[RADIUS] Win7 asks multiple times for certificate

Fellow Experts, I need help.

I've deployed the NPS and CA for a company.
I've chosen PEAP as the authentication with "Smart Card or Certificate" authentication type.

My laptop is not a member of the domain
The certificate for a user has been exported from the CA and then imported onto my notebook (along with the private key).
Went into Certificates Manager and set it only to "user authentication" type.
In the advanced settings of the wireless connection I've picked the 802.1X User Authentication.

As for the NPS - it's configured to accept PEAP authentication with certificates.

Now for the error...
As of now I've tried it only on Windows 7 computer. For some unknown reason it doesn't want to connect immediately. The window to choose a certificate shows up (with correct cert), I click OK and then it shows up again. The number of confirmations differ: sometimes I have to click only once, sometimes this window appears for five-six times in a row.

Don't know what could have happened. The problem is the only events in the event viewer are the ones after succesful health check and authentication.
LVL 11
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jakob DigranesSenior ConsultantCommented:
does this error show for all users, or only yours?

Make sure certificates has the correct purpose:

One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is When a certificate is used for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

marek1712Author Commented:
I've checked the certification authority and this particular certificate has this extension (as well as safe e-mail and file encryption).
It's been imported into my laptop and I've checked only the Client Authentication property. And that's how it is now.
Jakob DigranesSenior ConsultantCommented:
can you log in to NPS - win2008 (or IAS win 2003) server and look at Event Viewer Security logs and look for any failure audits for Network Policy server -- and post it here?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

marek1712Author Commented:
Hmm, there are no failures. Only these two types of events: 6272 and 6278, which means everything is fine. But I still have to select the user certificate multiple times...
Little EDIT: it may be problem with a network adapter in my computer (Atheros AR9002) as my friend with his Intel 3945 and Windows XP doesn't have this problem.
I'm ordering new laptop for an employee and will see it then.  I'll post an update.
marek1712Author Commented:
My friend brought his computer with Windows 7 and the issue showed up on it too. Very strange. Intel 3945ABG network card.
As I've mentioned before - this doesn't affect Windows XP.
marek1712Author Commented:
I'm back after almost a month. It seems current AP is malfunctioning (TP-Link TL-WA5110G). Symptoms?:
- crashes from time to time (with WPA2/AES set). Not reachable with stable ping reply of 26ms
- low transfers with WPA2 - no more than 500kB/s
- multiple authentication requests with certificates for W7.
I have to thoroughly test the last part but I'm pretty sure the device is the culprit. My friend brought his TP-Link wireless router which serves as AP and after 5 tries - I've managed to connect instantly...
Will post an update after more research.
marek1712Author Commented:
Problem solved - the AP is faulty. I've sent it to RMA - will see if it's model flaw or just single case.
Meanwhile TL-WR3420 router works as an AP without any problems...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jakob DigranesSenior ConsultantCommented:
fingers crossed :-)
marek1712Author Commented:
Resolved issue myself.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.