Solved

certificate warning with NPS and Digicert...

Posted on 2011-09-22
5
2,054 Views
Last Modified: 2012-05-12
Wondering if anyone has run into something like this before. I have Radius (NPS) working well and a profile configured to use a Universal Communications cert from Digicert. The only issue I have is when you connect you get a warning that says:

"The server radius.domain.com presented a valid certificate issued by Digicert High Assurance EV Root CA, but Digicert High Assurance EV Root CA is not configured as a valid trust anchor for this profile."

Now I can easily go in and create a manual profile and select the server, Root CA and intermediate cert and it won't give me the warning, but I was hoping that there is a way to prevent this so my domain users can just double-click on the network and off they go.

Does anyone know of a way to avoid that warning without manual intervention?
Question by:willlandymore
5 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584712
You just need DigiCert's Root and intermediate CA certificates installed in the trusted root store and intermediate store of your client machines.

There are a few different ways to do it.

You can push them out with a GPO.

You can install a Microsoft update that includes the latest list of trusted root certs.

You could install them manually.
 
LVL 1

Author Comment

by:willlandymore
ID: 36584891
Well, I had set up a test client and I had installed them manually into those stores on this one, but it still gets the warning when I just double-click on the new network. If you open up the settings of the EAP on the wireless profile only one of the Digicert certificates is selected, but if you check the server one and the other Digicert it's fine.

I was thinking that I could make a GPO that would push out the Wireless network with the settings I needed and sort of pre-check the certs so they were warned. Then it would be there for them too, they would just have to click on it.
 
LVL 8

Expert Comment

by:Shmoid
ID: 36585110
You're right. I forgot about the settings on the PEAP properties page. In my environment, group policy is used to set wireless parameters. So yes, you could do that.

When I get back to the office tomorrow I'll take a look at my settings. I remember having this problem with a non-domain laptop but don't remember what the resolution was.

Have you tried unchecking "Validate Server Certificate"? You may not want to leave it that way, but just as a test. That might be what I did for the contractor with the non-domain laptop.

I'll follow up tomorrow.
 
LVL 1

Author Comment

by:willlandymore
ID: 36586814
Yeah, it will work without any intervention at all if I uncheck the validate box. However, I was just going for as secure as possible, so I was trying to get it so that it was checked but there was no warning.

I have the policy set up for domain users/computers and then a GPO that pushes out the certificates to the right stores. If you create the wireless network manually and then select the 2 Digicert ones and the server one then there are no issues, but I was hoping to have this automatic so a wireless network didn't have to be created manually.
 
LVL 8

Accepted Solution

by: Shmoid (earned 500 total points)
ID: 36588118
On the PEAP settings page is "Connect to these servers:" checked with your radius server listed in the box?

On my settings page when I unselect that it works. Validate server certificate is still checked but the CAs are not selected in the Trusted Root Certification Authorities. Not sure why that works but it does.
