We're presently in the middle of a migration to another forest, as a result of a merger. Here are the key facts:
* The source and destination forest both have their own root CA and issuing CA.
* Users in the source forest use an ISA 2006 server for L2TP VPN.
* Our desire is to continue to use that L2TP server throughout the migration.
Most other services work fine between forests. Currently we have a CTL and a two-way forest trust in place and working, and we migrate accounts with SID history. A RADIUS proxy exists for cross-forest authentication of accounts that use our EAP/802.1x wireless.
The ISA L2TP VPN, though, is proving to be tough to get to work. The ChapV2 part works fine (for example, I can type in credentials of a destination forest user and that works fine due to trust), but once the computer is migrated, I get an IKE authentication failure. This surprised me because I have the CTL in place for the needed certificate purposes and the computer is a member of the group needed for VPN access. Then I read this and it has me troubled: http://www.dscoduc.com/2010/01/rras-and-certificate-troubles/
What that site says is that an MS L2TP VPN server will only ever accept a client certificate from the same certificate authority as the one which issued its own certificate. Is this true? If it is, is there some workaround? The problem is that users aren't all migrating at once. If they were, I'd just move the server to the destination domain and get a cert there when they migrated.
Thanks in Advance, Ross
< Message edited by Ross G -- 19.Mar.2010 3:44:07 PM >