vpn (Webvpn) Asa5550 And Microsoft Ca zz



    Hi,

    We want to connect by Cisco VPN Client to an ASA5550 (IOS 8.0(4)) over VPN with certificates generated by a Microsoft CA (Server 2008 Enterprise).

    ASA has own certificate generated by MS CA and client cert are also generated by MS CA.

    (link:http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml )

    What is wrong ??

    Log from Cisco VPN Client:

    Cisco Systems VPN Client Version 5.0.02.0090

    Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

    Client Type(s): Windows, WinNT

    Running on: 6.0.6001 Service Pack 1

    23 11:49:58.219 05/25/09 Sev=Warning/3 IKE/0xE3000081

    Invalid remote certificate id: ID_IPV4_ADDR: ID = 0x3DD827C3, Certificate = 0x00000000

    24 11:49:58.219 05/25/09 Sev=Warning/3 IKE/0xE3000059

    The peer's certificate doesn't match Phase 1 ID

    25 11:49:58.219 05/25/09 Sev=Warning/2 IKE/0xE30000A7

    Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2238)

    Do you have any solution?

    The same config on the PIX 515E and the same VPN Client works!!

    Additional log from ASA in attachment.

    Mateusz

    DB:2.69:Problem Ipsec / Ssl Vpn (Webvpn) Asa5550 And Microsoft Ca zz


    Config is rather OK.

    We have the same problem as in:

    http://ccie.pl/printview.php?t=2803start=0sid=1fbac76293e66db08011359c7c055f06

  • RELEVANCY SCORE 2.68

    DB:2.68:L2tpipsec Connect Issue 88


    I have a Windows Server 2008 R2 with the latest updates installed, running L2TP/IPsec and PPTP services. The reason we still need the PPTP service is that none of our Windows 7 and 8 systems can connect to Windows Server 2008 R2 using L2TP/IPsec; it returns...

    Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer
    and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

    However, when we use our Android 4.1 smartphone, and Apple MacBook Pro with Mountain Lion 10.8.2 to connect to Windows Server 2008 R2 using L2TP/IPsec, it all worked, but NOT the Windows-based laptops.

    Steps we took to try to resolve the problem:

    1) Disabled firewalls on BOTH the server AND the Windows systems that try to connect to it.
    2) Made sure all ports associated with L2TP/IPsec are open between BOTH server AND system.

    We also suspect some additional settings on the Windows system (not the server) need to be done, because logically, if Android, Apple MacBook Pro OS X 10.8.2 Mountain Lion, even a Mac, can connect to Windows Server 2008 R2's L2TP/IPsec VPN service, then we know the server side is configured correctly.

    L2TP/IPsec is using Preshared Key.

    DB:2.68:L2tpipsec Connect Issue 88

    This link might be helpful for you. Though it lists Windows Vista and Server 2008, I am sure the problem with Windows 8 is the same as it was with them. You can have a look at it:

  • RELEVANCY SCORE 2.68

    DB:2.68:Possible To Access Dc In Remote Site Via Ipsec Vpn? cd



    Hello,

    Is it possible to access DC [ Windows 2008 ] in another site via IPSec VPN?

    Limitations are:-
    Can not add any additional DC in new site.
    Can not create child domain.
    Can add DNS server.
    Pls suggest.

    DB:2.68:Possible To Access Dc In Remote Site Via Ipsec Vpn? cd

    See the links below on how Domain Controllers are located:

    Domain Controller Locator: an overview
    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx
    How is your DNS configured; is it AD integrated? I would recommend configuring the site C DNS server with the AD role and configuring Sites and Services accordingly.
    Refer to the links below for Active Directory Sites and Services:
    http://technet.microsoft.com/en-us/library/cc730868.aspx
    http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml
    If DNS is not AD integrated then I would recommend configuring it as AD integrated; there are benefits to that: http://technet.microsoft.com/en-us/library/cc737383(v=ws.10).aspx

    How To Convert DNS Primary Server to Active Directory Integrated
    http://support.microsoft.com/kb/816101
    Also, if one site's DC goes down and there is no network connectivity issue to the other site, then the DC in the other site will be used. You need to properly configure the DNS settings on DNS servers and clients as below and map the client subnets to the appropriate AD sites.
    Best practices for DNS client settings on DC and domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    Also the required ports should be open for AD communication:
    Active Directory Firewall Ports - Let's Try To Make This Simple
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    There's some info on FSMOs and what would happen if any specific FSMO is down for any length of time, permanently or temporarily.
    Active Directory FSMO Roles Explained and What Happens When They Fail and Why you may not be able to keep a DC up once roles were seized.
    http://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx
    Hope this helps.
    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator |
    My Blog

    Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights.

  • RELEVANCY SCORE 2.68

    DB:2.68:Ipsec In Ipv6 Protocol Support 9m


    Hi,
    I am currently working on my bachelor thesis in a lab project with IPv6. In my thesis I want to find out if today's IPv4 plus IPSec-on-top implementations could be replaced with IPv6 and its integrated features.
    As I was reading about IPv6, IPv6 offers IPSec security features based on the RFC inside the IPv6 protocol.
    When I was searching the web I couldn't find detailed information about whether Windows 7 and Windows Server 2008 R2 already support IPv6 and IPSec protocol functionality, and how I can use it.
    How are those OSes using IPv6 and IPSec protocol implementations, and where can I find detailed information about it?
    Any help would be appreciated!
    Thanks in advance and greetings from Germany,
    André

    DB:2.68:Ipsec In Ipv6 Protocol Support 9m

    IPv6 is just a protocol, a method of communication. All IPv6 does is set a standard for how bits are to be moved from one place to another. IPv6 in and of itself doesn't do anything. The implementation of what is described in the standard is up to the OS. Having said that, IPSec in IPv4 is a method of encapsulation, whereas with IPv6 it is taken into account by the protocol definition and thus no encapsulation is necessary.
    There are multiple ways to take advantage of IPSec (with or without IPv6) in Windows -- these are detailed in the third link above -- but I think that GPOs and the Advanced Firewall are the easiest way to configure it.
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
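
    The "Advanced Firewall" route Jason mentions, as an added example that is not part of the original thread: the netsh commands below create a Windows Firewall with Advanced Security connection security rule on Windows 7 / Server 2008 R2 that requires IPsec with computer-certificate authentication between two subnets, then show how to confirm that IKE/AuthIP actually negotiated. The subnets, rule name and CA name are assumptions; the CA name must be the subject of the issuing CA exactly as it appears in the Issuer field of the machine certificates. On Windows 8 / Server 2012 and later the same rule can be created with New-NetIPsecRule, but the thread's platforms have netsh only.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on
# Windows 7 / Server 2008 R2, where netsh advfirewall is the native tool.
$ruleName = 'IPsec-Require-Cert'                 # assumption
$localNet = '192.168.1.0/24'                     # assumption: this side's subnet
$peerNet  = '172.16.0.0/24'                      # assumption: the remote subnet
$caName   = 'CN=CompCA,DC=mydomain,DC=local'     # assumption: subject of the issuing CA (Issuer field of the machine cert)

# Require IPsec for inbound traffic, request it for outbound, and authenticate
# peers with a computer certificate that chains to $caName. Quoting every
# argument keeps PowerShell from splitting the comma-separated DN into an array.
netsh advfirewall consec add rule "name=$ruleName" `
    "endpoint1=$localNet" "endpoint2=$peerNet" `
    "action=requireinrequestout" `
    "auth1=computercert" "auth1ca=$caName" `
    "mode=transport" "profile=any"

# Confirm the rule was stored as intended
netsh advfirewall consec show rule "name=$ruleName"

# After sending traffic to a host in $peerNet, a main-mode SA should appear.
# No SA means IKE/AuthIP never completed: check both sides for a machine cert
# with a private key that chains to $caName, and read Security log events
# 4652/4653 (main mode negotiation failed) for the reason.
netsh advfirewall monitor show mmsa
```

    "requireinrequestout" is the safe first step: peers that cannot authenticate are still able to reach this host outbound, so a certificate problem degrades to clear text rather than to an outage. Once every peer shows a main-mode SA, change the action to "requireinrequireout" to stop clear-text fallback.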

  • RELEVANCY SCORE 2.68

    DB:2.68:Do All Versions Of Windows Server 2008 R2 Support The Tablet Pc? kp


    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows Server 2008 R2 Standard Edition
    Windows Server 2008 R2 Enterprise Edition
    Windows Server 2008 R2 Datacenter Edition
    Windows Server 2008 R2 for Itanium-based Systems
    Windows HPC Server 2008 R2 for high Performance supercomputers
    Windows Server 2008 R2 Foundation

    DB:2.68:Do All Versions Of Windows Server 2008 R2 Support The Tablet Pc? kp

    Hello,

    According to the thread below, you can install Windows Server 2008 on a tablet PC but seems some of features or services are not supported.
    Can windows Server 2008 support tablet PC ???
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/5d17d09d-1d14-4bf7-8468-19b15c9cb66a

    Thanks
    ZHANG

  • RELEVANCY SCORE 2.67

    DB:2.67:Difference In Httpwebrequest X509 Handling Between Win7/Windows Server 2008 md


    Hi, I have a piece of C# code that calls the Azure Management APIs with a file-based cert (.CER file).
    The code runs fine under .NET 4.0 on Windows 7 and fails with a 403 under .NET 4.0 on Windows Server 2008 SP2.
    As I'm not getting the cert from a store I don't believe it's store related, but I've tried running as administrator (right click, run as) on the server, despite being logged in AS an admin. No change.
    I have also tried both debug and release but am stuck in a 'works on my machine' loop..
    Thoughts?
    The code is below:

    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    String URL = endUrl;
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URL);
    request.Proxy = null;
    request.Headers.Add("x-ms-version", "2009-10-01");

    // Client certificate loaded from a .cer file (public part only; the matching
    // private key has to be reachable through the machine/user key store)
    X509Certificate Cert = X509Certificate.CreateFromCertFile("C:\\code\\test.cer");

    // forget bad SSL certs.. (note: this accepts any server certificate and so
    // disables TLS server validation for the whole process)
    ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
    request.ClientCertificates.Add(Cert);
    request.Method = "GET";

    HttpWebResponse response = null;
    try
    {
        // Get the response.
        response = (HttpWebResponse)request.GetResponse();
    }
    catch (Exception)
    {
        // rethrow without resetting the stack trace
        throw;
    }

    Thanks,
    Ian

    DB:2.67:Difference In Httpwebrequest X509 Handling Between Win7/Windows Server 2008 md

    Is it possible that your Windows 7 machine had the cert in the store, whereas the Windows 2008 R2 machine does not?
    I don't think it is possible to do HTTPS without the cert being in the store.
    feroze
    --
    My blog (including System.Net topics) | Subscribe in a reader | Instruction on how to create a tracelog with your System.Net application | System.Net Links and HOWTOs

  • RELEVANCY SCORE 2.67

    DB:2.67:Zone Based Firewall / Ipsec Vpn 9d


    Hello,

    DB:2.67:Zone Based Firewall / Ipsec Vpn 9d


    After applying the virtual template to the outside security zone everything started working.

    thanks!

  • RELEVANCY SCORE 2.67

    DB:2.67:Cant Find Federationmetadata.Xml m1


    Using ADFS 2.0 on windows server 2008 / CRM 2013
    I can get to the XML file if I go to the URL https://adfs.myexample.Com//federationmetadata/2007-06/federationmetadata.xml
    But when entering the details above into the claims based configuration wizard I get told that its unable to find the metadata.xml
    ADFS and CRM are installed on the same Server.
    Adfs has the default website on port 443 binding https://adfs.myexample.com with wildcard cert
    CRM has the MS dynamics website on portXXX(not same as default) binding Https://externalcrm.myexample.com with wildcard cert
    internal CRM 5555

    I can get to https://externalcrm.myexample.com internally and get a Windows login prompt rather than a CRM-type login.
    I can also reach the web server on a mobile device externally and get a Windows-style login prompt rather than a CRM login page.
    I have read just about every blog, white paper and video, but they lack troubleshooting tips.

  • RELEVANCY SCORE 2.67

    DB:2.67:Tmg: Ipsec + Ipad 19


    I have a problem connecting to my IPsec VPN on Microsoft TMG.
    When I try to connect (IPsec with certificate) from Windows XP and Win7 to this VPN I don't have any problems.

    On my iPad I can only connect with L2TP and a pre-shared key, but with IPsec with certificate still nothing.

    I tried connecting with two certificates: the same one I have on the PC, and a new one only for the iPad. In the iPhone Configuration Utility I installed all certificates (CA root, CA sub, VPN on TMG, client cert with client authentication). My cert has an external CRL. I also tried a certificate with additional SANs (VPN server FQDN and IP address).
    When I try to connect from the iPad to the TMG IPsec VPN I find this error in the logs:
    EventId: 4653
    An IPsec main mode negotiation failed.

    Local Endpoint:
    Local Principal Name: -
    Network Address: x.x.x.x
    Keying Module Port: 500

    Remote Endpoint:
    Principal Name: -
    Network Address: x.x.x.x
    Keying Module Port: 500

    Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Unknown authentication
    Role: Responder
    Impersonation State: Not enabled
    Main Mode Filter ID: 81468

    Failure Information:
    Failure Point: Local computer
    Failure Reason: Policy match error

    State: No state
    Initiator Cookie: 125c19e98ad1d2fc
    Responder Cookie: 12c37763603c8b13

    So maybe any one can help me ? Whot I do wrong ?

    Thanks a lot.

    DB:2.67:Tmg: Ipsec + Ipad 19

    Hello Nick - thanks a lot for responding,
    I found this: http://help.apple.com/iosdeployment-vpn/?lang=en-us#app36c9653d
    and Apple says:
    Authentication methods

  • RELEVANCY SCORE 2.67

    DB:2.67:How Do I Generate Ipsec Computer Certificates Using A 3rd Party Ca sp


    Hi,
    I'm interested in establishing an IPSEC connection between a Windows 2008 Server and a Unix/Linux Server, while using computer certificates for authentication/encryption. Can anyone provide definitive guidance as to what needs to be in the Certificate Signing Request if I intend to have the certificate signed by a third party (either a tool like OpenSSL or an established 3rd party CA)? Let's just assume that the Windows admins don't want to take on the Certificate Authority role right now, so the AD CA is not an option.
    I am aware that in either case I will need to add either my custom root CA cert or the 3rd party's intermediate cert to the certificate store of each machine; however, what is not clear is what goes in the CSR. Extensive googling has led me to a few hints.
    Here is what I have found so far:
    1) The process for manually generating the CSR for a 3rd party CA with full control of the contents
    2) A suggested list of fields required in the CSR for IPSEC
    3) Confirmation that the FQDN of the computer must be present in either the Common Name or Subject Alternative Name field of the certificate
    However, given that this information was found in bits and pieces around the internet, I would still like to confirm that the above statements are correct and hopefully get answers to the following:
    a) When using the Subject Alternative Name, can the Common Name be blank or must it contain a value?
    b) Can the Common Name be a wildcard value? e.g. *.microsoft.com
    c) Must the IP address be specified in the SAN field as well?
    d) Has anybody actually used a 3rd party CA (Verisign, Thawte, etc.) to sign a cert for IPSEC? What about another non-MS CA provider or tool?

    DB:2.67:How Do I Generate Ipsec Computer Certificates Using A 3rd Party Ca sp

    By default IPsec tries to verify certificate revocation status, but if that fails (when the revocation status could not be determined) the connection is still allowed. In Windows Server 2008/2008 R2 you still need to configure the registry to enforce strict revocation checking.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
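
    What the CSR needs, worked through as an added example that is not from this thread: the certreq INF below has the local CSP generate a non-exportable machine key, puts the host's FQDN in the CN and in a Subject Alternative Name (with the IP address as a second SAN entry, for peers that identify the host by address), and requests the Server Authentication and Client Authentication EKUs. The host name, IP and paths are assumptions. The StrongCrlCheck value at the end is the setting I understand Vadims to be pointing at; the key location and value meanings are from my recollection of Microsoft's IPsec CRL guidance, so confirm them against current documentation for your OS version before relying on them.

```powershell
# Added example, not from the original thread. Run elevated on the Windows
# Server 2008 host that will be the IPsec peer.
$fqdn = 'srv01.example.com'   # assumption: this host's FQDN (goes in CN and SAN)
$ip   = '192.0.2.10'          # assumption: include only if peers use an IP-address identity

# Request settings: KeyUsage 0xA0 = digitalSignature + keyEncipherment;
# MachineKeySet puts the key in the computer store, where IKE looks for it.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "ipaddress=$ip&"
"@

$reqDir = "$env:SystemDrive\ipsec-req"    # assumption: working directory
New-Item -ItemType Directory -Path $reqDir -Force | Out-Null
Set-Content -Path "$reqDir\ipsec.inf" -Value $inf -Encoding ASCII
certreq -new "$reqDir\ipsec.inf" "$reqDir\ipsec.csr"

# Hand ipsec.csr to the external CA. If that CA is OpenSSL, its CA section
# must contain "copy_extensions = copy"; otherwise the SAN and EKU requested
# above are silently dropped and the issued cert will not carry the FQDN.
# When the signed certificate comes back, bind it to the pending request/key:
#   certreq -accept "$reqDir\ipsec.cer"

# Strict revocation checking for IKE (assumed key location, see lead-in):
#   0 = no CRL check, 1 = default (fail only on a definite "revoked"),
#   2 = strict (any CRL retrieval/validation failure fails the negotiation).
$oakley = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
if (-not (Test-Path $oakley)) { New-Item -Path $oakley -Force | Out-Null }
Set-ItemProperty -Path $oakley -Name StrongCrlCheck -Value 2 -Type DWord
# Reboot (or restart the IKE and AuthIP IPsec Keying Modules service, IKEEXT)
# for the new value to take effect.
```

    With this request the FQDN is present in both CN and SAN, so the questioner's point (a) about a blank CN does not arise, and (c) is answered by adding the ipaddress entry only when the peer's policy identifies this host by address. Strict CRL checking is only useful if every peer can actually reach the CRL distribution point named in the certificates; with value 2, an unreachable CDP stops IKE entirely.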

  • RELEVANCY SCORE 2.67

    DB:2.67:Need Help Starting Iscsi San Cert ax


    I've never done a storage certification for Windows and can't seem to find out where and how to even begin. Looking to certify our iSCSI SAN for Windows Server 2008 R2 x64.
    Can someone please let me know where to get the cert guide and how to engage support for an iSCSI SAN cert question.

    DB:2.67:Need Help Starting Iscsi San Cert ax

    UPDATE:
    I found that on this page...

    http://msdn.microsoft.com/en-us/library/windows/hardware/jj124377.aspx
    ...it describes having some iscsi volume already created, mounted up, partitioned and formatted BEFORE installing the HCK. So I went to the HCK on the controller server and changed my test clients to Not ready status, as seen in this screenshot...

    ...Then I presented some iSCSI volumes to the clients, partitioned them, mounted them and formatted them. THEN I changed the clients in the HCK on the controller BACK to the Ready status. Once I did this 2 lines (one for each volume I presume) with my
    iSCSI device showed up in the device manager list. I checked them and then clicked on the Tests tab which then showed a list of storage specific tests!

  • RELEVANCY SCORE 2.67

    DB:2.67:Perimeter Network To Rodc - No Logon Servers Available Using Ipsec Tunnel dm


    Hi to all
    I have problem with RODC and Perimeter Network.
    Here is my situation
    I've got network 192.168.1.0/24 which has two (2) writable Domain Controllers based on Windows 2008 R2.

    I created a second routable network 172.16.0.0/24 which has one Read-Only Domain Controller.
    Between the networks there is a firewall configured only for DNS TCP/UDP traffic and UDP 500 (IKE). I created an IPSEC tunnel between the WRDC and the RODC using Windows Firewall with Advanced Security.

    All of the domains and servers in both networks are working fine (replication, SMB, network time, DNS etc.)
    After that I wanted to create another perimeter network with only one server that will be connected to my corporate domain. So again with Windows Firewall and UDP IPSEC tunneling I created a connection from my third network to my RODC. The third network is routable and its address space is 10.10.10.0/24.
    Again: I can ping the RODC from the third network, and using Offline Domain Join I added a Windows 2008 R2 server to the corporate domain (the pre-created account is replicated to the RODC).
    When I reboot the server I can't log in with my domain credentials. The IPSEC tunnel to the RODC is working fine from 10.10.10.0 to the RODC and from the RODC to the WRDC.
    I've created AD site links and subnets to point to the RODC but again nothing is working. If I join servers to the RODC network they work fine and authenticate correctly. The only problem is that I can't authenticate to the RODC from the 3rd network.
    Any ideas?
    BTW: the IPSEC tunnel is configured for now with pre-shared keys. No one should connect directly to the WRDC. Every server should be in a separate network with limited open firewall ports.
    I can provide a diagram for a better understanding of my situation.

    DB:2.67:Perimeter Network To Rodc - No Logon Servers Available Using Ipsec Tunnel dm

    Wow, that was easy :)
    I had to add a registry key to point to the AD site and now everything is perfect.

    That was the guide for RODC and Perimeter Networks

    http://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx
    The registry key

    Navigate to: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

    In the right pane, create a new String Value titled SiteName
    and for the Value Name type the name of the site in which the client computer resides.

  • RELEVANCY SCORE 2.67

    DB:2.67:Local Ipsec Policy Windows 2008 99


    Hi,
    I am trying to establish IPSEC communication between a Windows 2008 Domain Controller and a Windows 2008 workgroup server. I have configured the IPSEC policy in the Domain Controller Policy and allowed all traffic through that IPSEC policy. I have configured it under Computer Configuration - Security Settings - IPSEC Policies. The Windows Firewall is disabled. When I reboot the server I can see the policy getting applied by running RSOP.MSC.
    I am doing the same thing on the Windows 2008 standalone server, but in local policy. After rebooting I am not able to see anything under IPSEC policy by running RSOP.MSC. Windows Firewall is disabled here also.
    The communication between the servers is not happening. There is no error/warning in the Event Viewer related to this.
    I tried to delete and recreate the policy several times but to no avail.
    Please suggest.

    DB:2.67:Local Ipsec Policy Windows 2008 99

    If you want to use the old IPSec policy engine in Win2008 and above you need to use the IP Security Monitor MMC snap-in to see what policy is applied and to monitor the IPSec SAs and statistics.
    Make sure the IPSec Policy Agent service is running on your server to be able to utilize the policy.
    /Hasain
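
    Hasain's checks, scripted as an added example that is not from the original thread, for a Windows Server 2008 host using the legacy policy engine: it confirms the Policy Agent (and the services IKE depends on) are running, dumps the legacy policy the agent actually holds, lists negotiated SAs, and turns on the IPsec audit subcategories so that a failed negotiation leaves an event with a reason instead of the silence the poster describes. Nothing here is specific to the poster's environment.

```powershell
# Added example, not from the original thread. Run elevated on the workgroup server.

# 1. Legacy IPsec policies are applied by the IPsec Policy Agent; IKE itself
#    runs in IKEEXT, and both depend on the Base Filtering Engine.
Get-Service PolicyAgent, IKEEXT, BFE | Select-Object Name, Status

# 2. Policies as stored locally (legacy engine) and what the agent has applied.
#    An assigned policy missing from the "dynamic" view is the symptom in the post.
netsh ipsec static show all
netsh ipsec dynamic show all

# 3. Negotiated main-mode / quick-mode SAs. Empty output means IKE never completed.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

# 4. Make IKE failures visible: enable the IPsec audit subcategories, then read
#    the events (4652/4653 main mode failed, 4654 quick mode failed).
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

    Step 4 is the one to keep after the problem is solved: with the subcategories enabled, the "Failure Reason" field of event 4653 (as in the TMG post further up this page) says whether the mismatch is in the policy, the authentication method or the certificate chain, which netsh cannot tell you.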

  • RELEVANCY SCORE 2.67

    DB:2.67:Question About Idfw Authentication Through Ad Server. p8



    Hi All,

    My company has an ASA 5515-X firewall, which has two types of VPN connector installed, SSL AnyConnect and the IPsec VPN client (yellow lock icon).

    We are using VPN through Windows Server 2008 R2 as an LDAP authentication server and we are using user identity instead of IP-based ACLs.

    However, if I select the IPsec VPN client to connect to the firewall then everything is fine; the firewall shows the correct user information (including the mapping of IP and domain name/user account, etc.).

    Unfortunately, if I select SSL AnyConnect then that user information is incorrect (the user information shows LOCAL/user-account, which causes my user-based ACLs to fail), but it still works even though it is blocked by ACLs.

    Attached is part of the config, please check it. Thanks!

    DB:2.67:Question About Idfw Authentication Through Ad Server. p8


    Hi All,

    My company has an ASA 5515-X firewall,which has installed two types of VPN connector ,SSL Anyconnect and IPsec VPN client(yellow lock icon),

    we are using VPN through Windows Server 2008 R2 as a LDAP authentication server and we are using user-identity insteal of IP-based ACLs.

    However,If i selected IPsec VPN client connect to firewall then everything is fine,firewall can shows up the correct user-informations (includes mapping IP and Domain name/user account ... etc).

    Unfortunate,If i selected SSL Anyconnect then that user-informations will be incorrect (The user-informations will shows LOCAL/user-account,that

    caused my user-based ACLs are failure) but which still can works even though it is blocked by ACLs.

          

    My atteched is part of config,please check it. Thanks!

  • RELEVANCY SCORE 2.66

    DB:2.66:Directaccess Server 2012 - Ipsec Not Working 1x


    I had DA working on 2008 R2 / Win7. I turned off that server and disabled the GPOs that were created. I installed Server 2012 with 1 NIC (same server name as the 2008 server). I joined it to the domain and obtained a computer cert for it from my internal enterprise CA. I have moved the public IPs behind a 1-to-1 NAT. On the Operations Status page it indicates that IPsec is critical: "There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess Configuration." For a resolution I'm supposed to make sure:
    1. Cert not expired (expires in 2016)
    2. Should have a private key (might be this one)
    3. Should be configured to be used for Client Authentication (perhaps)
    4. Should chain to the root/intermediate cert. (it is the root!)

    The cert that is selected is my Enterprise Root CA (we don't have an intermediate CA).

    Powershell Get-DAServer shows this
    PS C:\Users\administrator.mydomain Get-DAServer

    DAInstallType : FullInstall
    InternetInterface : Ethernet
    InternalInterface : Ethernet
    ConnectToAddress : Home.mypublicdomain.com
    SslCertificate : [Subject]
                     CN=*.mypublicdomain.com, OU=Secure Link SSL Wildcard, OU=IT, O=My Business Name, STREET=35My Rd, STREET=Suite , L=Columbus, S=OH, PostalCode=12345, C=US
                     [Issuer]
                     CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C., C=US
                     [Serial Number]
                     46XXXXXXXXXXXXXXXXXXXX99C54XXXXX
                     [Not Before]
                     4/8/2012 8:00:00 PM
                     [Not After]
                     3/27/2014 7:59:59 PM
                     [Thumbprint]
                     F9XXXXXXXXXXXXXXXXXXXX773674A45XXXXXXXXD
    GpoName : mydomain.local\DirectAccess Server Settings
    InternalIPv6Prefix : {xxxx:yyyy:6821:1::/64}
    ClientIPv6Prefix : xxxx:yyyy:6821:1000::/64
    UserAuthentication : UserPasswd
    ComputerCertAuthentication : Enabled
    IPsecRootCertificate : [Subject]
    CN=CompCA, DC=mydomain, DC=local
    [Issuer]
    CN=CompCA, DC=mydomain, DC=local
    [Serial Number]
    6949XXXXXXXXXXXXXXXXXXXXXXXX3FF5
    [Not Before]
    8/12/2009 3:11:36 PM
    [Not After]
    8/12/2016 3:21:34 PM
    [Thumbprint]
    B9XXXXXXXXXXXXXXXXXXXX95642B978XXXXXXXXX
    IntermediateRootCertificate : False
    TeredoState : Disabled
    IsSingleNic : True
    IsNatDeployed : True
    HealthCheck : Disabled

    How can I fix this? Do I have the wrong certificate selected for the IPsec cert? If so, how do I change it? I can purchase a new public cert or obtain a new cert from my internal CA. I'd rather not set up an intermediate CA if I don't
    have to.

    DB:2.66:Directaccess Server 2012 - Ipsec Not Working 1x

    That was my understanding, but let me check... the IPsec/AuthIP code may specifically look for specific EKUs or something...
    Jason Jones | Security Consultant | Microsoft Consultant Services (MCS)
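
    Error 786 in the L2TP thread further up this page ("no valid machine certificate on your computer") and the DirectAccess status here ("no valid certificate ... which chains to the root") come down to the same question: is there a certificate in the machine Personal store that has a private key, is inside its validity period, carries a usable EKU (or none, which Windows treats as any purpose), and chains to the CA the IPsec policy trusts? The script below is an added example, not from either thread, that answers that per certificate and says which test failed. $expectedRootThumbprint is an assumption to be replaced with the thumbprint of the configured IPsec root (for DirectAccess, the IPsecRootCertificate thumbprint in the Get-DAServer output above).

```powershell
# Added example, not from the original threads. Run elevated on the VPN client
# or the DirectAccess server; it only reads the store.
$expectedRootThumbprint = ''   # assumption: thumbprint of the CA the IPsec policy trusts ('' = don't check)
$acceptedEkus = @(
    '1.3.6.1.5.5.7.3.2',   # Client Authentication
    '1.3.6.1.5.5.7.3.1',   # Server Authentication
    '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate
)

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @()
    $now = Get-Date
    if (-not $cert.HasPrivateKey)  { $problems += 'no private key (imported from a .cer, or key held elsewhere)' }
    if ($cert.NotAfter  -lt $now)  { $problems += 'expired' }
    if ($cert.NotBefore -gt $now)  { $problems += 'not yet valid' }

    # An absent EKU extension means "any purpose"; a present one must list an accepted use
    $ekus = Get-EkuOids $cert
    if ($ekus.Count -gt 0) {
        $ok = $false
        foreach ($oid in $acceptedEkus) { if ($ekus -contains $oid) { $ok = $true } }
        if (-not $ok) { $problems += 'EKU present but no Client/Server Authentication or IKE intermediate' }
    }

    # Build the chain the way IKE will: against the machine trust stores, with revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -eq $cert.Thumbprint) {
        $problems += 'this is a CA certificate, not an end-entity certificate issued by the CA'
    }
    if ($expectedRootThumbprint -and $root.Thumbprint -ne $expectedRootThumbprint) {
        $problems += "chains to $($root.Subject), not to the configured root"
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}
```

    For the DirectAccess case above the "this is a CA certificate" line is the one to look for: the poster says the selected certificate is the Enterprise Root CA itself, whereas IPsec needs a certificate issued by that CA to the server, with its private key present. For the XP/Error 786 case, a certificate obtained through web enrollment in the user's browser usually fails the first test, because the key was generated in the user's store rather than the computer's.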

  • RELEVANCY SCORE 2.66

    DB:2.66:Can A Cisco 881 Router Create An L2tp/Ipsec Tunnel Via Nat To Windows 2008? xp



    Hi

    Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008 / R2 RRAS server? I am using an 881 router and the layout is something like this:

    Client - 881 - NAT - internet - Windows 2008 RRAS

    The tunnel goes from the 881 to the Windows server (not from the client...).

    Thanks

    Roland

    DB:2.66:Can A Cisco 881 Router Create An L2tp/Ipsec Tunnel Via Nat To Windows 2008? xp


    The Cisco sends the L2TP Start-Control-Connection-Request (SCCR) 3 times and after that stops.

    It happens in a loop.

    No event logs in Windows RRAS.

    On the Windows server with Netmon I can see that the packets from the Cisco arrive.

    I can connect to Windows RRAS with a Windows client (as a test) without issues.

  • RELEVANCY SCORE 2.66

    DB:2.66:Requesting/Issuing User Certificates For Ipsec Vpn jp



    Hello all,

    So I have an ASA set up with connection to a LDAP, a signed SSL certificate for the device cert and am using IPSEC IKEv2 VPN connections that are authenticated by X.509 certificates as well as LDAP username and password.

    I have a Windows server 2012 Root CA server (offline state) and a Windows server 2012 Subordinate CA server. Both are 10-year Certification Authorities.

    To generate the VPN certs I go to the Sub CA, go to certificates (local computer) Personal Right-click white space All Tasks Advanced Operations Custom Request. 

    I configure my cert accordingly and enable private key export.

    I submit new request to the Cert. Authority service on the Sub CA (same machine as before). I issue the certificate then export the certificate with the private key. I send this to my user, then they install this certificate in their Personal certificate store and have access to the VPN using this cert plus the username and password they were assigned (no there is no possibility for them to request from their own PC)

    Question 1: Is there an easier way to do this? Command line? Script? pre-configured .ini file with certificate settings?

    Question 2: These certificates are only 1-year. How can I generate certificates that are longer than that? I'm hoping for 3 years.

    Thanks!

    _J

    DB:2.66:Requesting/Issuing User Certificates For Ipsec Vpn jp


    You're welcome.

    Please take a moment and rate my reply and/or mark the question as answered if you feel it has been.

    Good luck with the enterprise CA.

  • RELEVANCY SCORE 2.66

    DB:2.66:Replacing Expiring Ssl Cert jj


    Current Environment:
    Single Exchange 2007 server on Windows Server 2003 R2 SP2
    2008 R2 Active Directory
    Split DNS (internal name and external name); otherwise our public DNS is actually network solutions

    Question:
    I currently have a single name SSL cert in place on the Exchange server. We have a need for a wildcard cert now and I am wondering what 'Gotchas' I may have to look out for. Our current cert expires in a few weeks and I (like everyone else) would really like as little pain and downtime as possible.
    Is it really as simple as outlined here?
    We already have the cert and it is from 'Go Daddy'.

    DB:2.66:Replacing Expiring Ssl Cert jj

    Sorry for the late reply.
    If the SSL were simply just for Exchange I wouldn't have much of an issue. My issue is that we currently have an SSL in place for mail.company.com - and that is all that is in the cert (expiring mid-June)
    They've already purchased a wildcard cert that we need to use on multiple systems; however, I seem to be understanding that it is not going to be easy to replace the current SSL with this new wildcard cert.

  • RELEVANCY SCORE 2.65

    DB:2.65:Ipsec With A Third Party Ssl Cert (Godaddy/Digicert) 77


    I have the task of either setting up LDAPS or IPsec to allow a third party support team to connect to our Active Directory. We can use either LDAPS or IPsec. I would like to use a third party certificate for this. Any recommendations on either LDAPS or IPsec? Also, I have been scavenging the forums to find information on getting IPsec to work with a third party cert and cannot find anything. SSL VPN isn't an option either.

    The VPN would be running Server 2008 R2 with NAP.

    DB:2.65:Ipsec With A Third Party Ssl Cert (Godaddy/Digicert) 77

    Thanks for this info. Though I might go for the LDAPS route, how does this request look for a third party cert?

    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=dc1.place.com" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    [RequestAttributes]
    CertificateTemplate = DomainControllerAuthentication
    SAN="dns=dc1.place.com&dns=74.32.XX.XXX"
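    As an added example (not the poster's file and not part of certreq), a small Python linter for a certreq .inf of this shape: it parses the sections, checks the fields that matter when the request goes to a third-party CA rather than an enterprise CA (Signature, key length, KeyUsage bits, Server Authentication EKU, the CertificateTemplate attribute, exportable keys, and the SAN list), and flags an IP literal written as a dns= entry. The sample .inf is constructed, and 203.0.113.10 is a TEST-NET placeholder standing in for the masked address above.

```python
"""Checker for a certreq.exe-style .inf request file (added example)."""
import configparser
import ipaddress

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
KU_DIGITAL_SIGNATURE = 0x80  # KeyUsage bit 0
KU_KEY_ENCIPHERMENT = 0x20   # KeyUsage bit 2

# Constructed sample modelled on the request in the thread; 203.0.113.10
# is a TEST-NET placeholder for the poster's masked address.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=dc1.place.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[RequestAttributes]
CertificateTemplate = DomainControllerAuthentication
SAN="dns=dc1.place.com&dns=203.0.113.10"
"""


def parse_inf(text):
    """Parse .inf text into {section: {key: value}}, stripping quotes and ';' comments."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",),
                                   interpolation=None)
    cp.optionxform = str  # keep key case (OID, SAN, ...)
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp[s].items()}
            for s in cp.sections()}


def parse_san(value):
    """Split certreq's 'type=value&type=value' SAN syntax into (type, value) pairs."""
    entries = []
    for part in value.split("&"):
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed SAN entry: {part!r}")
        entries.append((typ.strip().lower(), val.strip()))
    return entries


def lint_certreq_inf(text, third_party_ca=True):
    """Return a list of findings; an empty list means the request looks sane."""
    inf = parse_inf(text)
    findings = []
    if inf.get("Version", {}).get("Signature") != "$Windows NT$":
        findings.append('[Version] Signature must be "$Windows NT$"')
    req = inf.get("NewRequest", {})
    cn = None
    for rdn in req.get("Subject", "").split(","):
        name, _, val = rdn.partition("=")
        if name.strip().upper() == "CN":
            cn = val.strip().lower()
    if cn is None:
        findings.append("Subject has no CN")
    key_len = int(req.get("KeyLength", "0"))
    if key_len < 2048:
        findings.append(f"KeyLength {key_len} is below 2048")
    ku = int(req.get("KeyUsage", "0"), 16)  # accepts the 0xa0 form
    if not (ku & KU_DIGITAL_SIGNATURE and ku & KU_KEY_ENCIPHERMENT):
        findings.append("KeyUsage lacks digitalSignature and/or keyEncipherment")
    if req.get("Exportable", "FALSE").upper() == "TRUE":
        findings.append("Exportable = TRUE lets the DC's private key be "
                        "exported; use FALSE unless you must move the cert")
    ekus = [v for k, v in inf.get("EnhancedKeyUsageExtension", {}).items()
            if k.upper() == "OID"]
    if SERVER_AUTH_OID not in ekus:
        findings.append("EKU does not include Server Authentication")
    attrs = inf.get("RequestAttributes", {})
    if third_party_ca and "CertificateTemplate" in attrs:
        findings.append("CertificateTemplate is only understood by a "
                        "Microsoft enterprise CA; a third-party CA ignores it")
    san = parse_san(attrs["SAN"]) if "SAN" in attrs else []
    dns_names = {v.lower() for t, v in san if t == "dns"}
    if cn and cn not in dns_names:
        findings.append(f"Subject CN {cn} is missing from the SAN dns entries")
    for typ, val in san:
        try:
            ip = ipaddress.ip_address(val)
        except ValueError:
            continue  # a hostname, nothing more to check
        if typ == "dns":
            findings.append(f"{val} is an IP literal in a dns= entry; "
                            f"write ipaddress={val}")
        if not ip.is_global:
            findings.append(f"{val} is a private/reserved address; "
                            "public CAs will not issue for it")
    return findings
```

    Running lint_certreq_inf(SAMPLE_INF) reports the exportable key, the template attribute a third-party CA will ignore, and the IP literal in the SAN.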

  • RELEVANCY SCORE 2.65

    DB:2.65:How To Establish An Ecc P-256bit Based Root Ca To Issue Ipsec Certificates 13


    Hi Users,
    I am new to Microsoft CA services. Let me first explain the scenario.
    We have to establish a one-level ECC P-256 bit based Root CA. This CA can be enterprise or stand alone because we shall just use this CA to directly issue ECC based certificates for IPSec devices via the Microsoft CA web interface. We shall not be using the OCSP responder.
    I have done some basic work by establishing a stand alone ECC P-256 bit ROOT CA on Windows Server 2008 R2 Standard edition. The problem is that when I go to request an IPsec certificate, the ECC P-256 CSP is not shown in the list. How can I enable the ECC CSP to get requests for ECC certificates?
    Please guide me in this respect.
    Regards

    DB:2.65:How To Establish An Ecc P-256bit Based Root Ca To Issue Ipsec Certificates 13

    Q: ... which you told that they can not be requested by web interface
    A: Forget this part. Certificate templates are used only with Enterprise CAs. Standalone CAs never use certificate templates. Also, template version and certificate version are different things. Microsoft CA (starting with Windows 2000 Server) always issues only version 3 certificates (since this is an internet standard). Certificate template version is Microsoft's proprietary identification number to distinguish certificate templates by issuer level.
    Q: It means for ECC requests, I have to follow the manual request method as described above?
    A: Yes.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

  • RELEVANCY SCORE 2.65

    DB:2.65:Rras + Ipsec Tunnel jf


    I have a Windows Server 2008 R2 server running RRAS. I'm attempting to establish a site-to-site VPN with a Cisco router via an IPSec tunnel.
    I followed the instructions in this KB article: http://support.microsoft.com/kb/816514
    I couldn't follow them exactly, as I'm using 2008 R2, but most of the dialogs were the same.
    When I go to test my setup via a ping, I just get "request timed out". When I use Network Monitor to examine the traffic, I see that the ICMP requests are *not* being encrypted via IPSec, nor is there any IPSec negotiation. In addition, the IP Security Monitor MMC shows my policy/filters, but does not show any statistics. So it seems like the IPSec filters are not being applied to my traffic, so no tunnel is being established. How can I further debug this issue?

    DB:2.65:Rras + Ipsec Tunnel jf

    I figured it out. There were three problems.
    The first issue was that no traffic that originated from my RRAS machine was having the IPSec policies applied to it. No idea why. Traffic from another machine on my internal network that used the RRAS as its gateway has the IPSec applied fine.
    The second issue was that the SA Lifetime was being sent as 0 (infinite) despite the fact that it looked like it was set to the default of 8 hours. I had to change this value by editing the Filter Action, editing the security method and setting it to Custom, and then checking the "Generate a new key every" option and setting that to 28800 seconds.
    The third issue was caused by the fix to the first issue. I had both "Data and address integrity without exception" and "Data integrity and encryption" checked. This was causing problems. Unchecking the first option allowed the tunnel to be established.
    Of course, things still don't work due to the fact that the machines on my network sending traffic over the tunnel are behind a NAT and are having their source IP changed by the NAT, but that's a separate question.

  • RELEVANCY SCORE 2.65

    DB:2.65:Outlook 2007 Always Asks To Verify Certificate zx


    Using Outlook 2007 on Win 7 Pro 64bit
    Using Exchange 2007 w/ Server 2008

    Every time any client opens Outlook with an Exchange account configured, it asks them to verify the certificate twice.

    Our internal domain name is zeropoint.net. Our website domain name used on our certificate for OWA is mails.zeropointusa.com. We have only two certs installed, the OWA one and a self-signed one that uses our internal domain name. The OWA cert is enabled for IIS, IMAP, POP, and SMTP. The self-signed cert is enabled for SMTP.

    When the user starts Outlook, the name at the top of the cert window is the internal domain name, but when I click the button to view the cert info, it shows the cert for OWA.

    DB:2.65:Outlook 2007 Always Asks To Verify Certificate zx

    Hi,

    Are the outlook clients working in your domain or outside?

    This problem can be caused by an incorrect Internal URL. Please try to modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory service. To modify this URL, type the following command, and then press ENTER:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mails.zeropointusa.com/autodiscover/autodiscover.xml

    3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mails.zeropointusa.com/ews/exchange.asmx

    4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mails.zeropointusa.com/oab

    5. Run IISreset to restart IIS services.

  • RELEVANCY SCORE 2.65

    DB:2.65:Ipsec Between Windows 2008 R2 And Xp jm


    I successfully set up IPsec on a Windows 2008 R2 server. I copied the IPsec policy file to a Windows 7 client, and after configuring the firewall advanced security on both sides, I get IPsec to work beautifully.

    Now, how do I configure an XP client? Does anyone know? I can import the IPsec policy file to the Windows XP client just fine, but there is no firewall advanced security feature on XP. Just importing the IPsec policy file isn't good enough to make it work.
    It doesn't even show up in main mode.

  • RELEVANCY SCORE 2.64

    DB:2.64:Ipsec And Apache Tomcat ja


    Hi All,
    I have set up a Windows Server 2008 as a VPN server. I can establish a pre-shared key IPSec VPN connection from my client. I also have an Apache Tomcat web server running on the Server 2008 machine.
    In normal cases if the client is in the same network it can talk to the webserver through port 8080.
    How do I configure the Apache Tomcat to only accept connections from client only if it is connected through IPSec? Is this possible?
    Thanks In Advance,
    Perumal

    DB:2.64:Ipsec And Apache Tomcat ja

    Yes, but how does your connection security rule look exactly?
    What have you done exactly on the server and the client? What is failing? The IKE negotiation? How are clients authenticating the IPSec in transport mode? You have to be more specific for us to be able to help you.
    To be honest, I don't think it is a good idea to run an internal web server on a VPN server, but that is my personal opinion.// Fredrik DXter Jonsson - http://www.poweradmin.se

  • RELEVANCY SCORE 2.64

    DB:2.64:Rms Certificate Error sj


    I am facing a problem with the AD RMS certificate. I am using an internal PKI (Windows 2008 R2). When configuring the web cert for AD RMS the URL must be rms.mydomain.com, but my server name is RMS-Server, so when I install this cert it tells me that this certificate has been issued to a different web site. I have already created a CNAME record in my DNS.
    How can I make this cert work?

    DB:2.64:Rms Certificate Error sj

    Well, the steps sound correct; it seems more like an issue with the SSL cert rather than AD RMS.

    Can you check the certificate via the MMC and verify the Subject field entry?
    Secondly, verify it has been issued via the Web Server template. What have you chosen for the AD RMS default website? If it's the default website, access the default website via the IIS Manager and check if the cert has already been loaded there.
    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter:
    @cyquent

  • RELEVANCY SCORE 2.64

    DB:2.64:L2tp Connection Failed 93


    Hey guys.
    I want to create an IPsec/L2TP VPN connection on Windows Server 2008.
    So I installed Active Directory, DNS, Certificate Authority and Routing and Remote Access Service.
    Now I want to connect to the Windows server with an IPsec/L2TP VPN connection. So I created a VPN connection and at first I used a pre-shared key for IPsec/L2TP VPN. Everything went just fine.

    But when I tried to use the certificate to establish the connection, this error happened:

    I requested user authentication, server authentication and IPSEC certificates via web enrolment and added them to Certificates - Current User and Certificates (Local Computer),
    and added the CA certificate, certificate chain, or CRL to Trusted Root Certification Authorities and Intermediate Certification Authorities.

    I'm really confused and don't know where I went wrong!
    My server configuration is based on:
    SSTP Remote Access Step-by-Step Guide: Deployment
    and please look at this picture which I took from my client and server:
    more Info
    If you need more information let me know.
    Thanks.

    DB:2.64:L2tp Connection Failed 93

    Why does no one answer me?
    Did I post in the wrong forum?

  • RELEVANCY SCORE 2.64

    DB:2.64:Windows 7 L2TP/IPsec with PSK to Windows 2008 RRAS Not Possible / Weak Encryption 39


    I previously had Windows Vista and Windows 7 clients that establish a VPN connection to Windows 2003 RRAS. Since the switch to Windows 2008 this is no longer possible. Under Windows 2008, DES and MD5 are disabled, hence no connection. You can re-enable all of that, and it then runs without problems. My question: how do I get Windows 7 to do L2TP/IPsec with strong encryption, i.e. the Windows 2008 default? The RRAS server is protected by a firewall (TMG 2010).

    DB:2.64:Windows 7 L2TP/IPsec with PSK to Windows 2008 RRAS Not Possible / Weak Encryption 39

    So, the error has been found. It is neither Windows 7 nor the encryption settings. It is simply Windows 2008 R2; it seems to be a bug or a feature! Windows 2008 R2 cannot cope with diacritic marks; with Windows 2003/ISA 2006 this was no issue. I have not yet tested with Windows 2008.

  • RELEVANCY SCORE 2.64

    DB:2.64:Hyper-V @ Ipsec 11


    When configuring IPsec, the filter blocks traffic (source: My IP address, destination: Any IP address, protocol: TCP), and once the filter is applied it is impossible to connect to the virtual machine through the manager on the host. What could be the cause, and how do I solve this problem? (Host OS: Windows Server 2008 R2; Guest OS: Windows Server 2008 R2)

    DB:2.64:Hyper-V @ Ipsec 11


    This thread has been moved to the discussions category due to inactivity.
    The opinions expressed here reflect my personal views and not the position of Microsoft Corporation. All information is provided as is, without any warranties.
    Follow us on Twitter

    Visit the Engineers' Blog
    Talks at Techdays:
    http://www.techdays.ru/speaker/Vinokurov_YUrij.html

  • RELEVANCY SCORE 2.64

    DB:2.64:Dual Booting A Workstation And Adding Server 2008 For Cert Training (At Home) c1




    DB:2.64:Dual Booting A Workstation And Adding Server 2008 For Cert Training (At Home) c1

    You could use Oracle's VirtualBox
    to run the server as a virtual machine on your Windows 7 system.
    I have a Dell Optiplex 760 3GHz, 4GB RAM, 400GB HDD with Win 7 64 bit.
    Running Server 2008 Enterprise (TechNet subscription) on the virtual machine.
    Free download, and so far it's excellent.
    Art
    Not everything that is faced can be changed. But nothing can be changed until it is faced.

  • RELEVANCY SCORE 2.64

    DB:2.64:Windows 2003 Ipsec Delay Following Machine Reboot df


    I am experiencing about a 5 minute delay following the reboot of my Windows 2003 IPSec boundary servers until they can successfully communicate with other IPSec boundary machines.

    Example:
       1. Reboot Windows 2003 IPSec boundary machine. The machine is configured in accordance with Microsoft's IPSec Domain and Server Isolation guide as a boundary machine.
       2. Wait until server boots to the logon screen and begin a continuous ping to the server from another boundary machine. Start timer.
       3. It takes about 5 minutes until the server will successfully answer a ping. During this time you can log onto the server and communicate with the DC (IPSec Exclusion Policy for DCs).
       4. 5 minutes pass and ping begins to succeed.

       Does anyone know why there is a 5 minute delay following a server reboot for Windows 2003 boundary machines to communicate? Is there a known method to lessen the delay? If I remove the IPSec policy from the machine the 5 minute delay following a reboot does not occur.

         Thank You,
               Greg

    P.S. Sorry about posting in the Windows 2008 forum, but I could not find a Windows 2003 forum.
    PPS. Does the delay occur with Windows 2008 server?

    DB:2.64:Windows 2003 Ipsec Delay Following Machine Reboot df

    This forum is for Windows Server 2008. Please repost your question in the Windows 2003 newsgroup. You'll find all newsgroups here: http://www.microsoft.com/technet/community/newsgroups/default.mspx
     

  • RELEVANCY SCORE 2.64

    DB:2.64:Need To Change Used Certificate, But Dont Know Where cs


    Hey there,

    I have a nice Mail Exchange Server 2010 and also set up a custom CA for certificates. My problem is that the server uses the wrong certificate to authenticate. With this wrong cert the host name is resolved wrongly. The problems are as follows:
    -Outlook clients get a nasty pop-up warning that the host of the certificate can't be resolved
    -Outlook Anywhere is impossible to use, because you NEED a cert that resolves the host correctly

    Now I already made a new cert and assigned all services possible in the EMC under Server Configuration. However, the server still uses the wrong cert. My new cert has CN = servername.domainname.com; the wrong cert uses WMSvc-Servername.
    No wonder that the addresses can't be resolved. This looks like some default cert and it was made on the day I set up my Windows Server 2008 R2 for the first time. I can't delete this, because POP3 and other email client services will stop working.

    I simply want to use a different cert than WMSvc-Servername or edit it somehow. Can somebody help me please?

    DB:2.64:Need To Change Used Certificate, But Dont Know Where cs

    Hi Bauzi

    Sure, there may be some delay before the new cert is used; it is an odd thing, sometimes it works immediately, sometimes you need to reboot the server. Or you could just restart IIS.

    Regards!
    gavin

  • RELEVANCY SCORE 2.64

    DB:2.64:Ipsec Setup In Container 3z





    Hi,

    I have a problem setting up IPsec in my container, which is running Windows Server 2008. It is used to connect to the opposite site's firewall. I have successfully set up IPsec from the host machine to the opposite site's firewall, so I am sure the setup is correct, but it still fails when set up in the container. I have already turned on VPN with the command

    vzctl set CTID --vpn on --save

    but it still fails. Could you please advise?

    Thanks!


  • RELEVANCY SCORE 2.63

    DB:2.63:Ipsec Default Exemptions For Server 2008 R2 xk


    Hello Everyone,
    We are using IPsec in our domain environment; all servers are Windows Server 2003 and 2003 R2. Now we are upgrading to Server 2008 R2. With Windows Server 2003 and 2003 R2 we used to exempt some traffic from IPsec; now with Windows Server 2008 R2 we are having a problem exempting this traffic. With 2003 we were changing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC and setting the value NoDefaultExempt to 0. With Server 2008 R2 we could not figure out how to set this setting. Does anybody have any idea how to do that?
    Thank you, any input greatly appreciated.
    Orhan Taskin

    DB:2.63:Ipsec Default Exemptions For Server 2008 R2 xk

    Hello Orhan,
    From: support[dot]microsoft[dot]com/default.aspx?kbid=811832, titled "IPsec default exemptions":

    Note: In Windows Server 2008 and in Windows Vista, the registry key is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

  • RELEVANCY SCORE 2.63

    DB:2.63:Small Rd Setup Via Server 2012 Not Working With Certs From Our Internal Ca c9


    Hi,

    I'm having trouble with a small installation of Remote Desktop which is supposed to be accessed from outside our network. I'm using a Server 2012 system for all RD roles (TS, gateway, web access, and broker, although we shouldn't actually need the latter
    two). This is the only 2012 system in the network; we have two DCs, 2008 and 2008 R2, and we have cert root and issuing authorities also on 2008 R2. Our Internet-based clients trust our root cert and the PKI is working ok for other (non-RD) servers.

    Things work fine if the RD Connection Broker - Enable Single Sign On certificate is a self-signed cert generated by Server Manager on the 2012 box. However, if I assign a cert from our issuing CA to that role, it doesn't work. Interestingly, it
    works fine if the *other* certs (RD Gateway, RD Web Access, and RD Connection Broker - Publishing) are from our CA. (Now, when I say works fine I mean after ignoring a security warning on the client due to the Broker SSO cert not being trusted.)

    The procedure I'm using for the certs is as follows:

    1. Make a cert template based on the Web Server 2008 built-in template with some straightforward changes, and make the issuing CA use the template. Initially I had upped the crypto strength and made several extensions critical, but for troubleshooting
    I made a template without those changes and it still doesn't work.

    2. Request a new cert via the Certificates snap-in on the 2012 machine, on the local computer account. Initially I was using a friendly name for the Subject CN and then using a DNS Alternative Name extension to give the 2012 box's external domain name. To be more sure for testing, I used the external domain for the Subject CN and then also provided DNS Alternative Names for both the external and internal domains (which are subdomains of the same domain). For crypto provider, we use "RSA,Microsoft Software Key Storage Provider" and disable the others.

    Internet connections come in via some tricky DNAT but I don't think this is the problem as it works perfectly from outside with a self-signed cert for Broker SSO. Only our internal DNS knows about the internal domain.

    3. Manually issue the cert on the CA. (Our site is small and for security we require manual issuance for all certs.)

    4. Export the cert from the CA via PKCS #7, with the option to include all certs in the cert path, and then import this in the Certificates snap-in on the 2012 machine.

    5. On the 2012 box, export the private key via PKCS #12 and include all certificates in the certification path if possible. For troubleshooting I also tried "Export all extended properties" and it didn't fix the issue. I'm exporting with password protection.

    6. In Server Manager > Remote Desktop Services > Overview, on the Deployment Overview, I pick Tasks > Edit Deployment Properties and use the "Select existing certificate..." button for the desired role on the Certificates page.

    If the RD Connection Broker - Enable Single Sign On certificate is from our CA via the above procedure, then attempting to log on from the Internet gives an error on the client reading:

    Your computer can't connect to the remote computer because the Remote Desktop Gateway and the remote computer are unable to exchange policies. This could happen due to the following reasons:
    1. The remote computer is not capable of exchanging policies with the Remote Desktop Gateway.
    2. The remote computer's configuration does not permit a new connection.
    3. The connection between the Remote Desktop Gateway and the remote computer ended.
    Contact your network administrator for assistance.

    My test client is Windows 7 SP1, if memory serves with an update manually installed to upgrade to RDP8.

    The logs on the client show nothing unusual. In the System log on the Server 2012 box I get two errors:

    ID 36874
    An [sic] TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    followed by:

    ID 36888
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

    I found some advice that this error may be the result of the cert not being a CNG cert. The CA is 2008 R2, the domain has always been at least 2008 functional level (was originally 2008 and recently schema updated for 2008 R2), and only 2008 R2 CAs have
    ever been used on it. I have furthermore verified by dumping the cert store that under CERT_KEY_PROV_INFO_PROP_ID, ProviderType and KeySpec are both zero, which in my understanding means this is a CNG cert.

    To reiterate, the problem does *not* happen if I replace the RD Connection Broker - Enable Single Sign On certificate with a self-signed cert created by Server Manager.

    The test cert I'm trying to use for RD Connection Broker SSO has the following info:

    Version=V3
    Signature algorithm=sha512RSA
    Signature hash algorithm=sha512
    Issuer=our issuing authority
    Valid to=two weeks today (it's just for testing)
    Subject=external.domain.com
    Public key=RSA (2048 Bits)
    Template=Test - Delete Please(1.3.6.1.4.1.311.21.8.5198179.16696210.7229373.7348787.5553704.31.11896299.7938212)
    Major Version Number=100
    Minor Version Number=2
    Enhanced Key Usage=Server Authentication (1.3.6.1.5.5.7.3.1)
    Key Usage=Digital Signature, Non-Repudiation [turned this on as a test], Key Encipherment, Data Encipherment (f0)
    Application Policies=
    [1]Application Certificate Policy:
    Policy Identifier=Server Authentication
    Subject Alternative Name=
    DNS Name=external.domain.com
    DNS Name=thebox.internal.domain.com

    Forgive me if I'm missing something obvious - I'm not a full-time netadmin and I'm new to RD and PKI. I hope someone can shed some light on this troublesome mystery.

    Thank you,
    Kevin

    DB:2.63:Small Rd Setup Via Server 2012 Not Working With Certs From Our Internal Ca c9

    I finally got this working. From what I can tell it was the fact that the SSO cert's crypto was too strong, at least for Windows 7 clients. It was 4096 bits with SHA512. When I set up a very similar PKI with 2048 bits and SHA256, it worked.

  • RELEVANCY SCORE 2.62

    DB:2.62:08 Server Ca Questions az


    2008 server CA Questions
    Does a CA have to be a DC for auto enrollment to work if you are using 2008 CA services with NAP for wireless deployment, or can you use a member server?
    Do you have to update the 2003 schema to run 2008 CA services? Please, only direct answers; yes or no would be helpful.
    How can I use PKI and wireless authentication for Windows CE handhelds since they do not join the domain? Machine based cert only using web enrollment?
    Any help on this would be great. Thanks

    DB:2.62:08 Server Ca Questions az

    Hi Jerry,
    Q: Does a CA have to be a DC for auto enrollment to work if you are using 2008 CA services with NAP for wireless deployment, or can you use a member server?
    A: No. It can be a member server.
    Q: Do you have to update the 2003 schema to run 2008 CA services?
    A: No.
    Q: How can I use PKI and wireless authentication for Windows CE handhelds since they do not join the domain?
    A: I am not very familiar with Windows CE. Please refer to http://msdn.microsoft.com/en-us/library/ms926458.aspx.
    Q: Machine based cert only using web enrollment?
    A: Please rephrase the question. I am not sure I understand what you are asking.
    Please have a look at the NAP IPsec step by step guide. This uses a 2003 DC with CA on a member server and also employs autoenrollment for exemption certificates. I think this answers most of your questions above.
    Thanks,
    -Greg

  • RELEVANCY SCORE 2.62

    DB:2.62:Webdirect - Showing Blank Screen After Installing Ssl Cert 7j



    Hi,

    After installing an SSL cert and restarting the server, everything is becoming unstable.

    Environment: windows server 2008 R2

    FMS: Filemaker server ver 13.0.2.295

    I have encountered the same problem as mac89

    http://forums.filemaker.com/posts/efbb794457?commentId=290219#290219

    Any help would be much appreciated. Everything works fine before having the ssl cert installed.

    Thanks.

    Oliver


  • RELEVANCY SCORE 2.62

    DB:2.62:Rvs4000 Ipsec Vpn fj



    We have used two Cisco RVS4000 to create the IPSec VPN between the main office and the branch office. The main office has SBS 2008. There is a Windows Server 2008 as the domain controller in the branch office. One branch office user has a laptop which is not in the domain, but his exchange account is set up in the Outlook. When he connects the laptop to the branch office network, he cannot connect to the exchange server and get the emails. Is there any configuration to set up in the router, server or Outlook? Thanks.

    DB:2.62:Rvs4000 Ipsec Vpn fj


    Thanks again. I will have a try.

  • RELEVANCY SCORE 2.62

    DB:2.62:Ipsec Group Policy Not Being Fully Applied? zd


    Hello,
    I am trying to set up IPSec communication between a server on the DMZ and servers behind the internal firewall. I have gone through the "Using Microsoft Windows IPSec to Help Secure an Internal Corporate Network Server" guide: http://www.microsoft.com/downloads/details.aspx?familyid=A774012A-AC25-4A1D-8851-B7A09E3F1DC9&displaylang=en
    If I create a local IPSec policy on the DMZ server, everything works. When I move the server to an OU that has the IPSec policy coming from a group policy, it breaks. In the IP Security Monitor, I see the active policy is coming from the group policy, but under Generic Filters and Specific Filters it is empty. It is like the IPSec policy was not fully applied.
    Things I have tried without success:
    1. Setting HKLM\System\CurrentControlSet\services\IPSec\NoDefaultExempt to 1
    2. Completely turning off the Windows firewall.
    Nothing pops out in the event log. The server in the DMZ is Windows 2008 R2 and the domain controller I am testing is Windows 2008 Service Pack 2. I have opened ESP, AH, ports 88 and 500 on the internal firewall. Just an FYI, we do have a Windows 2003 box on the DMZ with IPSec enabled, talking through the internal firewall to our LAN, that has been working perfectly for years now.
    Thanks for your insight.

    DB:2.62:Ipsec Group Policy Not Being Fully Applied? zd


    Hello,

    Thank you for your post here.

    To make us have a good understand of your environment, please help to collect the following informations:

    1. Please collect the Group Policy Result from the problematic Windows Server 2008 server which will contain the detail settings in the IPsec GPO.

    a) On the DC, run the Group Policy Results wizard to collect the RSoP data in GPMC.
    b) Right-click Group Policy Results, then Group Policy Results Wizard
    c) Choose Another computer to point to the problematic server
    d) Select that problematic user account and click next to collect the group policy result data.

    2. You may enable the IPSec audit on the problematic server to verify what exactly happens with the IPSec rules.
    a) In the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:
    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable
    b) Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:
    net stop MPSSVC
    net start MPSSVC
    Enable IPsec and Windows Firewall Audit Events
    http://technet.microsoft.com/en-us/library/cc754714.aspx

    If you have any questions or concerns, please do not hesitate to let me know.
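    An added example, not from this thread: a PowerShell script that reads back what the audit subcategories enabled above actually recorded, summarising Windows Filtering Platform block events (5152, 5157) and IPsec Main Mode failures (4652, 4653) from the Security log. The EventData field names SourceAddress, DestPort and FilterRTID are those of the 5152/5157 events; the script is mine, not the answerer's.

```powershell
# Added example (not from the thread): summarise what the audit subcategories enabled by the
# auditpol command above recorded in the Security log. Event IDs used: 5152 / 5157 = Windows
# Filtering Platform blocked a packet / a connection, 4652 / 4653 = IPsec Main Mode negotiation
# failed. Run elevated on the DMZ server. Written for PowerShell 2.0 (Windows 2008 R2).
param([int]$Hours = 1)

$ids    = 5152, 5157, 4652, 4653
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Turn each event's <EventData> into a hashtable keyed by the Data Name attribute,
# so the script never relies on positional Properties[] indexes.
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml   = [xml]$Event.ToXml()
    $table = @{ Id = $Event.Id; Time = $Event.TimeCreated; Message = $Event.Message }
    foreach ($d in $xml.Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    return $table
}
$rows = @($events | ForEach-Object { ConvertTo-EventDataTable $_ })

# 1. WFP drops, grouped by blocked source, destination port and the run-time filter id
#    (FilterRTID can be matched against the XML written by 'netsh wfp show filters').
$rows | Where-Object { 5152, 5157 -contains $_.Id } |
    Group-Object { '{0} -> :{1} filter={2}' -f $_.SourceAddress, $_.DestPort, $_.FilterRTID } |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 2. IPsec Main Mode failures: the first message line names the peer and the failure reason.
$rows | Where-Object { 4652, 4653 -contains $_.Id } |
    ForEach-Object { '{0:s}  {1}  {2}' -f $_.Time, $_.Id, ($_.Message -split "`r?`n")[0] }
```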

  • RELEVANCY SCORE 2.62

    DB:2.62:Ipsec In Clustering zk


    I was reading the Changes in FailOver Clustering document, and I noticed that IPSec was supported in Windows Server 2008 clustering, but I am having trouble getting extended information. Can anyone supply links to further data? Thanks

    DB:2.62:Ipsec In Clustering zk


    IPSec is supported on Windows Server 2003 as well; this article discusses it:
    http://support.microsoft.com/kb/821839/en-us

    With Windows Server 2003 there are some timeout values associated with failover. By default it's 5 minutes, but you can set a registry value to reduce it to 2 minutes. The improvement in Windows Server 2008 is that we have solved this issue, so there are no wait times associated with IPSec timeouts on failover.

    Thanks!!
    Elden Christensen
    Program Manager
    Windows Failover Cluster Group
    Microsoft Enterprise Server Products

    Of course, this posting wouldn't be complete without a nice, juicy disclaimer from our lawyers: This posting is provided AS IS with no warranties, and confers no rights. You assume all risk for your use. 2007 Microsoft Corporation. All rights reserved.
    http://www.microsoft.com/info/cpyright.htm

    I came across this post while searching for information on using IPSec with a 2008 R2 failover cluster. I fail to understand how this is an answer for the original question as it doesn't provide any info on IPSec with 2008 failover clusters.

  • RELEVANCY SCORE 2.62

    DB:2.62:Windows 2008 Netsh Configure Ipsec But It Can Not Telnet zm


    Hi
    Now I have a problem configuring IPsec on Windows 2008 SP1. I configured IPsec using the following commands:
    netsh ipsec static del all
    netsh ipsec static add policy name=Windows_Center
    netsh ipsec static add filteraction name=m_block action=block
    netsh ipsec static add filteraction name=m_permit action=permit
    netsh ipsec static add filterlist name=all
    netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=TCP
    netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=UDP
    netsh ipsec static add rule name=B_all policy=Windows_Center filterlist=all filteraction=m_block
    netsh ipsec static add filterlist name=Intrannet_3389
    netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=192.168.0.0 srcmask=24 dstaddr=Me dstport=3389 protocol=TCP
    netsh ipsec static add rule name=P_3389 policy=Windows_Center filterlist=Intrannet_3389 filteraction=m_permit
    netsh ipsec static set policy name=Windows_Center assign=y

    But after I run all the commands in a bat file, I cannot even telnet to 3389 on my server. I checked the commands on Windows Server 2003 and they had no problems.
    Can anyone help me try this and find out why the above commands do not take effect on Windows 2008 SP1?
    thanks a lot ~

    DB:2.62:Windows 2008 Netsh Configure Ipsec But It Can Not Telnet zm

    Hi Barondai,
    I tested your IPSec commands with the same result.
    I checked the IPSec policy in the gpedit.msc UI and found the default response filter list not enabled in the Windows_Center policy; select it to enable it and fix your issue.

    Regards,
    Rick Tan
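    An added example, not from the thread: the same allow-list policy applied from PowerShell with a scheduled rollback armed first, so a permit rule that does not take effect (as happened here) cannot lock the admin out of RDP. It assumes schtasks.exe and netsh.exe on the Windows 2008 box and the policy and filter-list names from the post; the netsh show policy level=verbose form at the end is assumed from the netsh ipsec static help.

```powershell
# Added example (not from the thread): apply the poster's allow-list IPsec policy with a
# dead-man rollback, so a block-all rule whose permit exception fails cannot lock out RDP.
# Assumes schtasks.exe and netsh.exe (Windows 2008) and the names used in the post.
param(
    [string]$PolicyName   = 'Windows_Center',
    [string]$IntranetNet  = '192.168.0.0',
    [int]   $RollbackMins = 10
)

# 1. Arm the rollback BEFORE touching the policy: a one-shot task running as SYSTEM that
#    unassigns the policy. It fires unless the admin deletes it after confirming RDP works.
$when = (Get-Date).AddMinutes($RollbackMins).ToString('HH:mm')
$undo = "netsh ipsec static set policy name=$PolicyName assign=n"
schtasks.exe /create /f /tn IPsecRollback /tr $undo /sc once /st $when /ru SYSTEM | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not arm the rollback task; not applying the policy.' }

# 2. Build the policy as in the post: block all TCP/UDP, then permit RDP from the LAN /24.
$cmds = @(
    "static add policy name=$PolicyName",
    "static add filteraction name=m_block action=block",
    "static add filteraction name=m_permit action=permit",
    "static add filterlist name=all",
    "static add filter filterlist=all srcaddr=any dstaddr=any protocol=TCP",
    "static add filter filterlist=all srcaddr=any dstaddr=any protocol=UDP",
    "static add rule name=B_all policy=$PolicyName filterlist=all filteraction=m_block",
    "static add filterlist name=Intranet_3389",
    "static add filter filterlist=Intranet_3389 srcaddr=$IntranetNet srcmask=24 dstaddr=Me dstport=3389 protocol=TCP",
    "static add rule name=P_3389 policy=$PolicyName filterlist=Intranet_3389 filteraction=m_permit",
    "static set policy name=$PolicyName assign=y"
)
foreach ($c in $cmds) {
    $argv = $c -split ' '
    $out  = & netsh.exe ipsec $argv 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh ipsec $c failed: $out"; break }
}

# 3. Show what is really assigned. Re-connect over RDP from the intranet; only if that works,
#    disarm the rollback with:  schtasks /delete /tn IPsecRollback /f
netsh.exe ipsec static show policy name=$PolicyName level=verbose
```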

  • RELEVANCY SCORE 2.62

    DB:2.62:Code Signing Cert Security Settings ax


    Windows 2008 R2 Server, CA
    I've created a new Code Signing Cert and want to limit who can Enroll so I gave that group Enroll and Autoenroll under the Security tab.
    But do I still need to give authenticated users read rights?

    And should I automatically reenroll if a duplicate cert exists in AD?

    DB:2.62:Code Signing Cert Security Settings ax

    Hello,
    for CA you can ask the experts in
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • RELEVANCY SCORE 2.62

    DB:2.62:Create Client Certificate For Distribution Points And Site Servers ad


    We changed from http to https. I followed the steps from Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority (http://technet.microsoft.com/en-us/library/gg682023.aspx). We have 1 primary server with DP and 6 different DPs. Does this mean I need to deploy a web server cert and client cert for all 7 DPs?

    DB:2.62:Create Client Certificate For Distribution Points And Site Servers ad

    I followed the steps to request and export the client certificate for distribution points. It was fine when I went to DP properties to import the CA on the primary DP; however, when I imported it on the 2nd DP, I got a pop-up message saying: The certificate you specified is already in use. Are you sure you want to use this certificate?

  • RELEVANCY SCORE 2.62

    DB:2.62:Ipsec With Pki Problem xc



    Hi

    I configured IPSEC between two routers using PKI; a third router is the CA server. Everything was fine until I shut down the routers; after starting the routers, there was no IPSEC tunnel. The CA server was disabled; I tried to enable it with the command no shutdown and got this: % The configured CA cert is invalid - no matching keys or expired?

    any idea?


  • RELEVANCY SCORE 2.62

    DB:2.62:Create Multiple Certificates On Windows 2003 For Exchange 2007 sz


    I want to remove my existing cert and recreate the multiple certs for my new Exchange 2007 environment. The cert server is on Windows 2003 and the Exchange 2007 server is on Windows 2008.
    Would anyone provide a guideline to help? Thanks.

    DB:2.62:Create Multiple Certificates On Windows 2003 For Exchange 2007 sz

    You could use the below command to get all the certificates in your exchange server:
    Get-ExchangeCertificate
    Please follow the below steps to create a new certificate in Exchange 2007:
    http://technet.microsoft.com/zh-cn/library/aa995942(EXCHG.80).aspx
    additional information:
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates.html
    Your expertise never fails to impress!

  • RELEVANCY SCORE 2.62

    DB:2.62:Windows Server 2012 R2 Rras L2tp/Ipsec Demand-Dial Cannot Connect Eap Using Certificate Authentication In Site-To-Site Scenario 99


    Windows Server 2012 R2 RRAS L2TP/IPsec demand-dial cannot connect with EAP using certificate authentication in a site-to-site scenario with another Windows 2012 R2 RRAS.
    The same issue was with Windows 2008/2008 R2... for Windows 2008 there was the KB2200118 hotfix that resolved the issue.
    Need KB2200118 for Windows 2012 R2......

    DB:2.62:Windows Server 2012 R2 Rras L2tp/Ipsec Demand-Dial Cannot Connect Eap Using Certificate Authentication In Site-To-Site Scenario 99

    Hi,
    In the case of EAP-TLS, the calling router's credentials consist of a user certificate that is validated by the answering router. EAP-TLS requires a public key infrastructure (PKI) to issue and validate certificates.
    But since Windows Server 2012 R2 is a new product, I didn't find a hotfix either.
    As a workaround, maybe you can choose another authentication method.
    Demand-Dial Routing Security
    http://technet.microsoft.com/en-us/library/cc957963.aspx
    Thank you.

  • RELEVANCY SCORE 2.62

    DB:2.62:L2tp Wont Connect Using Certificates dd


    I just got Windows Server 2008 through the DreamSpark program. I'm trying to learn about L2TP but cannot get it working! I am able to connect to my server using PPTP as well as L2TP using PSK. However, no matter what I do, I keep getting an error that a valid certificate cannot be found on the client if I try connecting using certificates. My server has both AD DS and AD CS Enterprise installed on it. What I did was request an IPSec cert on the server. Then I logged into my domain from this laptop and requested a User cert from my CA. From what I've read this should do it, but it keeps saying Error 781: No valid certificate found. What am I doing wrong?

    DB:2.62:L2tp Wont Connect Using Certificates dd

    I've tried that link before, and I tried it just now with no luck. Here is how my certs are set up on each computer.
    Client (under Local User): issued by mydomain-myservername-CA, 1 certificate: Encrypting File System, Secure Email, Client Auth.
    Server (under Local Computer): issued by mydomain-myservername-CA. I have 3: one issued by the CA, one I requested with the domain controller template, and a third I've requested with an IPSec template.
    This is really frustrating.

  • RELEVANCY SCORE 2.62

    DB:2.62:Help! Cant Get A Winrm Https Listener Created. z3


    I'm working on deploying WinRM throughout my company's infrastructure and would like to be able to send tasks to multiple servers from a single 'control' server (fan-out). This will be heavily scripted and I would prefer to keep from using passwords and would rather rely on certificate-based authentication. Trying every guide and know-how I've come across so far has still brought me to a dead end.
    To enlist your help, I've deployed a brand new Server Core 2008 R2 Datacenter server and gotten as far as the steps listed below.
    If anybody can help me out with the rest in a replicable fashion, it would be greatly appreciated.
    -------------------
    $ sconfig
    : 1 W(orkgroup) DCOMPANY
    : 2 2k8core restart
    : 4 1 (Enable MMC Remote management)
    : 4 2 (Enable Windows PowerShell) restart
    : 6 All Updates Installed restart
    : 9 Set system clock to COMPANY NTP server

    $powershell
    PS set-wsmanquickconfig -force
    PS set-item wsman:\localhost\Service\Auth\Basic true -force
    PS set-item wsman:\localhost\Service\Auth\Certificate true -force

    [host01] nsn -cn 2k8core -cred 2k8core\Administrator

    [2k8core]: PS

    [2k8core]: PS dism /online /enable-feature /featurename:NetFx2-ServerCore
    [2k8core]: PS dism /online /enable-feature /featurename:NetFx3-ServerCore
    [2k8core]: PS dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
    [2k8core]: PS dism /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
    [2k8core]: PS mkdir C:\cert

    Download Windows 7 SDK to C:\cert
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3138

    [2k8core]: PS C:\cert\winsdk_web.exe
    [2k8core]: PS $env:path = "C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin"

    Create new Cert Request INF (2k8core.inf)
    ###############
    [NewRequest]
    Subject="CN=2k8core"
    Exportable=True
    KeyLength=2048
    MachineKeySet=TRUE
    FriendlyName=2k8core
    KeySpec=1
    ProviderName="Microsoft RSA SChannel Cryptographic Provider"
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    OID=1.3.6.1.5.5.7.3.2
    ###############

    [2k8core]: PS certreq -new C:\cert\2k8core.inf C:\cert\2k8core.req

    ---------------------
    So, at this point, I can connect via WinRM Basic Authentication to my 2k8core server and would like some help in moving forward.
    I have a 2008-based CA in my infrastructure with a CA root cert that is valid for Certificate Signing.
    I was under the impression that all I need to do at this point is submit my 2k8core.req to my CA, then install the CA cert into 2k8core's machine 'root' store, and the '2k8core' cert in 2k8core's machine 'my' store.
    No matter how many ways I've tried this, Set-WsManQuickConfig -UseSSL -force still fails saying that it can't find a valid certificate.
    Any assistance or advice would be GREATLY appreciated.

    Thanks!

    DB:2.62:Help! Cant Get A Winrm Https Listener Created. z3

    Alllllllright! One step down the road!
    I was able to get a https listener created on the server with the following steps.

    [server] 1. Install IIS7 Resource Kit
    [server] 2. SelfSSL /V:60 /T
    *At this point I am able to verify that there is a self-signed certificate with valid key usage for 'server authentication' in the localmachine 'my' and 'root' stores.
    [server] 3. ls cert:\localmachine\my (Copy Certificate Thumbprint)
    [server] 4. winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="[server]";CertificateThumbprint="[paste from step 3]"}

    After this, I was able to connect from a client machine like so

    [client] 1. $so = New-PsSessionOption -SkipCACheck
    [client] 2. etsn -cn 2k8core -cred 2k8core\Administrator -Usessl -SessionOption $so
    [client] 3. [2k8core]: PS

    So, I am now able to successfully connect WinRM over SSL.

    On to the next step. Using Certificate based authentication. Any clues?
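    An added example, not from the thread: a PowerShell check of why each certificate in LocalMachine\My would or would not be accepted for an HTTPS listener (the usual reasons behind "can't find a valid certificate" from Set-WsManQuickConfig -UseSSL), followed by creating the listener with New-WSManInstance, the cmdlet equivalent of the winrm create in step 4. It assumes the listener host name is $env:COMPUTERNAME, matching Subject=CN=2k8core in the INF above, and uses the Server Authentication EKU OID 1.3.6.1.5.5.7.3.1 from that INF.

```powershell
# Added example (not from the thread): find a certificate WinRM can bind an HTTPS listener
# to, report why other candidates are rejected, then create and display the listener.
# Assumptions: host name = $env:COMPUTERNAME (the INF used Subject=CN=2k8core);
# 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU listed in that INF. Run elevated.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$hostName      = $env:COMPUTERNAME

# Returns the reasons WinRM would reject this certificate; an empty list means usable.
function Get-WinRmCertProblems {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    # A cert issued by the CA but imported by hand instead of 'certreq -accept' ends up here:
    # the public cert is in the store, but it is not linked to the key certreq -new generated.
    if (-not $Cert.HasPrivateKey)      { $reasons += 'no private key linked in the store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $reasons += 'expired' }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $reasons += 'EKU lacks Server Authentication'
    }
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $hostName) { $reasons += "name '$dns' does not match host '$hostName'" }
    return ,$reasons
}

$candidate = $null
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = Get-WinRmCertProblems $cert
    if (-not $problems) { $candidate = $cert; break }
    Write-Host ('skip {0}: {1}' -f $cert.Thumbprint, ($problems -join '; '))
}
if (-not $candidate) { throw 'No certificate in LocalMachine\My is usable for a WinRM HTTPS listener' }

# Bind the HTTPS listener to that thumbprint and show the result.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $hostName; CertificateThumbprint = $candidate.Thumbprint } | Out-Null
Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' }
```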