802.1x ISE with computer certificates

Similar Messages

• Access connection​s 5.50 and EAP TLS with Computer certificat​e

  Hello,
  I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
  I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
  OS is windows XP with SP3 and all the windows update (as of today).
  On my Radius server this is what I get:
  If I use WZC I get this in the authentication:
  Security ID: DOMAIN\R61WXP$ (this is my computer name)
  Account name: host/R61WXP.domain.local
  Account Domain: DOMAIN
  FQDN: DOMAIN\R61WXP$
  When I use Access Connections:
  Security ID: DOMAIN\Guest
   Account name: 
  Account Domain: DOMAIN
  FQDN: DOMAIN\Guest
  My Access connection profile is set this way:
  IEEE802.1x => Authenticate as Computer when the information is available.
  I hope someone can help !
  Thanks!

  Hi,
  try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
  Make also sure, that the profile connection is correctly configured in the AC profile settings.
  This mighe the the root cause.
  I can tell you, that there must be something missconfigured, as this configuration will surelly work .
  Cheers

• Radius 802.1x authentication with computer AND users.

  Hi !
  I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
  I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
  What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
  Therefore I created a new policy with the following conditons :
  - NAS Port Type : Wireless
  - Client IPv4 Address : <my cisco ip>
  - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
  - Users Groups : EUROPE\MY_USER_GROUP
  - Machine Groups : EUROPE\Domain Computers
  When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
  User:
      Security ID:            EUROPE\HOSTNAME$
      Account Name:            host/HOSTNAME.my.server.com
      Account Domain:            EUROPE
      Fully Qualified Account Name:    EUROPE\HOSTNAME$
  Authentication Details:
      Connection Request Policy Name:    Secure Wireless Connections
      Network Policy Name:        Connections to other access servers
      Authentication Provider:        Windows
      Authentication Server:       My.radius.server.com
      Authentication Type:        EAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            65
      Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
  Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
  It therefore seems that it doesn't match my network policy and falls bacj to the default one.
  If I remove the user rule, and let the computer rule : Connection OK
  If I remove the computer rule, and let the user rule : Connection OK
  but if I put both, i can't connect :s
  Can someone help me with this issue ?
  Thanks a lot !
  Geoffrey

  Hi Geoffrey,
  I would like to know if
  EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
  Please try to use NPS wizard to configure 802.1x wireless connection,
  and
  you will find that it
  creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
  you
  need filter by user and computer account, the log should show both authenticate user and machine account name.
  EAP-TLS-based Authenticated Wireless Access Design
  http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
  Regards, Rick Tan

• 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

  I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
  We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
  I push out the wireless client’s setting via group policy, and the clients are using WZC. 
  Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
  Some clients this will never happen to and a few it will happen repeatedly. 
  To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
  Many of our classrooms lack network drops, so wireless is the best for us. 
  Except for this one downfall, it is working great. Any help is appreciated.

  Hi Ryan,
  Thanks for posting here.
  Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
  Some clients this will never happen to and a few it will happen repeatedly. ”
    in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
  Only certain computers are facing this issue or all?
  What’s OS running on these client computers?
  According the situation right now , I’d like to share some suggections with you:
  1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
  the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
  click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
  of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
  2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
  event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
  dialog.
  3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
  settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
  4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
  an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
  if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
  If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
  authentication.
  5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
  authentication process the failure occurs.
  Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
  Windows Server 2003 Wireless Troubleshooting
  http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
  Troubleshooting Windows Vista 802.11 Wireless Connections
  http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
  Thanks.
  Tiger Li
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
  It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
  I checked if logging is turned on and I can see successful events from computers that are working. 
  I can also see failed events from computers that are not ours that tried to connect to our wireless. 
  However for the computers that are having this problem there are no logged events. 
  It is as if they don’t even communicate with the server. 
  Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
  I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
  I did notice that the firewall is also turned on through group policy when the domain is not available.
     Do you think the firewall is blocking the communication? 
  I added an exception to port 1812 UDP and this did not make a difference.

• Win XP - 802.1x Supplicant Behaviour with SmarCard/Certificate

  I am trying to implement Cisco's AuthFail VLAN functionality on a Catalyst 3560. It works fine with PEAP but does not work with SmartCard/Certificate (EAP-TLS) as the 802.1x protocol.
  Please note that in my scenario I expect the authentication to fail and such users to be automatically moved to the AuthFail VLAN by the switch.
  I have noticed that with Smartcard/certifcate is selected as the EAP type in XP, the supplicant only initiates 802.1x process locally on the machine but does not send anything to the switch. I dont have any certificates on the machine, neither user nor machine. The process always initiates when the cable is connected to a protected port but then dies with the message like "Windows is unable to find a certificate to log you on to the network". There is no failure log on the ACS, hence the request is not even being forwarded to ACS so I guess the switch is not receiving it from the XP client.
  Only if I select the check box "Authenticate as guest when user or computer information is unavailable" that I get failure messages on ACS and the port is moved to AuthFail vlan after configured attempts.
  Does anybody know if there is a fix or patch for this XP behaviour? The reason it is important is that in XP smartcard/certifcate login is set by default if 802.1x is enabled. Hence any visitor or guest with 802.1x turned on, will by default have this setting.
  Thanks.
  MAG.

