EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

Similar Messages

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Hi guys,
  I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
  I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

• Error: "failed to load book because the requested resource is missing"

  I book a book via the iPad. The book appeared in my library no problem with the "new" tag and stuff, but when I tap it to read I get an error "failed to load book because the requested resource is missing." Any ideas? I'm on the road, so I haven't synced or backed up or anything..
  I've also verified that I have a good connection, etc. I'm able to hit the "store" button and browse the store no prob, as well as web, etc.
  Any thoughts?

  I believe I may have the answer to these many concerns. 
  When a book is over 20 or so megs, iBook will sometimes make an attempt to download on the iPad (when it should not). This causes problems. Perhaps the one you are experiencing. Therefore you have to wait until you are on a wifi connection before purchasing dictionary-like books. But if you've already made the mistake of downloading, theres no guarantee wifi will correct this. 
  What worked for me (like others have already mentioned) is that if you have an iphone or touch you can download it from there, sync with your computer and sync your iPad later. The book(s) will transfer just fine as long as you have this enabled on your devices.
  Initially this didn't work for me because in my frustration with a prior issue I took the liberty to create another iTunes account. Therefore iPad purchases were not visible on my phone. So be sure to have the same accounts activated on your devices and iTunes. 
  Yet even further diagnostics may need to be explored as I'm still prompted to provide my password every time i open iBooks (as if the download is still pending). Kinda afraid to revert to factory settings over a small issue. In the coming update Apple should fix these problems altogether. Hope this helps!

• Solution to error: "The operation cannot complete because of an unknown error. [CANT]" ???

  Hi,
  I'm working with Adobe Illustrator CS3 for Mac and suddenly the software started to prompt "The operation cannot complete because of an unknown error. [CANT]". I deleted my prefs and the problem is still present.
  Some times the machine freezes after this error.
  I'm performing normal operations, nothing that requieres large amounts of memory or so.
  The problem only happens in Illustrator.
  Any possible solution?
  thanks in advance.

  I have a MacBook Pro 15" 2.2 GHz. My hard drive has 50% of free space (80GB free)
  It was defragmented 2 months ago. No reports from SMART or any issues with directory. (tested with Drive Genius and Disk Warrior)
  I read in several posts about problem with scratch discs. My system has only one partition.
  Hope this info might be helpful.

• SSL (https) set up in ABAP - pop-up Request Client Certificate

  Hi,
  We just configured SSL in ABAP. Accessing the website that the certificate is assigned to results in a pop-up appearing in IE7 that states:
  The website you want to view requests identification. Please choose a certificate, with a blank screen.
  Can the server be set so that it does not prompt for the client certificate?
  Thanks, Neeta

  You will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
  Hope that helps.
  J. Haynes

• ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

  Hello,
  Has anyone come across this error code before?  I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
  I setup 7925 phones for EAP-TLS using MIC.  I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication".  A Certificate Profile is configured matching Common Name and is added to the Identity Sequence.    I got some additional attribute information, where there is a error message:
  OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
  Anyone know what this error means?

  Yes,
  That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
  Installing the Authentication Server Root Certificate
  The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
  To install the certificate, follow these steps:
  Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
  Step 2 Go to the phone web page and choose Certificates.
  Step 3 Click Import next to the Authentication Server Root certificate.
  Step 4 Restart the phone.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• CS6 Spell check error: The operation cannot complete because of an unknown error [CANT]

  Hi Everyone,
  Has anyone else encountered this error when trying to spell check? Is there a way around it?

  Hey,
  I had the same problem any time I tried to open .svg files. I resaved the files as .eps and they opened without issue.

