Solved

NPS Client / Server Certificate Authentication Issue

Posted on 2013-06-23
Last Modified: 2013-06-24
Hi Experts,

I've got a tricky issue with NPS (I believe) that is causing my wireless clients to display a warning when connecting to my wireless network. A brief overview of the setup is as follows.

2 X Server 2008 Domain Controllers
1 X Certificate Authority Server
1 X NPS Server with XYZ connection policy
HP Procurve MSM Controller with various APs, all configured in NPS

We had an issue a few months back whereby under NPS > Network Policies > "Wireless Policy" > Constraints > Authentication Methods > "Microsoft Smart Card or other Certificate", the certificate would be set to a wildcard certificate. When I changed it back to a local CA issued certificate, clients could authenticate again.

This had only happened once to date, so I ignored it... until now.

The same thing has happened again, so I changed it back.

Now, however, when I connect on a client, I'm getting the error

"The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile"

I can still connect, but I have too many users on this network who will complain about the extra step. I'm confident I can answer any questions you ask me; I know I mightn't have explained myself enough. I've attached a screenshot to see if there is anything immediate that might be causing the issue.

Thanks guys and gals.
Question by:mspsupport

Accepted Solution

by: Jakob Digranes (earned 500 total points)
ID: 39270348
Would the wildcard certificate match the NPS name in terms of domain name?
Is the Local CA Certificate a RAS/IAS template or computer template, with server authentication as intended purpose?
Is the certificate still valid? Are clients domain joined?

Author Comment

by:mspsupport
ID: 39273451
GPO Tick box

Hi Jakob.

I fixed this today. There has to be a bug where the "Smart Card or other certificate" setting reverts to the wildcard cert whenever the local certificate is auto re-enrolled (I've tested and confirmed this). This was the first part of fixing the problem.

With regards to the "The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile" issue, this was entirely client related (unless it's a configuration issue I couldn't figure out...). The fix was to modify group policy.

There is a setting in the group policy for our wireless GPO that said "Connect to this server". The box was checked, but there was nothing selected there. We unticked this box and the error went away on the clients.

All of the clients were domain joined, all of the certificates were valid, and the intended purpose of the certificate was correct. I noticed, however, that whoever set up the cert created it off a Domain Controller certificate template and not a RAS/IAS template. It is unknown if this caused the issue.

For anyone with similar symptoms in the future, I also noticed that the domain is a Server 2008 R2 domain, but the group policy for wireless was a Windows XP policy, not Vista or above.

See the attached file for the box we needed to tick.

Thanks for your assistance again.
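The accepted answer and the author's follow-up boil down to a checklist for the server certificate that NPS presents to wireless clients: is it currently valid, does it carry the Server Authentication purpose, was it issued from the RAS and IAS Server template rather than the Domain Controller template, and is it a wildcard certificate. The following PowerShell script is an added example, not part of the thread, that runs that checklist over the NPS server's machine store so the certificate actually selected under "Smart Card or other certificate" can be compared against it. The EKU and template-extension OIDs are standard; matching the template by its display name "RAS and IAS Server" is an assumption based on the default template name.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on the NPS server. Lists every certificate in the Local Machine
# Personal store with the properties the thread asks about.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
# Certificate Template Information (v2 templates) and Certificate Template Name (v1 templates)
$templateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-TemplateText {
    # Returns the decoded template extension text, e.g. "Template=RAS and IAS Server(...)".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return '(no template extension - not issued from an AD CS template)'
}

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $template = Get-TemplateText -Cert $cert
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        IsValidNow    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        # EnhancedKeyUsageList is a PowerShell extended property on X509Certificate2.
        HasServerAuth = [bool]($cert.EnhancedKeyUsageList |
                               Where-Object { $_.ObjectId -eq $serverAuthOid })
        # A wildcard subject ("CN=*.example.com") is what the thread saw NPS revert to.
        IsWildcard    = ($cert.Subject -like 'CN=[*]*')
        # Assumption: default display name of the template; adjust if your CA renamed it.
        FromRasIas    = ($template -like '*RAS and IAS Server*')
        Template      = $template
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A certificate that should be the one bound in the network policy would show IsValidNow, HasPrivateKey, HasServerAuth and FromRasIas all True with IsWildcard False; after an auto re-enrollment, re-run the script and re-check which thumbprint the "Smart Card or other certificate" setting now points at.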

Author Comment

by:mspsupport
ID: 39273456
I've requested that this question be closed as follows:

Accepted answer: 0 points for mspsupport's comment #a39273451

for the following reason:

For anyone looking at this in the future, the questions the respondent asked were valid questions for tracking this issue.

Author Closing Comment

by:mspsupport
ID: 39273457
As per other comments.
