"Thomas K" < XXXX@XXXXX.COM > wrote in
Hi Thomas --
Well if you configure clients so that they do not authenticate the IAS
server, it sort of defeats a lot of the purpose and security advantages of
deploying PEAP, so I couldn't really recommend that approach.
I think the first thing I would try is to examine the Globalsign
certificate and try to identify if or why it is not meeting the minimum
server certificate requirements for IAS. (I think you are already aware of
these from previous posts, but just in case you aren't, you can find the
requirements in the IAS Help topic "Network access authentication and
certificates," which is also on the Web at
To check whether the Globalsign cert is usable by IAS, just go into the
remote access policy profile, and check the properties on the
Authentication tab. If the Globalsign cert is correctly configured, IAS
will have selected it by default to use with this remote access policy. (If
it is not there, then it is either in the wrong certificate store or it is
misconfigured. Make sure it is in the Local Computer store. If you find it
elsewhere, don't drag and drop it to the right place, export it and then
import it. Drag and drop, if you do that, will look like it works, but it
doesn't -- the private keys are not moved when you drag and drop.)
In short, to see if the cert is misconfigured for IAS server
authentication, make sure the cert has the Server Authentication purpose in
Enhanced Key Usage extensions.
In Subject name format, there should be a value other than None.
Also verify that the server certificate is configured with a required
cryptographic service provider (CSP) value of Microsoft RSA SChannel
In addition, if the cert uses the Subject Alternative Name (SubjectAltName)
extension, it must contain the FQDN of the IAS server.
With PEAP and EAP-TLS, IAS servers display a list of all installed
certificates in the computer's certificate store, with the following exceptions:
-Certificates that do not contain the Server Authentication purpose in EKU
extensions are not displayed.
-Certificates that do not contain a Subject name are not displayed.
-Servers do not display registry-based and smart card-logon certificates.
If there is a problem with the cert, I would then contact Globalsign and
see if they can revoke your customer's current cert and issue a new one
that meets the IAS requirements.
I will be offline for two weeks so if you post again during that time
period I will respond when I return. (Maybe one of the other guys can help
Good luck Thomas!
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
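The checks James walks through above (private key present in the Local Computer store, Server Authentication EKU, non-empty Subject, SAN carrying the IAS FQDN, Microsoft RSA SChannel CSP) can be run against the whole store at once. This is an added example, not code from the original post or from Microsoft; `$IasFqdn` is an assumed placeholder and the SAN parsing assumes the English "DNS Name=" display text.

```powershell
# Added example, not from the original post: audit the Local Computer personal
# store against the IAS/PEAP server-certificate rules described above.
# $IasFqdn is an assumed value; set it to the real FQDN of the IAS server.
param([string]$IasFqdn = 'ias01.example.com')

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-IasServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Fqdn)
    $problems = New-Object System.Collections.Generic.List[string]

    # Private key must be present in the Local Computer store; a drag-and-drop
    # between stores copies only the public certificate.
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key (export and import, do not drag and drop)') }

    # EKU must contain Server Authentication; IAS hides certificates without it.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    if (-not $hasServerAuth) { $problems.Add('EKU lacks Server Authentication') }

    # Subject must not be empty (a Subject name format of None is rejected).
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems.Add('empty Subject') }

    # If a SAN extension exists it must carry the IAS server FQDN.
    # Assumes the English "DNS Name=" text produced by Format().
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san -and ($san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Fqdn))(,|$)")) {
        $problems.Add("SAN present but does not contain $Fqdn")
    }

    # Key should live in the Microsoft RSA SChannel CSP (legacy CSP keys only;
    # CNG keys expose no CspKeyContainerInfo through PrivateKey here).
    try {
        $csp = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
        if ($csp -and $csp -notlike 'Microsoft RSA SChannel*') { $problems.Add("CSP is '$csp'") }
    } catch { $problems.Add('could not read CSP (key may be CNG rather than a legacy CSP)') }

    [pscustomobject]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        UsableByIAS = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IasServerCertificate -Cert $_ -Fqdn $IasFqdn } |
    Format-Table -AutoSize
```

A certificate that shows UsableByIAS = True here should be the one IAS pre-selects on the Authentication tab of the remote access policy profile; anything else lists the specific requirement it misses.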