  Hi,
  the default behavior for Windows XP machine is the following:
  - 802.X enabled
  - EAP type is EAP-TLS
  - No certificate is available (for user or machine)
  - No EAPoL-Start messages are sent (a registry change is required for that).
  If the goal is provide Guest Access in such scenario, the Auth-Fail VLAN won't help since the authentication attempts never fail (as you mentioned). This is because the Windows client can be considered "smart enough" in this case to avoid replying to the Identity-request messages sent by the switch once it realizes there are no valid certificates installed.
  What I'd recommend in this scenario is then to leverage the 802.1X Guest VLAN feature, configuring it with the same value of the Auth-Fail VLAN. In that way, no matter if the autentication fails or it is not preformed (as in this case), the user will be deployed in the same VLAN anyway.
  Hope this helps,
  -Max

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• Setting up eth0 with 802.1X security and a certificate

  Hello,
  I`d like to ask for some help...
  I`m living in a building owned by my university and they have rules about the internet connection. Everything was fine using ubuntu, I just entered a window and filled the form in the 802.1X security tab, username, password, certificate. clicked connect -> DONE
  Now in a hope to learn more about linux I`m trying to get arch linux working, but the first problem I`ve encountered is that I can`t get the connection running...
  So please, could you instruct me what to do?
  I need to set up a connection, let`s call it eth0 for simplicity, and I need to have IPv4 enabled, IPv6 disabled, 802.1X security with a username, password some kind of a Add_Trust.... certificate, let`s call it just cert.pem for simplicity. And I have only the command line interface like... you know, 5  seconds after installing the base and rebooting...
  Thank you very much

  Forum search and google are your friend.
  https://bbs.archlinux.org/viewtopic.php?id=72799
  https://wiki.archlinux.org/index.php/Ne … figuration
  https://wiki.archlinux.org/index.php/WPA_supplicant

• How to access 802.1x authentication wired nework with digital certificate?

  How can I access 802.1x authentication wired network with digital certificate?
  I can access the network in windows with the following configutaion:
  BUT in my lion, I had import the digital certifacte. While I connected to the network, I was prompted:
  Enter the name and password for this 802.1X network
  I could not get the opportunity to select my digital certificate? But my colleague can.
  iPhone Configuration Utility seemed to provide wireless 802.1X authentication configuration file . And in my work background, most people use the windows. And there isnot a lion server to provide a configuration file.

  Dear Rune,
  Thank you for reaching Small Business Support Community.
  If you have already followed the 802.1X Supplicant configuration described in page 112, chapter 6, on the admin guide;
  http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap121/administration/guide/WAP121_321_AG_en.pdf
  All I can suggest you is to make sure you are running on the latest firmware release version 1.0.4.2;
  http://software.cisco.com/download/release.html?mdfid=284152656&flowid=32563&softwareid=282463166&release=1.0.4.2&relind=AVAILABLE&rellifecycle=&reltype=latest
  And then contact the Small Business Support Center to have a TAC engineer figure this out;
  https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
  Please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• What do I need the Computer certificate for in an Active Directory domain? Theoretical Inquiry

  So we are trying to clean up the thousands of certificate we have deployed.  We are on a 2008 R2 Active Directory and have been using certs for about a decade.  With all of our machines auto enrolling in Computer certificates and renewing every
  year we have maybe 50,000 certificates, yes some are expired already but its a nightmare to manage.  So what do we need the Computer certificate on all the Windows machines for anyway, some are XP most are Windows 7.
  Is the Computer certificate required for Kerberos authentication?
  If we don't need it I rather stop publishing the Computer template and simplify our lives.
  Please explain (I am not new to PKI, though this question may make me seem like a novice) I get the Web Certs, EFS, etc.

  Computer certificates are not needed for Kerberos authentication.
  They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might used them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.
  So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials.
  Elke

• Require Computer Certificate And user credentials

  Hi All,
  I'm trying to test 802.1x authentication in a lab environment with some standalone 1131AGs and a Server 2008 R2 NPS server. I've been able to set up a few different scenarios but none have met all my requirements:
  Scenario 1:
  Laptops in the domain automatically get certs from a GPO
  Laptops in the domain automatically get an SSID configured from a GPO
  Laptops in the domain automatically authenticate using their computer certificate.
  Problem:
  I can't add non-domain computers to this network. I've tried installing computer certs using Windows 2008 R2's certsrv CA web portal but these types of certs don't seem to work.
  Scenario 2:
  Same as below except I provide non-domain computers with a user certificate which they can request through Windows 2008 R2s certsrv CA web portal.
  They can connect BUT they can export the private key and put it on other devices or give it to their friends, etc.
  I'd like to figure out a way to ensure certificates can't be exported or at least require a user cert and a username and password to get onto the wireless network. Is this not possible with EAP-TLS or PEAP-TLS?
  Thanks!

