Tagged: 802.1x
This topic has 4 replies, 2 voices, and was last updated 2 years, 11 months ago by ConfGen.
May 13, 2021 at 2:23 pm #105356
I need to implement 802.1x in our env. We are using WMS 3.2 and Wyse 3040 with ThinOS 9.1.2101. We would like to set up automatic cert. enrolment.
We use MS enterprise CA and SCEP server. I was studying @confgen Installation-and-configuration-of-MS-SCEP-and-ThinOS.pdf.
Here is the problem. My application pool in IIS uses account "scepserv". This account also has rights to enroll certs on the CA server. I can log on to http://xxxxxx/CertSrv/mscep_admin/ with this account and password and I can see the hash value of the CA and the password.
I set up in WMS:
Request URL: xxxx/CertSrv/mscep/mscep.dll
CA Certificate Hash Type: MD5
CA Certificate Hash: 05AD70A1 7FAF8980 0DB635B0 C0F4A01E
Enrollment Password: <empty>
SCEP Administrator URL: https://xxxxxx/CertSrv/mscep_admin/
Admin User: scepserv
Admin User Password: ••••••••••••••••
Admin User Domain: xxxxx.xx
But cert. enrolment always fails with log: scep auto enroll failed: scep getting enrollment password request failed
Also in the server's security event log I see that the Wyse is authenticating but failed:
Subject:
Security ID: NULL SID
Account Name: –
Account Domain: –
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: scepserv
Account Domain: xxx.xx
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Network Information:
Workstation Name: WT6C2B5937F97F
Source Network Address: 10.x.x.x
Source Port: 34682
I can interactively log on to the SCEP server with the scepserv account.
Am I missing something?
May 13, 2021 at 3:05 pm #105357
Try to use http instead of https for the Admin URL.
CG
May 13, 2021 at 4:16 pm #105359
No luck with http only, same error in log. When I do it manually from the Wyse, after inserting the challenge password, the Wyse gets a certificate and everything looks good. But this is not an option as I need it for 200 Wyses located all over the country.
I wonder if this negotiation is in NTLM v1 or v2. Because our domain controllers accept only v2.
May 19, 2021 at 11:41 am #105406
Ok, I found a solution. The problem was NTLM v1/v2 as I mentioned. We have in GPO:
Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM.
After setting it to "Send NTLMv2 response only. Refuse LM" authentication passes and the Wyse's cert. was obtained.
BTW it was also functional with https for the Admin URL.
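Added example (not part of the thread, and not Dell's or ConfGen's code): the two GPO strings in the post above correspond to the `LmCompatibilityLevel` values 5 ("Refuse LM & NTLM") and 4 ("Refuse LM") under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; moving from 5 to 4 means the domain controllers accept NTLMv1 responses again, which is what lets the thin client's request to mscep_admin succeed. The script below reads the effective level on the host it runs on and pulls the 4625 failures with SubStatus 0xC000006A for one workstation name, reporting the LM package name so you can see whether the client is actually sending NTLM V1. The workstation name and the 24-hour window are assumptions taken from the event in the first post; run it as an administrator on the NDES/SCEP host or a domain controller.

```powershell
# Added example: audit LAN Manager authentication level and list NTLM logon
# failures for one workstation. Not code from the thread or from Dell/ConfGen.

# Mapping of LmCompatibilityLevel registry values to the GPO display strings.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # The GPO "Network security: LAN Manager authentication level" writes this value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Assumption for this example: no explicit value means the OS default of 3
        # (Windows 7 / Server 2008 R2 and later).
        $value = 3
    }
    [pscustomobject]@{
        Level       = [int]$value
        Meaning     = $LmLevelNames[[int]$value]
        AcceptsNTLMv1 = ([int]$value -lt 5)   # level 5 is the only one that refuses NTLMv1 server-side
    }
}

function Get-NtlmLogonFailures {
    param(
        [Parameter(Mandatory)][string]$Workstation,   # e.g. 'WT6C2B5937F97F' from the thread's event
        [int]$Hours = 24
    )
    $ms = $Hours * 3600 * 1000
    # 4625 with SubStatus 0xC000006A ("bad password") from the given workstation.
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[Data[@Name='SubStatus']='0xc000006a']]
      and *[EventData[Data[@Name='WorkstationName']='$Workstation']]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML by field name rather than relying on Properties[] order.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Account       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation   = $data['WorkstationName']
            SourceAddress = $data['IpAddress']
            AuthPackage   = $data['AuthenticationPackageName']
            LmPackage     = $data['LmPackageName']   # "NTLM V1" / "NTLM V2" when recorded, "-" otherwise
            Status        = $data['Status']
            SubStatus     = $data['SubStatus']
        }
    }
}

# Usage (values from the thread's event, assumed):
Get-LmCompatibilityLevel | Format-List
Get-NtlmLogonFailures -Workstation 'WT6C2B5937F97F' -Hours 24 | Format-Table -AutoSize
```

The level is read from the local machine, so run it on the domain controllers to see the policy that actually accepted or refused the thin client, and on the NDES host for the IIS side. If you apply the level-4 setting as the thread does, scope that GPO to the domain controllers that serve the SCEP host rather than the whole domain, since it re-enables NTLMv1 for every client they authenticate.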
May 24, 2021 at 1:42 pm #105459
Thanks for the update
CG