802.1x on WMS 3.2

    #105356
    trtous
    Participant

    I need to implement 802.1x in our env. We are using WMS 3.2 and Wyse 3040 with ThinOS 9.1.2101. We would like to set up automatic cert. enrolment.
    We use an MS enterprise CA and SCEP server.

    I was studying @confgen Installation-and-configuration-of-MS-SCEP-and-ThinOS.pdf.

    Here is the problem. My application pool in IIS uses the account “scepserv”. This account also has rights to enroll certs on the CA server. I can log on to http://xxxxxx/CertSrv/mscep_admin/ with this account and password, and I can see the hash value of the CA and the password.
    I set up in wms:
    Request URL: xxxx/CertSrv/mscep/mscep.dll
    CA Certificate Hash Type: MD5
    CA Certificate Hash: 05AD70A1 7FAF8980 0DB635B0 C0F4A01E
    Enrollment Password: <empty>
    SCEP Administrator URL: https://xxxxxx/CertSrv/mscep_admin/
    Admin User: scepserv
    Admin User Password: ••••••••••••••••
    Admin User Domain: xxxxx.xx

    But cert.enrolment always fail with log: scep auto enroll failed: scep getting enrollment password request failed
    Also in the server’s sec. event log I see that the Wyse is authenticating but fails:
    Subject:
    Security ID: NULL SID
    Account Name: –
    Account Domain: –
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: scepserv
    Account Domain: xxx.xx
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
    Network Information:
    Workstation Name: WT6C2B5937F97F
    Source Network Address: 10.x.x.x
    Source Port: 34682

    I can interactively log to scep server with scepserv account.
    Am I missing something?
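To make the failure event above easier to read at scale (200 clients), here is an added example, not code from the original thread or from Dell/WMS, that parses the plain-text body of a Windows Security event 4625 and classifies the failure. The sample event is constructed from the one posted above (with the poster's redactions kept); the sub-status table comes from the Windows security-auditing documentation, and the hint text reflects what this thread later found (a DC policy refusing the client's NTLM variant shows up as a plain bad-password failure), so treat that hint as one possible cause, not a diagnosis.

```python
# Constructed sample: the failed-logon (Event ID 4625) text from the first post,
# with the site-specific values left as the poster redacted them.
SAMPLE_EVENT = """\
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: scepserv
Account Domain: xxx.xx
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Network Information:
Workstation Name: WT6C2B5937F97F
Source Network Address: 10.x.x.x
Source Port: 34682
"""

# NTSTATUS sub-status values documented for event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from an unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}

LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive", 11: "CachedInteractive"}


def parse_4625(text):
    """Parse the message body of a 4625 event into {'Section/Key': value}.
    Keys such as 'Account Name' occur twice (Subject and target), so the
    section header each one sits under is kept as a prefix."""
    section, fields = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # header line such as "Subject:"
            section = line[:-1]
            continue
        key, _, value = line.partition(":")
        fields[f"{section}/{key.strip()}"] = value.strip()
    return fields


def _find(fields, key):
    """Value of the first field whose key name (after the section) matches."""
    for full, value in fields.items():
        if full.split("/", 1)[1] == key:
            return value
    raise KeyError(key)


def classify(fields):
    """Summarise who failed, from where, how, and why."""
    status = int(_find(fields, "Status"), 16)
    sub = int(_find(fields, "Sub Status"), 16)
    logon_type = int(_find(fields, "Logon Type"))
    account = "{}\\{}".format(
        fields["Account For Which Logon Failed/Account Domain"],
        fields["Account For Which Logon Failed/Account Name"])
    result = {
        "account": account,
        "source": f'{_find(fields, "Workstation Name")} '
                  f'({_find(fields, "Source Network Address")})',
        "logon_type": LOGON_TYPE.get(logon_type, str(logon_type)),
        "status": status,
        "substatus": sub,
        "reason": SUBSTATUS.get(sub, "unknown sub status"),
        "hint": "",
    }
    # A Network logon failing as "bad password" for an account whose password
    # is known to be good is the pattern this thread hit: the DC's LAN Manager
    # authentication level refused the NTLM variant the client sent, and the
    # refusal surfaced as 0xC000006A rather than as a policy error.
    if sub == 0xC000006A and logon_type == 3:
        result["hint"] = ("verify the stored password, then check the DC's "
                          "'LAN Manager authentication level' against the "
                          "NTLM version the client can send")
    return result


if __name__ == "__main__":
    for k, v in classify(parse_4625(SAMPLE_EVENT)).items():
        print(f"{k:11}: {v}")
```

Once a client does authenticate, the matching 4624 success event carries a "Package Name (NTLM only)" field that states NTLM V1 or NTLM V2, which is the quickest way to confirm what version a non-Windows client such as ThinOS actually sends.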

    #105357
    ConfGen
    Keymaster

    Try to use http instead of https for the Admin URL.

    CG

    #105359
    trtous
    Participant

    No luck with http only, same error in log. When I do it manually from wyse, after inserting the challenge password, wyse gets a certificate and everything looks good. But this is not the option as I need it for 200 wyses located all over the country.
    I wonder if this negotiation is in NTLM v1 or v2, because our domain controllers accept only v2.

    #105406
    trtous
    Participant

    OK, I found a solution. The problem was NTLM v1/v2 as I mentioned. We have in GPO:

    Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM.

    After setting it to “Send NTLMv2 response only. Refuse LM” authentication passes and the Wyse’s cert. was obtained.

    BTW it was also functional with https for the Admin URL.
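The change above (policy level 5 to level 4) works because of what each LAN Manager authentication level makes a domain controller accept. As an added example, not from the original thread or from Microsoft, the block below encodes the documented meaning of each LmCompatibilityLevel value, checks which levels a given client can authenticate against, and finds the strictest level that still admits it. It assumes, as the thread's outcome implies, that the ThinOS client sends only an NTLM (v1) response; the registry read is a convenience for running it on a Windows host and returns None elsewhere.

```python
# Values of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, the
# GPO text for each, the responses a client at that level sends, and the
# responses a domain controller at that level accepts (Microsoft's
# "Network security: LAN Manager authentication level" documentation).
LEVELS = {
    0: ("Send LM & NTLM responses",
        {"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),
    1: ("Send LM & NTLM - use NTLMv2 session security if negotiated",
        {"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),
    2: ("Send NTLM response only",
        {"NTLM"}, {"LM", "NTLM", "NTLMv2"}),
    3: ("Send NTLMv2 response only",
        {"NTLMv2"}, {"LM", "NTLM", "NTLMv2"}),
    4: ("Send NTLMv2 response only. Refuse LM",
        {"NTLMv2"}, {"NTLM", "NTLMv2"}),
    5: ("Send NTLMv2 response only. Refuse LM & NTLM",
        {"NTLMv2"}, {"NTLMv2"}),
}


def server_accepts(level, client_responses):
    """True if a DC at `level` accepts at least one response the client can send."""
    return bool(LEVELS[level][2] & set(client_responses))


def diagnose(level, client_responses):
    """Explain whether a client limited to `client_responses` (e.g. {"NTLM"}
    for an NTLMv1-only client, as assumed for ThinOS here) can authenticate
    against a DC configured at `level`."""
    name, _, accepted = LEVELS[level]
    ok = server_accepts(level, client_responses)
    usable = sorted(accepted & set(client_responses))
    if ok:
        text = f"level {level} ({name}) accepts {', '.join(usable)} from this client"
    else:
        text = (f"level {level} ({name}) refuses every response this client "
                f"can send ({', '.join(sorted(client_responses))}); this thread "
                f"saw that logged as a 4625 with sub status 0xC000006A")
    return ok, text


def strictest_level_for(client_responses):
    """Highest (most restrictive) level that still accepts the client, or None.
    The thread's move from 5 to 4 is exactly this for an NTLMv1-only client."""
    for level in sorted(LEVELS, reverse=True):
        if server_accepts(level, client_responses):
            return level
    return None


def read_local_level():
    """Value configured on this Windows host; None off Windows or when the
    value is absent (the OS default then applies)."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
            return winreg.QueryValueEx(key, "LmCompatibilityLevel")[0]
    except (ImportError, OSError):
        return None


if __name__ == "__main__":
    thin_client = {"NTLM"}                 # assumed: sends NTLMv1 only
    for lvl in (5, 4):
        print(diagnose(lvl, thin_client)[1])
    print("strictest level that still works:", strictest_level_for(thin_client))
    print("local LmCompatibilityLevel:", read_local_level())
```

The trade-off worth seeing in the output: level 4 admits the thin clients, but it does so by letting the domain controller accept NTLMv1 from every client in the domain, not just these 200. Before settling on it, check whether the client can be configured to send NTLMv2 (the 4624 "Package Name (NTLM only)" field shows what it actually sends), and consider the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy so the remaining NTLMv1 users are visible in the NTLM operational log.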


    #105459
    ConfGen
    Keymaster

    Thanks for the update

    CG
