Windows Server 2008 R2 Thread, Lets talk certificates (HELP!) in Technical
4th October 2013, 10:07 AM #1
Lets talk certificates (HELP!)
I'm currently having issues with Netbooks connecting to our wireless system (Ruckus, Radius etc). The error is about Authenticating. Ruckus - Laptop repeatedly fails authentication when joining WLAN
It runs from my 2k8 server. After some digging around, it came to my attention that the day the netbooks stopped connecting was the day that a certificate on that server expired. So I've spent all day yesterday playing with certificates... this is the first time I've ever had any dealings with them.
I've renewed the cert I thought was causing the issue, but there's still an error:
In the failed requests folder Request 124 is "A required certificate is not within its validity period......" "Error verifying Request Signature or Signing Certificate"
Active Directory Certificate Services could not process request 124 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437). The request was for CN=CURRICSVR2.harborne.pri.
Now I've found a certificate that has expired but when I try to renew it I get told that "The permissions on the certificate template do not allow the current user to enroll for this type of certificate" Enroll?
Also noticed that in the Enterprise PKI it's complaining that it can't find the #2 location for AIA, DeltaCRL and CDP.
Anyone got any pointers?
Last edited by Little-Miss; 4th October 2013 at 10:12 AM.
4th October 2013, 10:11 AM #2
One thing to have a quick check on, when you're trying to renew the cert have you got permissions (Read/Enroll) directly on the certificate template? As I'm pretty sure it uses user permissions, not computer ones by default.
4th October 2013, 10:37 AM #3
Ok, that moved me on but now the next error is ADEP.jpg
4th October 2013, 10:43 AM #4
I may be being stupid, but isn't that because it's already expired? Thought you had to create a new one when it expired, you could only renew an already running one.
Edit - Lemme see -
Renew an Existing Certificate Wizard Page
Unless there's any workarounds?
You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.
4th October 2013, 10:55 AM #5
Thanks for the input @Steve21 - not that this helps but made me giggle a bit ( in that 2nd screen grab where it has Status : Request Denied )
4th October 2013, 10:58 AM #6
Oh ok...not stupid at all! I haven't got a clue.
So when creating a new certificate, what's the deal with the Subject?
4th October 2013, 11:15 AM #7
As in the -n part, subject name? Effectively just a name, but needs to conform to some silly standard. (Or did you mean subjectkey etc etc?)
4th October 2013, 11:18 AM #8
When trying to create a new one, it says it wants a subject name.
There's a drop down with options such as Full DN, Common name etc. I did notice that in the error above it was searching for CN=CURRICSVR2.harborne.pri.
Sorry if this seems a bit obvious to people, I've never had to deal with certs before...
4th October 2013, 11:24 AM #9
Do you know who set it up last time? It might be worth getting on to them and seeing what they say.
4th October 2013, 11:26 AM #10
Money, money, money.....
Yeah, I'm with you there....plans are being made.
4th October 2013, 11:28 AM #11
Generally you name the certificates (the -n part is if you're doing it command line, not wizard) (common convention is starting it with CN=), but it can be anything depending on how many certs you want to make tbh.
Could be "CN=myWirelessCert", or -n "CN=ServerName" etc etc. Just if like us you like 9milllllllion certs, it's better to name it something different. If you're only running 1/2, doesn't really matter.
9th October 2013, 11:57 PM #12
Just in case someone stumbles across this with a similar issue. I was pretty close to sorting it, the guy (kindly) said that he only found the issue through experience of using Certs.
Even though the server had the new certificate, it bound itself to the wrong one. One that doesn't include client authentication as one of its roles. I think it was under the Radius authentication settings.
He swapped it for the other and ta-dah all my Netbooks connected as soon as they were switched on
Gotta love IT...
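The two checks this thread ended up needing (has the certificate expired, and which authentication roles does it carry), as an added PowerShell example that is not part of the original posts. The function name `Get-CertAuthReport` and its parameters are made up for illustration; it reads the local computer's Personal store and uses only .NET certificate classes, so it also runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: list every certificate in the computer's Personal store with
# its validity status and whether it carries the Server/Client Authentication
# enhanced key usages (EKUs). Function and parameter names are hypothetical.
function Get-CertAuthReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30          # flag certificates expiring within this window
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Pull the EKU extension, if the certificate has one.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # Classify against the current system clock, which is what the CA
        # error quoted in the thread is comparing against.
        if     ($cert.NotAfter  -lt $now)                    { $status = 'Expired' }
        elseif ($cert.NotBefore -gt $now)                    { $status = 'NotYetValid' }
        elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
        else                                                 { $status = 'Valid' }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Status        = $status
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = ($oids -contains $serverAuthOid)
            ClientAuth    = ($oids -contains $clientAuthOid)
            # A certificate with no EKU extension is not restricted to any purpose.
            NoEkuLimit    = (-not $ekuExt)
        }
    }
}

Get-CertAuthReport |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter, Status, HasPrivateKey, ServerAuth, ClientAuth, NoEkuLimit |
    Format-Table -AutoSize
```

Compare the thumbprint of the certificate selected in the RADIUS authentication settings with this list; if several certificates share the same subject, the thumbprint is what tells the renewed one from the old one.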