Dave
Wed May 07 13:55:22 PDT 2008
Have you checked eventid.net for that error?
http://eventid.net/display.asp?eventid=15&eventno=1397&source=AutoEnrollment&phase=1
"Noncentz" <Noncentz@discussions.microsoft.com> wrote in message
news:7673B7BF-6EFE-4CF1-BB23-D974C882A1A3@microsoft.com...
> I do not have ISA 2004 although I wish I had..... The autoenrollment error I
> get though "error 15"
>
> Automatic certificate enrollment for local system failed to contact the
> active directory (0x8007054b). The specified domain either does not exist or
> could not be contacted. Enrollment will not be performed.
>
> Which I've been told to be a DNS error although I've about ruled that out. All
> the test equipment I have is also connected to the wired LAN to receive the
> certificate then tested on wireless. I did read this error though
>
> -------------------------------------------------
> From a newsgroup post:
> "Based on my research, when you install a CA, on a machine that is running
> Windows 2003, it should automatically create a group called
> CERTSVC_DCOM_ACCESS and enroll all the domain controllers as members of this
> group. I suspect that this was not happening and hence the auto enrollment
> was failing. At this point, I suggest you run the following command on the
> problematic Windows 2003 Server:
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
> After this stop and start the certsvc service by using the following
> commands:
> net stop certsvc
> net start certsvc
> The steps above will create the group and then you can add the DCs as
> members of the group. If the group already exists, then simply add the DCs as
> members of the group".
> --------------------------------------------------
> So what I have done is to find that group and add my domain controllers to
> the group. But I can't quite test yet because I don't know how to force a
> machine to update its certification. I will let you know
>
> "Dave Nickason [SBS MVP]" wrote:
>
>> Do you have ISA 2004? If so, that's what's causing the auto enrollment
>> failures - you need to turn off strict RPC compliance in the system
>> policies.
>>
>> Have you tried booting these machines while connected to the wired network?
>> AFAIK you have to get the certificate enrolled once over wired before it
>> will work for wireless. What happens if you boot while connected to wired -
>> do you still get the auto enrollment error?
>>
>>
>> "Noncentz" <Noncentz@discussions.microsoft.com> wrote in message
>> news:7836297C-39E7-43B8-9C60-176574A64505@microsoft.com...
>> > I have checked a couple of user machines.. they have all failed autoenrollment
>> > but have the cert. Here is the common error that I get:
>> >
>> > Automatic certificate enrollment for local system failed to contact the
>> > active directory (0x8007054b). The specified domain either does not exist or
>> > could not be contacted.
>> > Enrollment will not be performed.
>> >
>> >
>> > "Dave Nickason [SBS MVP]" wrote:
>> >
>> >> When the client PC boots, does it log any auto enrollment errors in its
>> >> application log? I know you've verified the correct certificate is
>> >> installed, but that Guest thing is weird - not something I've seen before.
>> >>
>> >> Do you run ISA 2004? In its default configuration, that blocks certificate
>> >> auto enrollment. I'm pretty sure the fix for that is included in Owen's
>> >> white paper.
>> >>
>> >>
>> >> "Noncentz" <Noncentz@discussions.microsoft.com> wrote in message
>> >> news:ABB41361-90AD-4DBD-B72C-DF6BAB215D1B@microsoft.com...
>> >> > Dave,
>> >> >
>> >> > I turned both boxes on and I check my System Log and whammo.... nothing.
>> >> > Guess that means I'm not getting anything so it must be my client or router. I
>> >> > did get this error in the Application log though
>> >> >
>> >> > From IAS:
>> >> > The description for Event ID ( 2 ) in Source ( IAS ) cannot be found. The
>> >> > local computer may not have the necessary registry information or message DLL
>> >> > files to display messages from a remote computer. You may be able to use the
>> >> > /AUXSOURCE= flag to retrieve this description; see Help and Support for
>> >> > details. The following information is part of the event: %%2147483686,
>> >> > MCCOYSALES\Guest, 10.10.0.115, 001d7ea04513, 001d7ea04513, 001d604008fa,
>> >> > LinksysAP, 10.10.0.115, Wireless - IEEE 802.11, 50, Use Windows
>> >> > authentication for all users, %%2147483688, %%2147483685, %%2147483685, EAP,
>> >> > %%2147483685, 34, %%4130.
>> >> >
>> >> > The part I noticed was the "MCCOYSALES\Guest 10.10.0.115" which is my domain
>> >> > and AP but it's under guest, I don't really know why it would tag that AP with
>> >> > guest but ??? either way thanks for the quick reply, still dissecting the
>> >> > issue
>> >> >
>> >> > Noncentz
>> >> >
>> >> > "Dave Nickason [SBS MVP]" wrote:
>> >> >
>> >> >> Go into IAS and at the top left, r-click "Internet Authentication Service
>> >> >> (Local)" -> Properties. Check the two boxes to enable success and failure
>> >> >> logging. After a login attempt fails, check the System log on the SBS to
>> >> >> see if IAS logged the connection attempt. If so, you might get some help
>> >> >> from the log entry. If not, it's probably a configuration issue on the
>> >> >> client PC or the router.
>> >> >>
>> >> >> Everything needs to match exactly - for example, WPA and WPA2 are not
>> >> >> interchangeable, nor are TKIP and AES. I can't remember the details now,
>> >> >> but I had a WAP setting relating to security that appeared to match
>> >> >> everything else but did not. If you're following Owen's document exactly,
>> >> >> just make sure that everything is set to WPA, and to TKIP. If you have a
>> >> >> choice, you need WPA Enterprise, not WPA with PSK.
>> >> >>
>> >> >> Failing that, you could try updating the NIC drivers on the wireless client,
>> >> >> and also maybe trying a different wireless client or NIC. I've had some
>> >> >> weird authentication issues with Intel wireless NICs, sometimes helped by a
>> >> >> driver update, but I did have to replace one. You can try disabling all the
>> >> >> security to make sure the client can associate with the WAP, but I've had
>> >> >> one instance where it would connect without security but not with, and
>> >> >> that's the one where I had to replace the NIC.
>> >> >>
>> >> >>
>> >> >> "Noncentz" <Noncentz@discussions.microsoft.com> wrote in message
>> >> >> news:4E5A2561-E4C8-4AB5-9D27-CA8F92522140@microsoft.com...
>> >> >> > Morning,
>> >> >> >
>> >> >> > I am trying to configure a Cisco 1200AP and a Linksys WRT54G to work with
>> >> >> > certificates. I followed this guide to perfection that I was given earlier.
>> >> >> >
>> >> >> > http://home.comcast.net/~clearviewtc/
>> >> >> >
>> >> >> > It was a great guide and helped immensely with my implementation. I did the
>> >> >> > following:
>> >> >> >
>> >> >> > Installed and configured Certification Authority
>> >> >> > Installed Internet Auth Service
>> >> >> > Defined my RADIUS Clients and Access Policy for Wireless
>> >> >> > I created a wireless group and a wireless GPO
>> >> >> > GPO consisting of Autoenrollment for "Computer" Certificates
>> >> >> > I set my GPO so that it only authenticates Computer Certs / TKIP / WPA
>> >> >> > I can see on a client machine that the cert is there and it is the correct cert
>> >> >> >
>> >> >> > ---- But naturally when I go to connect to the Network with a client device
>> >> >> > I get no luck... just says Validating Identity -----
>> >> >> >
>> >> >> > I guess I'm frustrated because I can see where I went wrong on with this
>> >> >> > guide, I'm working with my Linksys now and still no luck, any good guides to
>> >> >> > PEAP maybe?
>> >> >> >
>> >> >> > Noncentz
>> >> >> >
>> >> >> > Any help would be greatly appreciated
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >>
>>
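
Added example, not part of the original thread: because the IAS message DLL did not resolve the Event ID 2 description, the quoted event arrives as a bare comma-separated list. This Python sketch classifies each field by its shape and flags a Guest identity. The sample is the event text from the thread re-joined onto one line; the function names are hypothetical, and field meaning is inferred from format only.

```python
import re

# Event text quoted in the thread, re-joined onto one line (quote markers removed).
SAMPLE_EVENT = (
    "The following information is part of the event: %%2147483686, "
    "MCCOYSALES\\Guest, 10.10.0.115, 001d7ea04513, 001d7ea04513, 001d604008fa, "
    "LinksysAP, 10.10.0.115, Wireless - IEEE 802.11, 50, "
    "Use Windows authentication for all users, %%2147483688, %%2147483685, "
    "%%2147483685, EAP, %%2147483685, 34, %%4130."
)

# Shape-based classifiers, checked in order; anything unmatched is plain text.
PATTERNS = [
    ("unresolved_message_id", re.compile(r"^%%\d+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("mac", re.compile(r"^[0-9a-fA-F]{12}$")),
    ("account", re.compile(r"^[^\\\s]+\\[^\\]+$")),  # DOMAIN\name
    ("number", re.compile(r"^\d+$")),
]

def split_fields(text):
    """Drop everything up to 'part of the event:' and split the comma list."""
    _, _, tail = text.partition("part of the event:")
    body = (tail or text).strip().rstrip(".")
    return [f.strip() for f in body.split(",") if f.strip()]

def classify(field):
    for name, rx in PATTERNS:
        if rx.match(field):
            return name
    return "text"

def triage(text):
    """Summarise one event: field kinds, accounts, MACs, Guest flag."""
    kinds = [(classify(f), f) for f in split_fields(text)]
    accounts = [f for k, f in kinds if k == "account"]
    return {
        "fields": kinds,
        "accounts": accounts,
        "guest_identity": any(a.split("\\")[-1].lower() == "guest" for a in accounts),
        "unresolved": sum(1 for k, _ in kinds if k == "unresolved_message_id"),
        "macs": sorted({f.lower() for k, f in kinds if k == "mac"}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(key, "=", value)
```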