  Yon,
  Moving this to AAA forum.
  Thanks,
  Vinay Sharma
  Community Manager - Wireless
  Cisco Support Community

• 802.1X EAP-TLS User Certificate Errors

  I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer
  Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.
  No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:
  [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
  [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
  [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
  [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
  [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
  [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  Also, in the event viewer I get the following:
  Wireless 802.1x authentication failed.
  Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
  Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
  Local MAC Address: C4:17:FE:48:F2:79
  Network SSID: *****
  BSS Type: Infrastructure
  Peer MAC Address: 00:12:17:01:F7:2F
  Identity: NULL
  User: presentation
  Domain: ****
  Reason: Explicit Eap failure received
  Error: 0x80420014
  EAP Reason: 0x80420100
  EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
  I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS.  I modified the "Subject Name" to "Build from Active Directory information".  "Subject Name Format" is set to "Fully Distinguished Name" and "User
  Principal Name (UPN) is checked.  All other boxes are cleared.  I verified that certificates for both user, computer , and root CA are all correctly auto enrolled.  I also verified that the user certificate
  exists in the "Personal" user certificate store on the client.
  There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything.  Please help!

  Hey,
  I am precisely in the same situation now. I have  a win7 client with server2008R2(having AD, and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but
  when I use the user certificate it doesn't work. Both  user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine , both have their respective certificates in their
  personal stores.
  I have tried all possible combination and even tried changing the key provider but no use.[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
  [6472] 12-10 13:39:04:327: DwGetEKUUsage
  [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
  [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
  [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
  [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
  I am stuck at it for last few days with no real cause known as yet.!
  Any help will be thoroughly appreciated!!!

• Unable to enroll Computer certificates on Server 2008 R2 and older

  I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer
  certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still
  works.
  I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built.  I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks
  > Request New Certificate.  I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen.  If I check the box to show all templates the certificates
  I want are listed with:
  "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't' support this
  operation, or the CA is not trusted."
  I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that
  the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.
  Any ideas?
  Thank you!

  Hi Amy.
  Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.
  I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.
  I don't recall making any changes that would have affected a computer's ability to enroll.  There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I
  went to generate internal certificates back in October.  All administrative work is done as the domain Administrator account.
  We didn't have issues with this CA when it was first built, so something did change.  We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything.  When we moved to Server 2012
  on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained.  It may be better just to clean everything and get one consistent root certificate again.
  Alan

• Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

  2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
  2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
  Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request,
  but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate
  authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
  A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I
  can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
  The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

  You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured
  to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it cant issue anything longer than its own remaining lifetime. It is a well known issue that issuing a certificate within the renewal period will cause
  problems.
  What you should do it use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer
  will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

• Problem witch Anyconnect - Reading computer certificate

  Hi everyone.
  We are having an issue with our Windows 8.1 domain computer and Anyconnect.
  We have deployed computer certificates to all our domain computers, and use them for our wireless networks, which works great.
  When Anyconnect is started as a domain user, it wont allow us to connect using the machine certificate. We get an error message saying: "Certificate validation failure" and the message history says: "No valid certificates available for authentication". 
  If we run anyconnect as an administrator, there are no problems, and the connection is established right away.
  We have tried giving domain users read access to: HKLM\software\microsoft\systemcertificates, but it didn´t help.
  We have tested the same setup on OSX Yosemite, and there it works fine.
  We have had succes deploying a user certificate to the user(Windows 8.1), but we will prefer using the computer certificate.
  Any ideas? If you need more information, please let me know.
  Best Regards

  From: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html
  "In the Preferences (Part 1) pane of Profile Editor, use the Certificate Store list box to configure in which certificate store AnyConnect searches for certificates. Use the Certificate Store Override checkbox to allow AnyConnect to search the machine certificate store for users with non-administrative privileges."
  Rob.

• ISE with two PKI enterprise servers

  Hi,
  I have to install Cisco ISE for one of my customer.
  this customer has two enterprise PKI.
  one PKI deliver a certificate for a group of user and the second PKI deliver a certificate for the others user.
  In this case how to do? do have need to add the two enterprise pki certificate in each Cisco ISE? the ISE need to have
  two certificates one from each PKI server?
  what I have already done is to configure cisco ISE with only one enterprise PKI.
  Guy charles

  Do both users group trust each of the enterprise CA certs?
  No, but I can ask to the customer to do it if it is a right solution.
  Are the two user groups in the same ad environment and are you planning on differentiated access based on AD groups?
  the two user groups are in the same ad environment, yes i am planning to do access based on ad groups.