• ISE EAP SSL/TLS Tunneling Certificates

  Hi,
  I am working on an ISE implementation that is going to perform authentcation accross several domains using LDAP. The domains that I have in my environment are a production and pre-production/testing domains. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentcations. This means that when I try and authenticate a device that is not part of the production active directory (pre-production), using the seperate LDAP instance as an identity store, its attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...
  Authentication failed :
  12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  This is because the device built in pre-production does not have the production CA's as trusted entites. My question is, is it possible to define multiple certificates from seperate CA's for use for SSL/TLS tunneling?
  Cheers

  Hello,
  This error means that the supplicant does not trust the ISE PSN certificate.
  Resolution:
  Check whether the proper server certificate is installed and configured for EAP
  by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ).
  Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more
  information.

• Enabled SSL + TLS

  Hello all,
  I'm a beginner in JavaMail, I have several question, can I use following case:
  SMTP + TLS + Authentication
  SMTP + TLS + without Authentication
  SMTP + Authentication + without TLS
  and
  SMTP + SSL + TLS + Authentication
  SMTP + SSL + TLS + without Authentication
  SMTP + SSL + Authentication + without TLS
  Because I have the following code, it's correctly work for send a mail with returned Transporter, but no with SMTP only, SMTP + SSL, SMTP + SSL + TLS.
  I have the following exception for example:
  javax.mail.MessagingException: Exception reading response;
  nested exception is:
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  Can you give me use properties and means to correctly use SSL and TLS ?
  Great thank !
  Best regards
  Adryen
  public static Transport getConnectedTransportForSending(String smtpServer, String username, String password, SmtpServerType protocolSec) throws MessagingException {
    Session session = null;
    Boolean isWithAuth = (username != null && !username.equals("")) && (password != null && !password.equals(""));
    Properties props = new Properties();
       String prefixMailSmtp = "mail.smtp";
    if (SmtpServerType.SSL.equals(protocolSec)) {
    //prefixMailSmtp += "s";
    useSSL(props, prefixMailSmtp);
          // props.put("mail.transport.protocol", "smtps");
    props.put(prefixMailSmtp+".port", "587");
    } else if (SmtpServerType.SSLTLS.equals(protocolSec)) {
    //prefixMailSmtp += "s";
    useSSL(props, prefixMailSmtp);
    useTLS(props, prefixMailSmtp);
           //props.put("mail.transport.protocol", "smtps");
    props.put(prefixMailSmtp+".port", "587");
    } else if (SmtpServerType.TLS.equals(protocolSec)) {
    useTLS(props, prefixMailSmtp);
    //props.put("mail.transport.protocol", "smtp");
    props.put(prefixMailSmtp+".port", "25");
    } else {
    props.put(prefixMailSmtp+".port", "25");
    //props.put("mail.transport.protocol", "smtp");
    props.put(prefixMailSmtp+".socketFactory.fallback", "false");
    if (smtpServer != null) {
    props.put(prefixMailSmtp+".host", smtpServer);
    if (isWithAuth) {
    Authenticator auth = new ServerAuthenticator(username, password);
    props.put(prefixMailSmtp+".auth", "true");
    session = Session.getInstance(props, auth);
    } else {
    session = Session.getInstance(props, null);
    Transport transporter = session.getTransport("smtp");
    transporter.connect(smtpServer, username, password);
    return transporter;
    private static void useSSL(Properties props, String prefixMailSmtp){
    props.put(prefixMailSmtp+".socketFactory.port", "587");
    props.put(prefixMailSmtp+".socketFactory.class", "javax.net.ssl.SSLSocketFactory");
    props.put("mail.smtp.ssl.enable", "true");
    private static void useTLS(Properties props, String prefixMailSmtp){
    props.put(prefixMailSmtp+".starttls.enable", "true");
    public static class ServerAuthenticator extends Authenticator {
    private PasswordAuthentication authentication;
    public ServerAuthenticator(String username, String password) {
    authentication = new PasswordAuthentication(username, password);
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
    return authentication;

  You can simplify your code by getting rid of the socket factory stuff.
  If you connect using SSL to begin with, there's no need to use "TLS" (by which I assume you mean the STARTTLS command that switches a plain text connection to an SSL/TLS connection).
  And of course whether you're required to use SSL or required to use STARTTLS or required to authenticate depends entirely on the configuration of the mail server.

