Solved

NPS Client / Server Certificate Authentication Issue

Posted on 2013-06-23
4
4,632 Views
Last Modified: 2013-06-24
Hi Experts,

I've got a tricky issue with NPS (I believe) that is causing my wireless clients to display a warning when connecting to my wireless network. A brief overview of the setup is as follows.

2 X Server 2008 Domain Controllers
1 X Certificate Authority Server
1 X NPS Server with XYZ connection policy
HP Procurve MSM Controller with various AP's all configured in NPS

We had an issue a few months back whereby under NPS > Network Policies > "Wireless Policy" > Constraints > Authentication Methods > "Microsoft: Smart Card or other Certificate", the certificate would be issued to a wildcard certificate. When I changed it back to a local CA issued certificate, clients could authenticate again.

This had only happened once to date so I ignored it... 'til now.

The same thing has happened again, so I changed it back.

Now, when I connect on a client, however, I'm getting the error

"The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile"

I can still connect, but I have too many users on this network who will complain about the extra step. I'm confident I can answer any questions you ask me; I know I mightn't have explained myself enough. I've attached a screenshot to see if there is anything immediate that might be causing the issue.

Thanks guys and gals.
0
Question by:mspsupport
4 Comments
 
LVL 22

Accepted Solution

by:
Jakob Digranes earned 500 total points
ID: 39270348
Would the wildcard certificate match the NPS name in terms of domain name?
Is the Local CA Certificate a RAS/IAS template or computer template, with server authentication as intended purpose?
Is the certificate still valid? Are clients domain joined?
0
 

Author Comment

by:mspsupport
ID: 39273451
[Attachment: GPO Tick box]

Hi Jakob.

I fixed this today. There has to be a bug where the "Smart Card or other certificate" setting reverts back to the wildcard cert whenever the local certificate is auto re-enrolled. (I've tested and confirmed this.) This was the first part of fixing the problem.

With regards to the "The Server XYZSERVER is not configured as a valid NPS server to connect to for this profile" issue, this was entirely client related (unless it's a configuration issue I couldn't figure out...). The fix was to modify group policy.

There is a setting in the group policy for our wireless gpo - that said "Connect to this server". The box was checked but there was nothing selected there. We unticked this box and the error went away on the clients.

All of the clients were domain joined, all of the certificates were valid, and the intended purpose of the certificate was correct. I noticed, however, that whoever set up the cert created it off a Domain Controller certificate template and not a RAS / IAS template. It is unknown if this caused the issue.

For anyone with similar symptoms in the future, I also noticed that the domain is a Server 2008 R2 domain, but the group policy for wireless was a Windows XP policy, not Vista or above.

See the attached file for the box we needed to tick.

Thanks for your assistance again.
0
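The checks Jakob asked for (is the NPS certificate a RAS/IAS-style server-authentication certificate rather than a wildcard one, is it still valid) and the client-side "connect to these servers" setting the author found can both be audited from PowerShell. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the author. It assumes it runs on the NPS server (for the certificate store check) and on an exported client wireless profile (`netsh wlan export profile`); the template OIDs and the `ServerValidation` / `ServerNames` element names are taken from the Microsoft certificate-template and EAP profile schemas as the editor understands them, and the embedded profile XML is a constructed, abbreviated sample rather than a real export. Whether a ticked-but-empty "Connect to these servers" box appears as an empty `ServerNames` element is also an assumption.

```powershell
# Added example (not from the original thread).
# 1. List LocalMachine\My certificates that NPS could pick for EAP server
#    authentication and flag wildcard / non-RAS-IAS-template ones.
# 2. Parse an exported wireless profile and flag server validation that is
#    enabled with an empty server-name list.

$ServerAuthEku   = '1.3.6.1.5.5.7.3.1'       # id-kp-serverAuth
$TemplateV2Oid   = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2 templates)
$TemplateV1Oid   = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates, e.g. DomainController)

function Get-NpsCandidateCertificate {
    # Returns one object per certificate with a private key and the Server Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if (-not $cert.HasPrivateKey -or $ekus -notcontains $ServerAuthEku) { return }

        # Template name: v2 templates carry it in 1.3.6.1.4.1.311.21.7, v1 in 1.3.6.1.4.1.311.20.2.
        $template = 'unknown'
        $tExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV2Oid -or $_.Oid.Value -eq $TemplateV1Oid }
        if ($tExt) { $template = ($tExt | Select-Object -First 1).Format($false) }

        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            DnsName     = $dnsName
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            IsValidNow  = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date))
            IsWildcard  = ($dnsName -like '*`**')          # subject name starts with '*'
            Template    = $template
            LooksRasIas = ($template -match 'RAS and IAS')  # assumption: default template display name
        }
    }
}

function Test-WirelessProfileServerNames {
    # Returns one object per ServerValidation element in an exported WLAN profile.
    param([Parameter(Mandatory = $true)][xml]$Profile)
    # local-name() sidesteps the per-EAP-type default namespaces (EAP-TLS vs PEAP).
    foreach ($sv in $Profile.SelectNodes("//*[local-name()='ServerValidation']")) {
        $disablePrompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
        $serverNames   = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        $names = if ($serverNames) { $serverNames.InnerText.Trim() } else { '' }
        New-Object PSObject -Property @{
            ValidationEnabled = ($disablePrompt -eq $null -or $disablePrompt.InnerText -ne 'true')
            ServerNames       = $names
            # Assumption: an empty list with validation on is the state the thread describes.
            EmptyServerList   = ($names -eq '')
        }
    }
}

# --- Constructed sample profile (abbreviated, not a real export) ---
[xml]$SampleProfile = @"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-Sample</name>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
      </EapType>
    </Eap>
  </EapHostConfig>
</WLANProfile>
"@

Write-Host "== EAP server-authentication certificates in LocalMachine\My =="
Get-NpsCandidateCertificate | Format-Table Thumbprint, DnsName, IsValidNow, IsWildcard, LooksRasIas, Template -AutoSize

Write-Host "== Server validation settings in the sample profile =="
Test-WirelessProfileServerNames -Profile $SampleProfile | Format-List
```

To audit a real client, replace the constructed sample with `[xml](Get-Content .\Wi-Fi-CorpWiFi.xml)` after `netsh wlan export profile name="CorpWiFi" folder=. key=clear`. Run the certificate half on the NPS server after each auto-enrollment cycle; if the thumbprint NPS reports in its EAP policy no longer matches a non-wildcard, RAS/IAS-template entry in this list, the policy has silently swapped certificates as the author observed.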
 

Author Comment

by:mspsupport
ID: 39273456
I've requested that this question be closed as follows:

Accepted answer: 0 points for mspsupport's comment #a39273451

for the following reason:

For anyone looking at this in the future, the questions the respondent asked were valid questions for tracking this issue.
0
 

Author Closing Comment

by:mspsupport
ID: 39273457
As per other comments
0
