AddTrust External CA Root warning

I recently deployed a wireless solution and want to use 802.1X. Everything is working between the Wi-Fi controller and the RADIUS server. When my Windows 7 clients connect to the Wi-Fi I am prompted with a warning.

The credentials provided by the server could not be validated. We recommend you terminate...

Radius Server: xxx
Root CA: AddTrust External CA Root

The server "xxx" presented a valid certificate issued by "AddTrust External CA Root", but "AddTrust External CA Root" is not configured as a valid trust anchor for this profile.


If I select connect everything works fine and I can authenticate and connect to the corporate WIFI. Please see attached as well.

Thank you
lebz29 asked:

Giovanni Heward commented:
1. Go to Control Panel > Network and Internet > Manage Wireless Networks.

2. Open the wireless network. Or, click the "Add" button to create a new network, then open it.

3. The Wireless Network Properties window appears. Click the Security tab.

4. Under "Choose a network authentication method", select "Microsoft: Smart Card or other certificate". I assume this is already selected.

5. Click the "Settings" button.

6. The "Smart Card or other Certificate Properties" window appears.

7. Here is the answer. Under the "Trusted Root Certification Authorities" list, you have to manually select the Root CA of your company. By default, these are all blank. That is why the warning message appears the first time if you do not select your company's Root CA. If you connect despite the warning, then your company's Root CA is now selected, and you no longer get the warning on subsequent connections. So, to avoid the warning, just select this box when you set up the network, before you connect for the first time.

If you do not see your company's Root CA here, that is likely due to the fact that by default, double clicking your certificate to install it probably puts it under the "Intermediate Certification Authorities" tab. You need to select the "Trusted Root Certification Authorities" tab instead. You can see where certificates go under: Internet Explorer > Internet Options > Content > Certificates
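The trust anchor the answer above selects in the GUI is stored in the wireless profile as a root-CA thumbprint. The script below is an added example (not part of the thread and not Microsoft's code) that exports the profile with netsh, reads that thumbprint back out of the PEAP or EAP-TLS server-validation block, and checks whether the referenced root is actually present in the machine's Root store. The profile name "CorpWiFi" is an assumption; replace it with the SSID in use. The element and namespace names are the ones Windows writes into exported profiles.

```powershell
# Added example, not from the thread. Reports whether a trust anchor is configured
# for server validation in the named WLAN profile, and whether that anchor exists
# in LocalMachine\Root. Run elevated so the LocalMachine stores are readable.
param([string]$ProfileName = "CorpWiFi")   # assumption: the corporate SSID/profile name

$exportDir = Join-Path $env:TEMP "wlan-profile-check"
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null

# netsh writes "<interface>-<profile>.xml"; the EAP settings live inside that file
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter "*.xml" | Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' was not found or could not be exported" }
[xml]$profileXml = Get-Content -Path $xmlFile.FullName

# PEAP and EAP-TLS keep their ServerValidation block in different XML namespaces
$namespaces = @{
    peap = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
    tls  = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
}
$anchors = Select-Xml -Xml $profileXml -Namespace $namespaces `
    -XPath "//peap:ServerValidation/peap:TrustedRootCA | //tls:ServerValidation/tls:TrustedRootCA"

if (-not $anchors) {
    # This is the state that produces the "not configured as a valid trust anchor" prompt
    Write-Output "No TrustedRootCA is configured in '$ProfileName'; Windows will prompt on connect"
    return
}

foreach ($anchor in $anchors) {
    # The profile stores the SHA-1 thumbprint as space-separated lowercase hex;
    # normalise it to the format the Cert: drive uses for comparison.
    $thumb = ($anchor.Node.InnerText -replace '\s', '').ToUpperInvariant()
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
    if ($root) {
        Write-Output "Anchor $thumb found in LocalMachine\Root: $($root.Subject)"
    } else {
        Write-Output "Anchor $thumb is referenced by the profile but is missing from LocalMachine\Root"
    }
}
```

If the profile references no anchor, fixing the GUI setting (or re-deploying the profile with the root selected) removes the prompt; if it references an anchor that is not in the Root store, the client has nothing to validate the RADIUS server against and the same prompt appears.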
becraig commented:
The cert issuer appears to not be trusted by your computer:
See below
http://support.microsoft.com/kb/2518158


You need to add that cert to your local store:

Export the certificate of the CA that issued the certificate to the authentication server to a file "AddTrust External CA Root.cer".
Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:

certutil -enterprise -addstore NTAuth "AddTrust External CA Root.cer"
lebz29 (author) commented:
The cert was issued by Comodo for an internal server.

They sent 3 files

1) servername.crt
2) COMODOHigh-AssuranceSecureServerCA.crt
3) AddTrustExternalCARoot.crt

For the authentication I am using EAP (PEAP)

becraig commented:
certutil -enterprise -addstore NTAuth AddTrustExternalCARoot.crt

if you continue to have issues you may also have to add the COMODOxx cert to your intermediate cert store.


certutil -addstore -f CA pathto:\COMODOHigh-AssuranceSecureServerCA.crt
certutil -addstore -f ROOT  AddTrustExternalCARoot.crt
lebz29 (author) commented:
Thank you. I tried the above on my local computer and I am still getting the popup. Maybe Comodo was a bad choice for an SSL cert?
becraig commented:
Please take a look at the below link:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/33a32bbd-c8a4-4063-ba25-db7da2e8272b/nps-radius-peap-using-3rd-party-certificate

As the post indicates a reboot from the clients while connected to the domain is required to pick up the change.

This resolved the 'not configured as a valid trust anchor for this profile' error for all Windows 7 machines once they had been rebooted whilst connected to the domain to pick up the change.
lebz29 (author) commented:
Bingo! Ran the following on my DC

certutil -dspublish -f COMODOHigh-AssuranceSecureServerCA.crt NTAuthCA

Thank you all
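The certutil commands in the answers above put the Comodo intermediate and the AddTrust root into the local CA/Root stores, and the final fix publishes the issuing CA to the enterprise NTAuth store in Active Directory. The script below is an added example (not from the thread and not Comodo's or Microsoft's code) that checks both things on a client: it builds the chain for the three files Comodo supplied the way Windows does, showing exactly which element is untrusted, and then looks for the issuing CA in the enterprise NTAuth store that domain clients populate after the reboot the thread mentions. It assumes the three files named in the question are in the current directory.

```powershell
# Added example, not from the thread. Builds the RADIUS server's certificate chain from
# the files Comodo supplied and checks the enterprise NTAuth store for the issuing CA.
$certDir = Get-Location   # assumption: servername.crt and the two CA files are here
$x509 = "System.Security.Cryptography.X509Certificates"

$server = New-Object "$x509.X509Certificate2" (Join-Path $certDir "servername.crt")
$issuer = New-Object "$x509.X509Certificate2" (Join-Path $certDir "COMODOHigh-AssuranceSecureServerCA.crt")
$rootCa = New-Object "$x509.X509Certificate2" (Join-Path $certDir "AddTrustExternalCARoot.crt")

$chain = New-Object "$x509.X509Chain"
# Offline check: we only care whether the chain reaches a trusted root, not revocation
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# ExtraStore supplies certificate bytes only (like the chain sent in the TLS handshake);
# trust is still decided by whether the root sits in the Root store.
$chain.ChainPolicy.ExtraStore.Add($issuer) | Out-Null
$chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null

$trusted = $chain.Build($server)
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { "OK" }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join "," }
    Write-Output ("{0,-70} {1}" -f $element.Certificate.Subject, $status)
}
if (-not $trusted) {
    # UntrustedRoot on the AddTrust element means the root is not in LocalMachine\Root
    Write-Output "Chain does not end in a trusted root; import '$($rootCa.Subject)' into LocalMachine\Root"
}

# NTAuth holds the CAs allowed to issue certificates used for Windows authentication.
# certutil -dspublish ... NTAuthCA writes it to AD; domain-joined clients copy it into
# their local enterprise store, which is why the thread needed a reboot on the domain.
$ntAuthDump = (certutil -enterprise -store NTAuth 2>&1 | Out-String)
$normalised = ($ntAuthDump -replace '\s', '').ToUpperInvariant()   # certutil prints hashes as spaced hex
if ($normalised.Contains($issuer.Thumbprint)) {
    Write-Output "Issuing CA '$($issuer.Subject)' is present in the enterprise NTAuth store"
} else {
    Write-Output "Issuing CA '$($issuer.Subject)' is NOT in NTAuth yet; publish it (certutil -dspublish) and reboot the client while on the domain"
}
```

Reading the two results together tells you which of the two fixes in the thread still applies: an UntrustedRoot status means the AddTrust root is missing from the local Root store, while a trusted chain with a missing NTAuth entry means the CA has not yet been published to (or replicated from) the domain.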