• "Operation cannot be completed because of an unknown error." [CANT]

  This started happening with my Illustrator CC - everytime I start the program, it has the error "OPERATION CANNOT BE COMPLETED BECAUSE OF AN UNKNOWN ERROR. [CANT]"
  Anyone else have this same issue?
  Have the 2014 Macbook Pro w Retina Display | Yosemite
  Any advice is greatly appreciated.
  Thanks!

  Did you migrate the application or do a clean install? The more recent Adobe products don"t do well with migration. Uninstall, run the cleaner tool and reinstall is the usual remedy.

• 2-way SSL and access control using the client certificate

  Hi,
  I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
  Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
  - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
  - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
  - Validate whether the client should be trusted (via the list in the trusted credentials)
  - Check whether the resource should be granted based on the "username".
  The on-line manual says
  "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
  "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
  So the questions I have are:
  - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
  - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
  Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
  - Without defining the security policy for the application, the debugging messages show that
  getRoles(): input arguments: subject:0
  Entitlement - <Role:Annonymous with expr:Grp(everyone)>
  Any suggestions? Thanks.

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• Set-IRMConfiguration failed with error "Cou ld not establish trust relationship for the SSL/TLS secure channel."

  Hi, experts 
  I'm trying to configure a lab environment according tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
  After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
  The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Cou
  ld not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-65
  94/_wmcs/certification/server.asmx.
      + CategoryInfo          : InvalidOperation: (:) [Set-IRMConfiguration], Exception
      + FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
  Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
  Results : Checking Exchange Server ...
                - PASS: Exchange Server is running in Enterprise.
            Loading IRM configuration ...
                - PASS: IRM configuration loaded successfully.
            Retrieving RMS Certification Uri ...
                - PASS: RMS Certification Uri: https://server1/_wmcs/certification.
            Verifying RMS version for https://server1/_wmcs/certification ...
                - WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
            hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
             or AD RMS on Windows Server 2008 R2.
            Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
            //server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was clos
            ed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authenticatio
            n.AuthenticationException: The remote certificate is invalid according to the validation procedure.
               at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest async
            Request, Exception exception)
               at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
            Request)
               at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
               at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
            Request)
               at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
               at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
            Request)
               at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
               at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequ
            est asyncRequest)
               at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
               at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Obje
            ct state)
               at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
               at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
               at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
               at System.Net.ConnectStream.WriteHeaders(Boolean async)
               --- End of inner exception stack trace ---
               at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
               at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
               at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
               at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
            uests)
               at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
               --- End of inner exception stack trace ---
               at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
               at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
            rviceType serviceType)
               at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
            OVERALL RESULT: PASS with warnings on disabled features
  From the error message, this issue seem to related with SSL/TLS connection. So I go back to check configuration and find out a difference to tutorial. Current SCP url is https://server1/_wmcs/certification, but in tutorial it is https://server1:433/_wmcs/certification.
  On my opinion, I don't think it is the real reason.
  So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
  System Info:
  Windows Server 2008 R2 + Exchange Server 2010 SP3 RTM

  Hi
  Please have a try with the solution on this KB article
  “Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
  http://support.microsoft.com/kb/954584/en-us
  Cheers
  Zi Feng
  TechNet Community Support

• EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

  Hello,
  I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
  The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
  While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
  Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
  What was done:
  - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
  - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
  - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
  What I can see while running a wireshark trace on freeradius is:
       - both parties negotiate properly that they will engage in EAP-TLS.
       - they  start the TLS handshake
       - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
       - Client (phone) never sends its certificate (MIC) to the server.
       - Client restarts EAP-TLS negotiation and goes on and on.
  Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
  Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
  Phone firmware is 9.2(3) and callmanager 8.6
  Thanks
  Gustavo Novais

  Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain