Hi Thiebault,

You saved me. AGAIN! :-) That was the clue: not including the email in the DN (just saying no in TinyCA) was the first step to the solution. XP SP3 then took the cert for auth.

@Ivan: Thanks for your reply, but it's not a TinyCA issue.


The second step was that 2000/XP <= SP2 converted the computer name to lowercase (mine are uppercase), so I had all entries in the users file in lowercase. SP3 sends the computer name in uppercase (also in the client cert).

So after your hint I got

Mon Jan 26 13:29:11 2009 : Auth: Login incorrect: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)

showing that XP accepted the cert. After changing the hostname to uppercase in the users file I got:

Mon Jan 26 13:49:20 2009 : Auth: Login OK: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)

And of course don't forget to assign the right profile XML to the LAN adapter for machine-based auth.
Your CA cert's DN includes the emailAddress, though this was not exactly the issue I had (mine was related to the client certs), I would recommend not adding this emailAddress to the DN and test again.

Thanks!

cu
Alex (who hates Microsoft for changing important things silently)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
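
Added example, not part of the original message or of FreeRADIUS: a small check that reads radius.log text and a users file and reports rejected logins whose name matches a users file entry only when case is ignored, which is the mismatch described above. The two dated 13:xx log lines are the ones quoted in the message; the users file content and the third log line are constructed, and the function names are hypothetical.

```python
import re

# Matches the "Auth: Login OK/incorrect: [name]" lines quoted in the message.
LOG_RE = re.compile(r"Auth: Login (OK|incorrect)[^\[]*\[([^\]]+)\]")

# Constructed users file: entry names start in column 0, reply items are indented.
SAMPLE_USERS = """\
# machine accounts (constructed sample)
host/hfs-pa-140109-1 Auth-Type := EAP
DEFAULT Auth-Type := Reject
"""

SAMPLE_LOG = """\
Mon Jan 26 13:29:11 2009 : Auth: Login incorrect: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)
Mon Jan 26 13:49:20 2009 : Auth: Login OK: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)
Mon Jan 26 14:02:00 2009 : Auth: Login incorrect: [host/UNKNOWN-PC] (from client hfs-schneller port 24)
"""

def users_file_names(users_text):
    """Return the first token of every non-indented, non-comment line."""
    names = []
    for line in users_text.splitlines():
        if not line or line[0] in " \t#":
            continue
        names.append(line.split()[0])
    return names

def case_mismatches(log_text, users_text):
    """Return (name_in_log, name_in_users_file) pairs for rejected logins
    that would match a users file entry if case were ignored."""
    names = users_file_names(users_text)
    exact = set(names)
    folded = {}
    for name in names:
        folded.setdefault(name.lower(), name)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(1) != "incorrect":
            continue
        seen = m.group(2)
        if seen in exact:
            continue  # exact match exists; the reject has another cause
        entry = folded.get(seen.lower())
        if entry is not None and (seen, entry) not in hits:
            hits.append((seen, entry))
    return hits

if __name__ == "__main__":
    for seen, entry in case_mismatches(SAMPLE_LOG, SAMPLE_USERS):
        print(f"log has {seen!r}, users file has {entry!r}: case differs")
```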
