Asked by mspsupport

NPS Client / Server Certificate Authentication Issue

Hi Experts,

I've got a tricky issue with NPS (I believe) that is causing my wireless clients to display a warning when connecting to my wireless network. A brief overview of the setup is as follows.

2 X Server 2008 Domain Controllers
1 X Certificate Authority Server
1 X NPS Server with XYZ connection policy
HP ProCurve MSM Controller with various APs all configured in NPS

We had an issue a few months back whereby under NPS
> Network Policies > "Wireless Policy" > Constraints > Authentication Methods
> "Microsoft Smart Card or other Certificate"
...the certificate would be issued to a wildcard certificate. When I changed it back to a local CA issued certificate, clients could authenticate again.

This had only happened once to date so I ignored it...'til now.

The same thing has happened again, so I changed it back.

Now, when I connect on a client however, I'm getting the error

"The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile"

I can still connect, but I have too many users on this network that will complain about the extra step. I'm confident I can answer any questions you ask me; I know I mightn't have explained myself enough. I've attached a screenshot to see if there is anything immediate that might be causing the issue.

Thanks guys and gals.
ASKER CERTIFIED SOLUTION
Jakob Digranes
This solution is only available to members.
ASKER

Hi Jakob.

I fixed this today. There has to be a bug where the "Smart Card or other certificate" reverts back to the wildcard cert whenever the local certificate is auto re-enrolled. (I've tested and confirmed this). This was the first part of fixing the problem.

With regards to the "The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile" issue, this was entirely client related (unless it's a configuration issue I couldn't figure out...). The fix was to modify group policy...

There is a setting in the group policy for our wireless GPO that said "Connect to this server". The box was checked but there was nothing selected there. We unticked this box and the error went away on the clients.

All of the clients were domain joined, all of the certificates were valid, the intended purpose of the certificate was correct. I noticed whoever set up the cert, however, created it off a domain controller certificate template and not an RAS / IAS template. It is unknown if this caused the issue.

For anyone with similar symptoms in the future, I also noticed that the domain is a Server 2008 R2 domain, but the group policy for wireless was a Windows XP policy, not Vista or above.

See the attached file for the box we needed to tick.

Thanks for your assistance again.
I've requested that this question be closed as follows:

Accepted answer: 0 points for mspsupport's comment #a39273451

for the following reason:

For anyone looking at this in the future, the questions the respondent asked were valid questions for tracking this issue.
As per other comments
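
An added example, not part of the original thread: a PowerShell audit of the certificates on an NPS server that are eligible for server authentication, showing which are wildcard certificates, which CA issued each, and which template each was enrolled from. It assumes PowerShell 3.0 or later run elevated on the NPS server; the output property names are chosen here for illustration.

```powershell
# Added example (not from the thread): list candidate NPS server certificates.
# Assumes PowerShell 3.0+ and an elevated session on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2+ templates)
                 '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

Get-ChildItem -Path Cert:\LocalMachine\My |
    # Only certificates that explicitly carry the Server Authentication EKU;
    # certificates with no EKU extension at all are not listed here.
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
    ForEach-Object {
        $cert = $_
        # The template extension records which CA template the cert came from
        # (for example a Domain Controller template versus RAS and IAS Server).
        $tmpl = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer          # local CA versus public CA
            NotBefore  = $cert.NotBefore       # a recent date points to a re-enrolment
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            # DnsNameList covers the subject CN and any SAN DNS names.
            Wildcard   = [bool]($cert.DnsNameList.Unicode -match '^\*\.')
            Template   = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
        }
    } |
    Sort-Object NotBefore |
    Format-List
```

Comparing the thumbprint listed here against the certificate shown in the network policy's EAP properties after each auto-enrolment cycle shows whether the selection has moved to a different certificate.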