Cisco Meraki Documentation

IAS Event ID: 20168

The Event Log on the IAS server may report "Error: Could not retrieve the Remote Access Server's certificate due to the following error: The credentials supplied to the package were not recognized." When this happens, authentication attempts fail with a timeout. This issue occurs after using VeriSign's automated process to purchase and install a WLAN computer certificate on a Microsoft IAS server performing PEAP-MS-CHAPv2 authentication.


Problem


When a client attempts to connect to the server with a WLAN certificate, this error can occur.
IAS error code: 20168
Event ID error code: 20168


Cause

When the certificate is installed using the PIN and URL provided by VeriSign, the "Install" button starts a script that calls a version of xEnroll.dll. In some cases, the wrong xEnroll.dll file is used. There is a version of xEnroll.dll in a CAB file and another version in the System32 folder. The xEnroll.dll in the CAB file only works on XP machines. The version in the System32 folder is the local copy and works for whatever version of the operating system is installed. When the wrong version is used, the Intermediate CA cannot be used properly.


Resolution

To resolve this issue, perform the following steps:

Step 1: Create a Microsoft Management Console (MMC)

1. From the Web server, click Start > Run

2. In the text box, type mmc

3. Click OK

4. From the Microsoft Management Console (MMC) menu bar, select Console or File > Add/Remove Snap-in

5. Click Add

6. From the list of snap-ins, select Certificates

7. Click Add

8. Select Computer account

9. Click Next

10. Select Local computer (the computer this console is running on)

11. Click Finish

12. In the snap-in list window, click Close

13. In the Add/Remove Snap-in window, click OK

14. Save these console settings for future use

Step 2: Export the certificate

1. Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates

2. The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure)

3. Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens

4. Select Yes, export the private key

5. Click Next

6. In the Export File Format window, ensure the option for Personal Information Exchange - PKCS#12 (.pfx) is selected

7. Select Include all certificates in the certificate path if possible and then click Next. (If you do not select the Include all certificates in the certificate path if possible option, your server may not recognize the issuer of the certificate, which may result in security warnings for your clients)

8. De-select Require Strong Encryption. (Leaving this option selected may cause a password prompt every time an application attempts to access the private key, or it may cause IIS to fail)

9. Click Next

10. Enter and confirm a password to protect the PFX file and click Next

11. Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension for you)

12. Click Next

13. Read the summary and verify that the information is correct. Pay special attention to where you saved the file

14. Click Finish

Once the certificate is exported, within MMC, right-click the certificate and select Delete.

Step 3: Import the certificate

1. Open the Microsoft Management Console (MMC)

2. On the left pane, click Certificates

3. On the right pane, double-click Personal

4. On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard)

5. Click Next

6. Browse to the certificate that you want to import

7. Click Next

8. Enter the password used to secure the certificate for export

9. Click OK

Note: To export the certificate again from this computer, select Mark the key as exportable

10. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path [Root, Intermediate, and Server] are stored in the proper place. Problems may occur if a certificate is placed in the wrong store).

11. Click Next

12. Click Finish

13. A message confirms successful import. Click OK

These steps can also be found at the link below.

https://knowledge.verisign.com/suppo...int&actp=PRINT   
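
Added example (not part of the original article or of VeriSign's steps): a read-only PowerShell check to run on the IAS server after Step 3. It confirms that the re-imported certificate in Certificates (Local Computer) > Personal has a usable private key and that its chain, including the Intermediate CA, builds in the machine context. It assumes the server certificate carries the Server Authentication EKU.

```powershell
# Added example: read-only check of Certificates (Local Computer) > Personal.
# Run from an elevated prompt; the key test reflects the account running the script.
# Assumption: the server certificate carries the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ns = 'System.Security.Cryptography.X509Certificates'

function Test-HasServerAuth($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

$store = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    foreach ($cert in $store.Certificates) {
        if (-not (Test-HasServerAuth $cert)) { continue }

        # 1. The private key must exist and its key container must open.
        $keyState = 'missing'
        if ($cert.HasPrivateKey) {
            try { $null = $cert.PrivateKey; $keyState = 'usable' }
            catch { $keyState = "not accessible: $($_.Exception.Message)" }
        }

        # 2. Build the chain in machine context, as a service on this host sees it.
        $chain = New-Object "$ns.X509Chain" -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, no CRL fetch
        $chainOk = $chain.Build($cert)

        "Subject     : $($cert.Subject)"
        "Thumbprint  : $($cert.Thumbprint)"
        "Private key : $keyState"
        "Chain valid : $chainOk"
        $i = 0
        foreach ($el in $chain.ChainElements) {
            "  [$i] $($el.Certificate.Subject)"   # expect Server, Intermediate, Root
            $i++
        }
        foreach ($st in $chain.ChainStatus) { "  status: $($st.Status)" }
    }
} finally {
    $store.Close()
}
```

A chain that stops at the server certificate, or a status of PartialChain, means the Intermediate CA is not in the machine stores. On Windows PowerShell, a key held by a CNG provider can show as not accessible through the PrivateKey property.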
