Windows Server 2008 R2 Thread, Lets talk certificates (HELP!) in Technical
  1. #1

    Little-Miss

    Lets talk certificates (HELP!)

    I'm currently having issues with Netbooks connecting to our wireless system (Ruckus, Radius etc). The error is about Authenticating. Ruckus - Laptop repeatedly fails authentication when joining WLAN

    It runs from my 2k8 server. After some digging around, it came to my attention that the day the netbooks stopped connecting was the day that a certificate on that server expired. So I've spent all day yesterday playing with certificates...this is the first time I've ever had any dealings with them.

    I've renewed the cert I thought was causing the issue, but there's still an error:

    Active Directory Certificate Services could not process request 124 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437). The request was for CN=CURRICSVR2.harborne.pri.
    In the failed requests folder Request 124 is "A required certificate is not within its validity period......" "Error verifying Request Signature or Signing Certificate"

    Now I've found a certificate that has expired, but when I try to renew it I get told that "The permissions on the certificate template do not allow the current user to enroll for this type of certificate" Enroll?

    Also noticed that in the Enterprise PKI it's complaining that it can't find the #2 location for AIA, DeltaCRL and CDP.

    Anyone got any pointers?
    Last edited by Little-Miss; 4th October 2013 at 09:12 AM.

  2. #2

    Steve21

    One thing to have a quick check on, when you're trying to renew the cert have you got permissions (Read/Enroll) directly on the certificate template? As I'm pretty sure it uses user permissions, not computer ones by default.

    Steve

  4. #3

    Little-Miss

    Ok, that moved me on but now the next error is ADEP.jpg

  5. #4

    Steve21

    I may be being stupid, but isn't that because it's already expired? Thought you had to create a new one when it expired, you could only renew an already running one.

    Edit - Lemme see -

    Renew an Existing Certificate Wizard Page

    You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.
    Unless there's any workarounds?

    Steve

  7. #5

    mac_shinobi

    Thanks for the input @Steve21 - not that this helps but made me giggle a bit (in that 2nd screen grab where it has Status: Request Denied)

  8. #6

    Little-Miss

    Oh ok...not stupid at all! I haven't got a clue.

    So when creating a new certificate, what's the deal with the Subject?

  9. #7

    Steve21

    As in the -n part, subject name? Effectively just a name, but needs to conform to some silly standard. (Or did you mean subjectkey etc etc?)

    Steve

  10. #8

    Little-Miss

    When trying to create a new one, it says it wants a subject name.

    There's a drop down with options such as Full DN, Common name etc. I did notice that in the error above it was searching for CN=CURRICSVR2.harborne.pri.

    Sorry if this seems a bit obvious to people, I've never had to deal with certs before...

  11. #9

    X-13

    Quote: Originally posted by Little-Miss
    "Sorry if this seems a bit obvious to people, I've never had to deal with certs before..."
    Do you know who set it up last time? It might be worth getting on to them and seeing what they say.

  12. #10

    Little-Miss

    Money, money, money.....

    Yeah, I'm with you there....plans are being made.

  13. #11

    Steve21

    Generally you name the certificates (the -n part is if you're doing it command line, not wizard) (common convention is starting it with CN=), but it can be anything depending on how many certs you want to make tbh.

    Could be "CN=myWirelessCert", or -n "CN=ServerName" etc etc. Just if like us you like 9milllllllion certs, it's better to name it something different. If you're only running 1/2, doesn't really matter.

    Steve

  15. #12

    Little-Miss

    Just in case someone stumbles across this with a similar issue. I was pretty close to sorting it, the guy (kindly) said that he only found the issue through experience of using Certs.

    Even though the server had the new certificate, it bound itself to the wrong one. One that doesn't include client authentication as one of its roles. I think it was under the Radius authentication settings.

    He swapped it for the other and ta-dah all my Netbooks connected as soon as they were switched on

    Gotta love IT...
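
A read-only check for the situation this thread describes, added here as an example and not posted by any participant: it lists every certificate in the server's computer store with its validity state, private-key presence and Enhanced Key Usages, so the certificate selected in the RADIUS authentication settings can be compared against one that is still valid. It assumes the certificates are in Cert:\LocalMachine\My and uses only calls available in PowerShell 2.0 on Server 2008 R2.

```powershell
# Added example: read-only audit of the computer certificate store.
$now        = Get-Date
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs; a certificate may carry no EKU extension at all.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Classify against the current system clock, as the CA does on renewal.
    if     ($now -lt $cert.NotBefore) { $state = 'NotYetValid' }
    elseif ($now -gt $cert.NotAfter)  { $state = 'Expired' }
    else                              { $state = 'Valid' }

    New-Object PSObject -Property @{
        State      = $state
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
        PrivateKey = $cert.HasPrivateKey
        ServerAuth = ($ekuOids -contains $serverAuth)
        ClientAuth = ($ekuOids -contains $clientAuth)
        NoEku      = ($ekuOids.Count -eq 0)
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
    }
}

# Oldest expiry first, so expired and soon-to-expire certificates lead the list.
$report | Sort-Object NotAfter |
    Select-Object State, NotAfter, DaysLeft, PrivateKey, ServerAuth, ClientAuth, NoEku, Thumbprint, Subject |
    Format-Table -AutoSize -Wrap
```

A row that shows Expired, has no private key, or lacks the expected EKU is a candidate for the kind of wrong binding described in the last post.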
