Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4906
  • Last Modified:

NPS Client / Server Certificate Authentication Issue

Hi Experts,

I've got a tricky issue with NPS (i believe) that is causing my wireless clients to display a warning when connecting to my wireless network. A brief overview of the setup is as follows.

2 X Server 2008 Domain Controllers
1 X Certificate Authority Server
1 X NPS Server with XYZ connection policy
HP Procurve MSM Controller with various AP's all configured in NPS

We had an issue a few months back whereby under NPS
> Network Policies > "Wireless Policy" > Constraints > Authentication Methods
> Microsoft Smart Card of other Certificate"
...The certificate would be issued to a wildcard certificate. When i changed it back to a local CA issued certificate, clients could authenticate again.

This had only happened once to date so i ignored it...til now.

The same thing has happened again, so i changed it back.

Now, when i connect on a client however, i'm getting the error

"The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile"

I can still connect, but i have too many users on this network that will complain about the extra step. I'm confident i can answer any questions you ask me, i know i mightn't have explained myself enough. I've attached a screen shot to see if there is anything immediate that might be causing the issue

Thanks guys and gals.
0
mspsupport
Asked:
mspsupport
  • 3
1 Solution
 
Jakob DigranesSenior ConsultantCommented:
Would the wildcard certificate match the NPS name in terms of domain name?
Is the Local CA Certificate a RAS/IAS template or computer template, with server authentication as intended purpose?
is the certificate still valid? are clients domain joined?
0
 
mspsupportAuthor Commented:
GPO Tick boxHi Jakob.

I fixed this today. There has to be a bug where the "Smart Card or other certificate" reverts back to the the wild card cert whenever the local certificate is auto re-enrolled. (I've tested and confirmed this). This was the first part of fixing them problem.

With regards to the "The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile" issue, this was entirely client related (Unless its a configuration issue i couldn't figure out...)....the fix was to modify group policy...

There is a setting in the group policy for our wireless gpo - that said "Connect to this server". The box was checked but there was nothing selected there. We unticked this box and the error went away on the clients.

All of the clients were domain joined, all of the certificates were valid, the intended purpose of the certificate was correct. I noticed whoever set up the cert however, created it off a domain controller certificate template and not an RAS / IAS template. It is unknown if this caused the issue.

For anyone with similar symptoms in the future, i also noticed that the domain  is a Server 2008 R2 domain, but the group policy for wireless was a Windows XP policy not vista or above.

See the attached file for the box we needed to tick.

Thanks for your assistance again.
0
 
mspsupportAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mspsupport's comment #a39273451

for the following reason:

For anyone looking at this in the future, the questions the respondent asked were valid questions for tracking this issue.
0
 
mspsupportAuthor Commented:
As per other comments
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now