Certificates for IPSEC vpn clients in ASA 8.0
Hello!
I have configured an MS CA and set up the VPN client and ASA 7.0 to build the tunnel with certificates.
The same configuration does not work with ASA 8.0; I get this error:
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (40)
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx
CRYPTO_PKI: Certificate not validated
Why is the key usage invalid? What certificate template must be used in MS CA in order to get a regular key usage?
The CA enrollment is terminal.
THANKS!
The cert needs to have the Digital Signature key usage set.
Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.
To make ASA 8 behave the same as ASA 7 (i.e. disable the check on the cert's key usage), configure:
crypto ca trustpoint
ignore-ipsec-keyusage
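As an added illustration of the check the answer describes (this is example code, not Cisco's implementation and not from the original thread), the following Python decodes an X.509 KeyUsage extension the way RFC 5280 defines it and applies the rule "the peer cert must carry digitalSignature", with a switch that models what ignore-ipsec-keyusage does. The KeyUsage byte strings at the bottom are constructed for the example; the "(40)" printed by the ASA is an internal code and is not decoded here.

```python
"""Decode an X.509 KeyUsage extension and apply the IPsec peer check.

Added example (not Cisco code and not from the original thread). It
mirrors the decision the ASA 8.0 debug above reports: reject a peer
certificate whose KeyUsage does not carry digitalSignature. The
KeyUsage byte strings at the bottom are constructed for illustration;
the "(40)" value printed by the ASA is an internal code and is not
decoded here.
"""

# RFC 5280 s4.2.1.3: KeyUsage ::= BIT STRING. Bit 0 is the most
# significant bit of the first content byte.
KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)


def parse_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03, short-form length) into usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or long-form BIT STRING length")
    unused = der[2]                # count of padding bits in the last byte
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bit count")
    nbits = len(body) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= nbits:
            break                  # DER drops trailing zero bits
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            usages.add(name)
    return usages


def ipsec_peer_key_usage_ok(der, ignore_keyusage=False) -> bool:
    """True if the peer certificate may be used for IKE signature auth.

    Rule applied: the cert needs the digitalSignature bit (what the
    answer above says ASA 8.0 enforces). ignore_keyusage models the
    trustpoint command 'ignore-ipsec-keyusage', which skips the check
    and restores the ASA 7.0 behaviour. A None argument stands for a
    certificate with no KeyUsage extension, treated here as
    unrestricted (the RFC 5280 reading; an assumption about the ASA).
    """
    if ignore_keyusage or der is None:
        return True
    return "digitalSignature" in parse_key_usage(der)


# Constructed sample extension values (hex of the BIT STRING only).
USER_CERT_OK = bytes.fromhex("030205a0")      # digitalSignature + keyEncipherment
ENCIPHER_ONLY = bytes.fromhex("03020520")     # keyEncipherment only -> rejected
DECIPHER_ONLY = bytes.fromhex("0303070080")   # two-byte body, bit 8 set

if __name__ == "__main__":
    for label, der in (("user", USER_CERT_OK), ("encipher-only", ENCIPHER_ONLY)):
        print(label, sorted(parse_key_usage(der)),
              "ok" if ipsec_peer_key_usage_ok(der) else "REJECT")
    print("encipher-only with ignore-ipsec-keyusage:",
          ipsec_peer_key_usage_ok(ENCIPHER_ONLY, ignore_keyusage=True))
```

To see what a real peer certificate carries before touching the trustpoint, dump the extension with `openssl x509 -in peer.pem -noout -ext keyUsage` (OpenSSL 1.1.1 or later); if "Digital Signature" is missing, the fix belongs in the CA template that issued the cert, and ignore-ipsec-keyusage is the workaround that simply stops the ASA from looking.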
Similar Messages
-
Configurate cisco ipsec vpn client at asa 5505 version 8.4
Hi. I want to configure the Cisco IPsec VPN client on an ASA 5505. My ASA's software version is 8.4.
Please provide me a link or some material to configure the IPsec VPN client on an ASA 5505 running version 8.4.
Thank you.
Are you looking for the VPN client .pcf file or the configuration on the ASA (ASDM)?
What version of the VPN client? -
Support IPSec VPN Client in ASA Multiple Context Mode
I've looked under "Cisco ASA Series CLI Configuration Guide, 9.0" at "Configuring Multiple Context Mode", and it says
"IPsec sessions—5 sessions. (The maximum per context.)". Does that mean ASA multiple context mode supports the IPsec VPN client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'll appreciate anyone who can clarify it.
Thanks, Jason.
(Please direct me to the right group if I'm not in it; this is the first time I have posted in the Cisco support forum.)
This is from the v9.3 config guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.) -
User from certificate with Cisco VPN client and ASA (and radius)
Hello,
We are trying to migrate a VPN client connection from GROUP to certificate. We want the client to use the user from the certificate and not ask for the user, only the password. Is it possible? Now, with a user certificate, you can connect as another user if you know the user and the password of the other user with your own certificate.
Thanks!
Santiago.
mrbacklash wrote:
OK, with that being said, will the MBA 11.6 1.4GHz have the guts to make it run mostly internet-based programs over the VPN connection?
I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
Message was edited by: BobTheFisherman -
Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs
Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub and the VPN client is a spoke, if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)
Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take a while, and I suspect they wouldn't be helpful as this ASA supports thousands of clients; therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark and/or tcpdump.)
Thanks again. -
Certificate authentication for Cisco VPN client
I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I currently have it set up for group authentication with a shared password. This works fine. But in order to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. "failed to generate signature", "invalid remote signature id". I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that, since our system states only 2 allowed. Thank you for your help.
Dear Doug,
What ASA code are you running on your ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you determine whether you need to procure a license for your hardware. By default your hardware will be shipped with an AnyConnect Essentials license when you order it with ASA code above 8.0.
With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed for your hardware.
1) What is the AnyConnect Essentials License?
The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers" platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device. With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
AnyConnect VPN configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml -
IPSEC VPN clients can't reach internal nor external resources
Hi!
I'm currently running ASA 8.3 and, with a fair amount of experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
I'm pretty sure it's not ACLs, although I might be wrong.
The problem is twofold: VPN users can reach internal resources, and VPN users can't reach external resources.
# Issue 1.
The IPsec VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any; I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****
Hi,
I don't seem to get a reply from 8.8.8.8, no; kind of hard to tell as it's an iPhone. To me, all these logs simply say it works like a charm, but still I get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.32.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from Cisco IPsec VPN Client 5.x. I tried playing with .pcf files and user names/identity stores; none seems to work.
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...
Hi Guys
I am having issues with the built-in Cisco VPN client on the Mac; I am currently using Mac OS X 10.7.4.
I have a Fortigate 200B device and have set up the IPsec VPN settings to have a keylife of 86400 seconds.
However, the experience I am having with the Mac clients is that after about 50 minutes the users are being asked to re-authenticate to the VPN...
When checking the debug logs I can see that the peer (Mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds, which is 1 hour...
Usually in IPsec a renegotiation process takes place about 10 minutes or so before the key expires..
My question is where are the VPN settings kept on the Mac... I know it uses racoon for the IPsec key exchange, and so I would like to tweak the VPN profiles so that the Mac sets the lifetime of the key to 86400 instead of 3600 by default...
Also want to be able to set logging to debug mode for the Racoon application on mac clients.
Your help is much appreciated
Kind Regards
Mohamed -
AAA static IP address for RA VPN Client
Hi,
My VPN group and VPN pool are locally created on the Cisco VPN router, but users are authenticated through ACS, the AAA server, via TACACS. Now I want to assign a static IP address to a VPN client. Everything is fine, but due to an application problem I want to give them a static IP address from the VPN pool. I have created one pool on the AAA server and also configured the client in AAA to get the static IP address, but I am unable to do this. Please help me out with how to do this.
My router is configured for TACACS+. I have checked the user configuration in AAA server to get the static ip address but it is not working. Please help me out how to do this. I cant change Router to Radius but this is my main router which is configured for 160 sites through ISDN and these sites also configured for TACACS+.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group Aviation-VPN
key egntosc
pool aviation-pool
acl avi-tunnel
save-password
netmask 255.255.255.0
crypto isakmp profile vpnclient
match identity group Aviation-VPN
client authentication list default
isakmp authorization list Aviation-authorization
client configuration address respond
crypto ipsec transform-set aviset esp-3des esp-sha-hmac
crypto dynamic-map avi 10
set transform-set aviset
set isakmp-profile vpnclient
reverse-route
Since you're using ACS, I believe the way to do this is to
go into ACS, and select the username of the user that you want
to get the static IP. Under that user's setup, there is an option to
always assign the same IP. Just select that and enter the IP you
want them to get. - chris -
Issuing certificates for user and clients from different forest/domain
Hello,
At first I would like to say that I have done some research on this forum and on the Internet overall.
I have an AD forest with ~10 sites all over Europe, DFL and FFL are 2008 R2; right now we are migrating site by site from the old domain (Samba) to AD.
Recently I deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node failover cluster.
Everything in my AD forest is OK, I mean autoenrollment works perfectly for users and computers from my forest;
now I need to deploy a certificate (for test) to one web-based PBX server in the Samba domain; there are no trusts etc. The Samba domain as well as the AD forest are working on the same network, with routable subnets in each site, so there is no problem with connectivity.
What are the possible ways to achieve this goal? I mean to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of a different domain), I selected username/password authentication, I am able to request a certificate, I can see all templates which I should see, but when I try to enroll I get an error:
(translated from my language)
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
My root CA cert is added to trusted publishers for the computer and user node as well.
What could be wrong? If you have any ideas or questions, please share or ask.
Thank you in advance.
Everything is clear, I have Certificate Enrollment Web Services installed and configured;
the problem is what I get from certutil -TCAInfo:
================================================================
CA Name: COMPANY-HATADCS002-ISSUING-CA
Machine Name: COMPANYClustGenSvc
DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
NotAfter: 2019-02-14 12:44
Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
Enterprise Subordinate CA
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 12:34
NotAfter: 2019-02-14 12:44
Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
Serial: 618f3506000000000002
Template: SubCA
9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 02:
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
ThisUpdate: 2014-02-14 12:16
NextUpdate: 2024-02-15 00:36
d7bafb666702565cae940a389eaffef9c919f07a
Issuance[0] = 1.2.3.4.1455.67.89.5
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 11:55
NotAfter: 2024-02-14 12:05
Subject: CN=HATADCS001-COMPANY-ROOT-CA
Serial: 18517ac8a4695aa74ec0c61b475426a8
b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Issuance[0] = 1.2.3.4.1455.67.89.5
Exclude leaf cert:
5b309c67a8b47c50966088a4d701c8526072c9ac
Full chain:
413b91896ba541d252fc9801437dcfbb21d37d91
Issuer: CN=HATADCS001-COMPANY-ROOT-CA
NotBefore: 2014-02-14 12:34
NotAfter: 2019-02-14 12:44
Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
Serial: 618f3506000000000002
Template: SubCA
9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Supported Certificate Templates:
Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
Validated Cert Types: 7
================================================================
COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
Enterprise Subordinate CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Online
CertUtil: -TCAInfo command completed successfully.
Please shed some light on it because it's driving me crazy :/
Thanks in advance
One remark: certutil -tcainfo performed on the CA directly is 100% OK, no errors regarding
"A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)" -
Generate Certificates for WLC and clients
Hi Guys
I've been working according to the following document to integrate my WLC 5508 with LDAP for internal users:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
However, when I try to generate the device certificate on Windows Server 2012, I see the steps are different; for example, when I reach step 4 (of the "Generate a Device Certificate for the WLC" section), the CA asks me for a Certificate Signing Request instead of the "Create and submit request to this CA" option, as appears in the document.
How do I get this?
Thanks in advance for your support!
Marcelo
Hi,
If you are trying to get a device certificate for the WLC, then you may need to use 3rd-party software like OpenSSL for this.
Below post may help you to see how you can do this
http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
HTH
Rasika
*** Pls rate all useful responses **** -
Certificates for Server and Client to install . Pls advice
I am doing File --XI --- File scenario with FTPS.
Currently consider only File -- XI part now.
We go point by point: for this link:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
Blog says:
1. In the visual admin of XI make Server Public and Private keys.
2. In the visual admin of XI make Client Public and Private keys.
Suppose File Sender System is Server and XI is Client
Questions:
a. Do I need make Server Public and Private keys In the visual admin of XI ?
b. Do I need make Client Public and Private keys In the visual admin of XI ?
Generic Rule -- system1 sends its public key to system2 and similarly system2 sends its public key to system1.
c. For Export keys and Import keys as given in blog
-- I am not able to get this part given from Page 38 - 41 of this blog.
Please advise me
Regards
Edited by: Henry A on Mar 3, 2008 1:07 PM
Edited by: Henry A on Mar 3, 2008 1:08 PM
Edited by: Henry A on Mar 3, 2008 1:54 PM
Hi DecaXD,
thank you for the quick response :)
On the client side I tried to establish the connection to the work repository with the following connection information:
Login information*:
Oracle Data Integrator Connection
Login name = odi_server
User = SUPERVISOR
Database connection (Master Repository):
User = odim
URL = jdbc:oracle:thin:@<server ip>:1521:orcl
A work repository could be found, but the connection failed! (?!)
" ODI-26130: Connection to the repository failed.
oracle.odi.core.config.NotWorkRepositorySchemaException: ODI-10147: Repository type mismatches.
Could not get JDBC Connection; nested exception is java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid SQL-Query for validating the connection (+translated from german into english+) "
My ODI configuration on the server side (logged in as: odiw):
topology tab*:
Physical architecture:
Technology:
Definition:
Dataserver name = oracle_db_11gr2
User = odiw
JDBC-URL = jdbc:oracle:thin:@10.168.178.131:1521:orcl
Datasource:
Agent = OracleDIAgent
JNDI-Name = [DataSourceName]
Agents:
Definition:
Name = OracleDIAgent
Host = <IP of the server>
Port = 8001
Webapplicationcontext = oraclediagent
Datasources:
Dataserver = oracle_db_11gr2
JNDI-Name = [DataSourceName]
Logical architecture:
Technology:
Defintion:
Name = oracle_db_11gr2
Context = aMIS_dev
Physical schema = oracle_db_11gr2.ODIW
Agent:
Name = OracleDIAgent
Context = aMIS_dev
Physical agent = OracleDIAgent
When I test the connection of the data server (topology>physical architecture>technology>oracle>oracle_db_11gr2) with the OracleDIAgent I receive the
" ODI-26039: Connection failed.
oracle.odi.runtime.agent.invocation.InvocationException: javax.naming.NameNotFoundException: Unable to resolve '[DataSourceName]'. Resolved ''; remaining name '[DataSourceName]' "
Since testing the connection on the server side failed in the first place, I couldn't test the connection on the client side. -
Windows Domain Controller certificate for non domain clients
Hi,
Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
Regards
Hi,
Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
Not sure what you want to achieve here.
However, yes, it is possible to export certificates (with private keys) from domain machines and then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only meaningful to Domain Controllers. Possession of domain certificates doesn't indicate machines are part of the domain.
Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]