AddTrust External CA Root warning

Posted on 2013-09-11
Medium Priority
Last Modified: 2013-12-09
I recently deployed a wireless solution and want to use 802.1x. Everything is working between the wifi controller and the RADIUS server. When my Windows 7 clients connect to the wifi I am prompted with a warning.

The credentials provided by the server could not be validated. We recommend you terminate...

Radius Server: xxx
Root CA: AddTrust External CA Root

The server "xxx" presented a valid certificate issued by "AddTrust External CA Root", but "AddTrust External CA Root" is not configured as a valid trust anchor for this profile.

If I select connect everything works fine and I can authenticate and connect to the corporate WIFI. Please see attached as well.

Thank you
Question by:lebz29
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39483550
Go to Control Panel > Network and Internet > Manage Wireless Networks.

    Open the wireless network. Or, click the "Add" button to create a new network, then open it.

    The Wireless Network Properties window appears. Click the Security tab.

    Under "Choose a network authentication method", select "Microsoft: Smart Card or other certificate". I assume this is already selected.

    Click the "Settings" button.

    The "Smart Card or other Certificate Properties" window appears.

    Here is the answer. Under the "Trusted Root Certification Authorities" list, you have to manually select the Root CA of your company. By default, these are all blank. That is why the warning message appears the first time if you do not select your company's Root CA. If you connect despite the warning, then your company's Root CA is now selected, and you no longer get the warning on subsequent connections. So, to avoid the warning, just select this box when you set up the network, before you connect for the first time.

    If you do not see your company's Root CA here, that is likely due to the fact that by default, double clicking your certificate to install it probably puts it under the "Intermediate Certification Authorities" tab. You need to select the "Trusted Root Certification Authorities" tab instead. You can see where certificates go under: Internet Explorer > Internet Options > Content > Certificates
LVL 29

Expert Comment

ID: 39483551
The cert issuer appears to not be trusted by your computer:
See below

You need to add that cert to your local store:

Export the certificate of the CA that issued the certificate to the authentication server to a file "AddTrust External CA Root.cer".
Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:

certutil -enterprise -addstore NTAuth "AddTrust External CA Root.cer"

Author Comment

ID: 39483766
The cert was issued by Comodo for an internal server.

They sent 3 files

1) servername.crt
2) COMODOHigh-AssuranceSecureServerCA.crt
3) AddTrustExternalCARoot.crt

For the authentication I am using EAP (PEAP)

LVL 29

Expert Comment

ID: 39483883
certutil -enterprise -addstore NTAuth AddTrustExternalCARoot.crt

if you continue to have issues you may also have to add the COMODOxx cert to your intermediate cert store.

certutil -addstore -f CA pathto:\COMODOHigh-AssuranceSecureServerCA.crt
certutil -addstore -f ROOT AddTrustExternalCARoot.crt

Author Comment

ID: 39484531
Thank you. I tried the above on my local computer and I am still getting the popup. Maybe Comodo was a bad choice for an SSL cert?
LVL 29

Accepted Solution

becraig earned 2000 total points
ID: 39484610
Please take a look at the below link:

As the post indicates a reboot from the clients while connected to the domain is required to pick up the change.

This resolved the 'not configured as a valid trust anchor for this profile' error for all Windows 7 machines once they had been rebooted whilst connected to the domain to pick up the change.

Author Comment

ID: 39485435
Bingo! Ran the following on my DC

certutil -dspublish -f COMODOHigh-AssuranceSecureServerCA.crt NTAuthCA

Thank you all
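The following PowerShell script is an added example and is not code posted by anyone in this thread. It puts the three files Comodo supplied (file names taken from the author's post) into the correct LocalMachine stores, then builds the certificate chain for the RADIUS server certificate the way the EAP client does and reports which trust anchor it ended on, so you can confirm the AddTrust root is where Windows will look for it before touching the wireless profile. It also checks whether the Comodo intermediate published with certutil -dspublish has reached this machine's enterprise NTAuth store. The directory C:\certs is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread). Assumption: the three .crt files
# Comodo sent were copied to C:\certs. Run from an elevated PowerShell.
$certDir         = 'C:\certs'
$serverCrt       = Join-Path $certDir 'servername.crt'
$intermediateCrt = Join-Path $certDir 'COMODOHigh-AssuranceSecureServerCA.crt'
$rootCrt         = Join-Path $certDir 'AddTrustExternalCARoot.crt'

# Add a certificate to a LocalMachine store using .NET directly, so this also
# works on Windows 7 where the Import-Certificate cmdlet is not available.
function Add-CertToStore {
    param([string]$Path, [string]$StoreName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)        # no-op if the certificate is already present
    $store.Close()
    return $cert
}

# Root -> Trusted Root Certification Authorities ('Root'); intermediate ->
# Intermediate Certification Authorities ('CA'). Double-clicking a .crt file
# tends to land it in the wrong store, which is the mistake the first answer describes.
$root         = Add-CertToStore -Path $rootCrt         -StoreName 'Root'
$intermediate = Add-CertToStore -Path $intermediateCrt -StoreName 'CA'

# Build the chain for the RADIUS server certificate. Revocation checking is off
# because an 802.1X client that is not yet authenticated normally cannot reach
# the CRL or OCSP responder anyway.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $serverCrt
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built  = $chain.Build($server)

Write-Host "Chain built: $built"
foreach ($el in $chain.ChainElements) { Write-Host "  $($el.Certificate.Subject)" }
foreach ($st in $chain.ChainStatus)   { Write-Warning "$($st.Status): $($st.StatusInformation)" }

# The last element must be the AddTrust root from the file Comodo sent; if the
# thumbprints differ, Windows found a different anchor (or none at all).
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($anchor.Thumbprint -ne $root.Thumbprint) {
    Write-Warning "Chain ends on '$($anchor.Subject)', not on the expected AddTrust External CA Root"
}

# The accepted answer published the Comodo intermediate to the enterprise NTAuth
# store in AD. This shows whether the local copy of that store contains it yet;
# the thread found a reboot while connected to the domain was needed to pick it up.
# Whitespace is stripped because older certutil versions print the SHA-1 hash
# with spaces between the bytes.
$ntauth = (certutil -enterprise -store NTAuth 2>&1 | Out-String) -replace '\s', ''
if ($ntauth -match $intermediate.Thumbprint) {
    Write-Host 'Comodo intermediate is present in the enterprise NTAuth store on this machine'
} else {
    Write-Warning 'Comodo intermediate is NOT in the NTAuth store on this machine yet'
}
```

Importing the root fixes only the "not configured as a valid trust anchor for this profile" half of the problem on the machine itself; the PEAP settings of the wireless profile still need AddTrust External CA Root ticked under Trusted Root Certification Authorities, as the first comment describes, or the first connection will prompt regardless of what the chain check above reports.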
