Solved

NPS Client / Server Certificate Authentication Issue

Posted on 2013-06-23
Last Modified: 2013-06-24
Hi Experts,

I've got a tricky issue with NPS (I believe) that is causing my wireless clients to display a warning when connecting to my wireless network. A brief overview of the setup is as follows.

2 X Server 2008 Domain Controllers
1 X Certificate Authority Server
1 X NPS Server with XYZ connection policy
HP Procurve MSM Controller with various APs all configured in NPS

We had an issue a few months back whereby, under NPS > Network Policies > "Wireless Policy" > Constraints > Authentication Methods > "Microsoft Smart Card or other Certificate", the certificate would be issued to a wildcard certificate. When I changed it back to a local CA issued certificate, clients could authenticate again.

This had only happened once to date so I ignored it... 'til now.

The same thing has happened again, so I changed it back.

Now, when I connect on a client however, I'm getting the error

"The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile"

I can still connect, but I have too many users on this network that will complain about the extra step. I'm confident I can answer any questions you ask me; I know I mightn't have explained myself enough. I've attached a screenshot to see if there is anything immediate that might be causing the issue.

Thanks guys and gals.
Question by:mspsupport
Accepted Solution

by:
Jakob Digranes earned 500 total points
ID: 39270348
Would the wildcard certificate match the NPS name in terms of domain name?
Is the Local CA Certificate a RAS/IAS template or computer template, with server authentication as intended purpose?
Is the certificate still valid? Are clients domain joined?

Author Comment

by:mspsupport
ID: 39273451
[Attachment: GPO Tick box]

Hi Jakob.

I fixed this today. There has to be a bug where the "Smart Card or other certificate" reverts back to the wildcard cert whenever the local certificate is auto re-enrolled. (I've tested and confirmed this.) This was the first part of fixing the problem.

With regards to the "The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile" issue, this was entirely client related (unless it's a configuration issue I couldn't figure out...). The fix was to modify group policy...

There is a setting in the group policy for our wireless GPO that said "Connect to this server". The box was checked but there was nothing selected there. We unticked this box and the error went away on the clients.

All of the clients were domain joined, all of the certificates were valid, the intended purpose of the certificate was correct. I noticed whoever set up the cert however, created it off a domain controller certificate template and not an RAS / IAS template. It is unknown if this caused the issue.

For anyone with similar symptoms in the future, I also noticed that the domain is a Server 2008 R2 domain, but the group policy for wireless was a Windows XP policy, not Vista or above.

See the attached file for the box we needed to tick.

Thanks for your assistance again.
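
The checks raised in this thread (certificate validity, Server Authentication purpose, issuing template, wildcard versus local CA certificate) can be repeated on the NPS server after each auto-enrollment. The PowerShell below is an added example, not part of the original thread; it assumes it is run on the NPS server in an elevated session, and it only reads the machine certificate store.

```powershell
# Added example: list certificates in the NPS server's machine store that
# carry the Server Authentication EKU, i.e. candidates for the EAP setting.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.20.2',    # Certificate Template Name (v1 templates)
                 '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2+)
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $ekuOids  = @()
    $template = '(no template extension)'
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        if ($templateOids -contains $ext.Oid.Value) {
            $template = $ext.Format($false)   # readable template name / OID
        }
    }
    # Skip certificates without an explicit Server Authentication EKU.
    # Simplification: a certificate with no EKU extension at all is also skipped.
    if ($ekuOids -notcontains $serverAuthOid) { return }

    # First DNS name from the SAN, falling back to the subject CN.
    $dnsName = $cert.GetNameInfo($dnsType, $false)
    New-Object PSObject -Property @{
        DnsName    = $dnsName
        Wildcard   = $dnsName.StartsWith('*.')   # heuristic: first name only
        Template   = $template
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Valid      = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        HasKey     = $cert.HasPrivateKey
        Thumbprint = $cert.Thumbprint
    }
} | Sort-Object NotAfter |
    Select-Object DnsName, Wildcard, Template, Issuer, NotAfter, Valid, HasKey, Thumbprint |
    Format-List
```

Comparing the thumbprints listed here with the certificate selected under the network policy's authentication method shows whether a renewal has changed which certificate is in use.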

Author Comment

by:mspsupport
ID: 39273456
I've requested that this question be closed as follows:

Accepted answer: 0 points for mspsupport's comment #a39273451

for the following reason:

For anyone looking at this in the future, the questions the respondent asked were valid questions for tracking this issue.

Author Closing Comment

by:mspsupport
ID: 39273457
As per other comments