Solved

certificate warning with NPS and Digicert...

Posted on 2011-09-22
Last Modified: 2012-05-12
Wondering if anyone has run into something like this before. I have Radius (NPS) working well and a profile configured to use a Universal Communications cert from Digicert. The only issue I have is when you connect you get a warning that says:

"The server radius.domain.com presented a valid certificate issued by Digicert High Assurance EV Root CA, but Digicert High Assurance EV Root CA is not configured as a valid trust anchor for this profile."

Now I can easily go in and create a manual profile and select the server, Root CA and intermediate cert and it won't give me the warning but I was hoping that there is a way to prevent this so my domain users can just double-click on the network and off they go.

Does anyone know of a way to avoid that warning without manual intervention?
Question by:willlandymore
5 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584712
You just need DigiCert's root and intermediate CA certificates installed in the trusted root store and intermediate store of your client machines.

There are a few different ways to do it.

You can push them out with a GPO.

You can install a Microsoft update that includes the latest list of trusted root certs.

You could install them manually.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36584891
Well, I had set up a test client and I had installed them manually into those stores on this one, but it still gets the warning when I just double-click on the new network. If you open up the settings of the EAP on the wireless profile only one of the Digicert certificates is selected, but if you check the server one and the other Digicert it's fine.

I was thinking that I could make a GPO that would push out the Wireless network with the settings I needed and sort of pre-check the certs so they were warned. Then it would be there for them too, they would just have to click on it.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36585110
You're right. I forgot about the settings on the PEAP properties page. In my environment group policy is used to set wireless parameters. So yes, you could do that.

When I get back to the office tomorrow I'll take a look at my settings. I remember having this problem with a non-domain laptop but don't remember what the resolution was.

Have you tried unchecking "Validate Server Certificate"? You may not want to leave it that way, but just as a test. That might be what I did for the contractor with the non-domain laptop.

I'll follow up tomorrow.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36586814
Yeah, it will work without any intervention at all if I uncheck the validate box. However, I was just going for as secure as possible so I was trying to get it so that was checked but there was no warning.

I have the policy set up for domain users/computers and then a GPO that pushes out the certificates to the right stores. If you create the wireless network manually and then select the 2 Digicert ones and the server one then there are no issues, but I was hoping to have this automatic so a wireless network didn't have to be created manually.
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36588118
On the PEAP settings page is "Connect to these servers:" checked with your radius server listed in the box?

On my settings page when I unselect that it works. Validate server certificate is still checked but the CAs are not selected in the Trusted Root Certification Authorities. Not sure why that works but it does.
0
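
Added example, not part of the thread or any participant's code: a Python check for a wireless profile exported with `netsh wlan export profile`, reporting whether the PEAP server-validation block selects a root CA, lists the RADIUS server name, and suppresses the trust prompt, which are the settings discussed above. The element names are those of the Windows PEAP profile XML; the function name, the simplified sample fragments and the placeholder thumbprint are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the XML namespace so the check works whatever schema version is used.
    return tag.rsplit("}", 1)[-1]

def audit_server_validation(profile_xml, expected_server):
    """Return findings for the PEAP <ServerValidation> block of a WLAN profile."""
    root = ET.fromstring(profile_xml)
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation element found"]
    names, anchors, prompt_disabled = [], [], False
    for child in sv:
        text = (child.text or "").strip()
        if _local(child.tag) == "ServerNames":
            # ServerNames is a semicolon-separated list.
            names += [n.strip().lower() for n in text.split(";") if n.strip()]
        elif _local(child.tag) == "TrustedRootCA":
            thumb = re.sub(r"\s+", "", text).lower()
            if re.fullmatch(r"[0-9a-f]{40}", thumb):  # SHA-1 thumbprint
                anchors.append(thumb)
        elif _local(child.tag) == "DisableUserPromptForServerValidation":
            prompt_disabled = text.lower() == "true"
    findings = []
    if not anchors:
        findings.append("no trusted root CA selected as trust anchor")
    if expected_server.lower() not in names:
        findings.append("expected RADIUS server name not listed")
    if not prompt_disabled:
        findings.append("users can be prompted to trust a new server or CA")
    return findings

# Constructed samples: the thumbprint is a placeholder, not a real certificate hash.
PLACEHOLDER_THUMB = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
UNPINNED = """<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation></EapType>"""
PINNED = f"""<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>radius.domain.com</ServerNames>
  <TrustedRootCA>{PLACEHOLDER_THUMB}</TrustedRootCA>
</ServerValidation></EapType>"""

if __name__ == "__main__":
    for label, xml in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(label, audit_server_validation(xml, "radius.domain.com"))
```

Run against the profile a GPO actually delivers, an empty result means the client has a pinned CA and server name and will not ask the user to make a trust decision.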
