Solved

certificate warning with NPS and Digicert...

Posted on 2011-09-22
5
2,139 Views
Last Modified: 2012-05-12
Wondering if anyone has run into something like this before. I have Radius (NPS) working well and a profile configured to use a Universal Communications cert from Digicert. The only issue I have is when you connect you get a warning that says:

"The server radius.domain.com presented a valid certificate issue by Digicert High Assurance EV Root CA, but  Digicert High Assurance EV Root CA is not configured as a valid trust anchor for this profile."

Now I can easily go in and create a manual profile and select the server, Root CA and intermediate cert and it won't give me the warning but I was hoping that there is a way to prevent this so my domain users can just double-click on the network and off they go.

Does anyone know of a way to avoid that warning without manual intervention?
0
Comment
Question by:willlandymore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584712
You just need DigiCerts Root and intermediate CA certificates installed in the trusted root store and intermediate store of your client machines.

There are a few different ways to do it.

You can push them out with a GPO.

You can install a Microsoft update that includes the latest list of trusted root certs

You could install them manually.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36584891
well I had setup a test client and I had installed them manually into those stores on this one but it still gets the warning when I just double-click on the new network. If you open up the settings of the EAP on the wireless profile only one of the Digicert certificates is selected, but if you check the server one and the other Digicert it's fine.

I was thinking that I could make a GPO that would push out the Wireless network with the settings I needed and sort of pre-check the certs so they were warned. Then it would be there for them too, they would just have to click on it.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36585110
You're right. I forgot about the settings on the PEAP properties page. In my environment group policy is used to set wireless parameters. So yes, you could do that.

When I get back to the office tomorrow I'll take a look at my settings. I remember having this problem with a non-domain laptop but don't remember what the resolution was.

Have you tried unchecking "Validate Server Certificate" you may not want to leave it that way but just as a test. That might be what I did for the contractor with the non-domain laptop.

I'll follow up tomorrow.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36586814
yeah, it will work without any intervention at all if I uncheck the validate box. However, I was just going for as secure as possible so I was trying to get it so that was checked but there was no warning.

I have the policy setup for domain users/computers and then a GPO that pushes out the certificates to the right stores. If you create the wireless network manually and then select the 2 Digicert ones and the server one then there are no issues, but I was hoping to have this automatic so a wireless network didn't have to be created manually.  
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36588118
On the PEAP settings page is "Connect to these servers:" checked with your radius server listed in the box?

On my settings page when I unselect that it works. Validate server certificate is still checked but the CA's are not selected int the Trused Root Certification Authorities. Not sure why that works but it does.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question