Deploying IPsec
Mikdilly
Member Posts: 309
Another one from the MS Press book. The exercise has you configuring Certificate Services for IPsec authentication: opening the Certificates snap-in for the computer account on the local computer, expanding Certificates, right-clicking Personal and choosing Request New Certificate. In the Certificate Request Wizard, on the Certificate Types page, you are supposed to select IPSec, but it isn't listed; the only options are Directory Email Replication, Domain Controller, and Domain Controller Authentication.
Why doesn't IPsec show up in the list?
Comments
Psoasman
Member Posts: 2,687
I believe you need to add the template. You would right-click the Certificate Templates folder, then choose New Template to Issue, then select IPSec. This should add the IPSec template to your list of available templates to choose from.
Mikdilly
Member Posts: 309
Thanks, will try this.

Mikdilly
Member Posts: 309
Sorry, my fault, I missed a section of the exercise that covered exactly what you described in your post. Now, further on in the exercise, when you are configuring the IPsec policy in the GPO, on the 'Default response rule authentication method' page you are to click 'Use a certificate from this CA'. Click Browse; after clicking Browse I get:
Active Directory does not contain a shared certificate store...
Do you want to select a CA from the certificate store on the local computer?
If I select Yes and finish the rest of the steps, I can't establish a connection between the 2 computers; negotiation failures in IPsec Monitor increase, and Event Viewer shows an event ID 547 with failure reason:
IKE failed to find valid machine certificate
Is this caused by not having a shared certificate store in AD?
Psoasman
Member Posts: 2,687
Uncheck 'Use the default response rule'; this will force the computer to negotiate IPSec before any connections can be made.
Mikdilly
Member Posts: 309
I'd like to leave the options the same as they are specified in the exercise, which is to leave it selected.
Further on in the exercise I get an error when enrolling the client by using the Certificates snap-in:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
The error comes up after clicking finish on the steps below.
1. Open a blank Microsoft Management Console (MMC) console, and then add the Certificates snap-in. When prompted to select the account, select Computer Account, and then select Local Computer.
2. Expand Certificates. Right-click Personal, click All Tasks, and then click Request New Certificate. The Certificate Request Wizard appears.
3. Click Next. On the Certificate Types page, click IPSec.
4. Click Next twice, and then click Finish.
Searching for the error led me to
Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"
but it describes this error happening in 2003 SP1; I have SP2 on both the CA server and the client. Could this error still occur in SP2?
Mikdilly
Member Posts: 309
Both the CA and the client are domain controllers. I got rid of the error by adding the Domain Controllers group to CERTSVC_DCOM_ACCESS; it might have saved a headache or two had the book mentioned this.
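Pulling the thread's three pieces together in one script, as an added example that is not part of the thread or the MS Press exercise: publishing the IPSec template on the CA (Psoasman's first reply), the CERTSVC_DCOM_ACCESS membership fix from the last post, and the book's "Request New Certificate" steps done with certreq instead of the wizard, followed by the checks IKE cares about when it logs event 547. It assumes PowerShell is installed on the Windows Server 2003 CA, an elevated prompt on the DC, and placeholder names (the CA config string CONTOSO-DC1\Contoso-CA, the domain CONTOSO, the working directory and file names); the work is done by certutil, certreq, net and netsh, which ship with the OS. The net localgroup step assumes that command can manage the domain local CERTSVC_DCOM_ACCESS group on a DC; if it cannot, add the group in Active Directory Users and Computers as the KB article describes.

```powershell
# Added example, not from the thread or the MS Press exercise.
# All names below are placeholders: replace them with your own.
$CAConfig   = 'CONTOSO-DC1\Contoso-CA'                       # assumption: CAHost\CAName
$Domain     = 'CONTOSO'                                      # assumption: NetBIOS domain name
$ClientFqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()  # this machine's FQDN
$WorkDir    = Join-Path $env:TEMP 'ipsec-enroll'             # assumption: scratch directory
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# --- 1. Publish the IPSec template on the CA ---------------------------------
# The template shown as "IPSec" in the GUI has the internal name
# IPSECIntermediateOnline ("IPSec (Offline request)" is IPSECIntermediateOffline).
# -SetCATemplates + does what "New > Certificate Template to Issue" does; until
# it is published the template never appears in the Certificate Request Wizard.
$issued = certutil -config $CAConfig -CATemplates
if ($issued -notmatch 'IPSECIntermediateOnline') {
    certutil -config $CAConfig -SetCATemplates '+IPSECIntermediateOnline'
    if ($LASTEXITCODE -ne 0) { throw 'Could not publish IPSECIntermediateOnline on the CA' }
}

# --- 2. Let domain controllers talk DCOM to the CA ---------------------------
# On a CA that runs on a DC, CERTSVC_DCOM_ACCESS is a domain local group. A DC's
# computer account is a member of Domain Controllers, not Domain Computers, so a
# DC enrolling as a client is refused and the wizard shows its generic
# "no trusted CAs / no permissions" text. Adding Domain Controllers fixes that.
$members = net localgroup CERTSVC_DCOM_ACCESS
if ($members -notmatch 'Domain Controllers') {
    net localgroup CERTSVC_DCOM_ACCESS "$Domain\Domain Controllers" /add
    if ($LASTEXITCODE -ne 0) { throw 'Could not add Domain Controllers to CERTSVC_DCOM_ACCESS' }
}

# --- 3. Enroll this computer for an IPSec certificate without the wizard -----
# Same result as Certificates (Local Computer) > Personal > Request New
# Certificate, but certreq reports the CA's actual error instead of the
# wizard's three-line guess. MachineKeySet puts the key where IKE can use it;
# KeySpec=1 (AT_KEYEXCHANGE) is what the IPSec template expects.
$inf = Join-Path $WorkDir 'ipsec.inf'
$req = Join-Path $WorkDir 'ipsec.req'
$cer = Join-Path $WorkDir 'ipsec.cer'
@"
[NewRequest]
Subject = "CN=$ClientFqdn"
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyLength = 1024
[RequestAttributes]
CertificateTemplate = IPSECIntermediateOnline
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed (key generation or INF syntax)' }
certreq -submit -config $CAConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw 'Submission refused: check CERTSVC_DCOM_ACCESS and the template Enroll permission' }
certreq -accept $cer          # installs the cert into the machine Personal store and binds the key
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed (issued cert does not match the pending request)' }

# --- 4. Check what IKE checks before it logs event 547 ------------------------
# "IKE failed to find valid machine certificate" means the machine Personal
# store has no cert with a private key that chains to a root trusted by the
# computer and was issued by the CA named in the policy. Verify both halves.
certutil -verifystore My
if ($LASTEXITCODE -ne 0) { Write-Warning 'A certificate in the machine Personal store does not verify' }
certutil -verify $cer         # builds the chain against the machine Trusted Root store
if ($LASTEXITCODE -ne 0) { throw 'Issued certificate does not chain to a trusted root on this computer' }

# Negotiation counters from the command line, the same numbers IP Security
# Monitor shows as negotiation failures.
netsh ipsec dynamic show stats
```

Run it on the client DC with the CA's config string filled in; step 1 and step 2 are harmless to repeat, and steps 3 and 4 will stop at the first refusal with a message that says which side (DCOM access, template permission, or chain building) is at fault. The script does not touch the GPO side, so the "Active Directory does not contain a shared certificate store" prompt still has to be answered in the policy wizard as described in the thread.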