NPS Certificate

We have a wireless solution throughout our building.  Network Policy Server (NPS) is set up on a Windows 2008 domain controller, server2.  The domain controller gets its certificate from a Windows 2008 Std domain controller, server1, running a certificate authority.  Over the weekend server2's certificate expired.  I renewed it with the internal CA.  Now I am getting an error that EAP cannot be processed by the server when wifi clients try to authenticate with NPS.  When seeing what certificate EAP uses I get the below error.  I cannot find a way to add the subject name into the certificate and don't recall ever having to do this.

Lastly, should NPS be installed on a DOMAIN Controller?  I'm finding that it shouldn't.

http://morgansimonsen.wordpress.com/2012/01/25/a-certificate-cloud-not-be-found-that-can-be-used-with-this-extensible-authentication-protocol-error-in-ias/
silvercas Asked:

Craig Beck Commented:
...or just enrol for a computer certificate!

http://technet.microsoft.com/en-us/library/cc730811.aspx

Pay special attention to the caution at the bottom.
0
 
Craig Beck Commented:
First, NPS can be installed on a DC if you need it to be.  You can install it on SBS, so it's fine.  It's recommended to install on a different box for performance and role separation only.

The NPS server can use certificate autoenrolment (and I would recommend it) so you don't ever find that you've forgotten to obtain a new certificate.  However, you need to choose the new certificate in NPS when you've obtained it.

You don't need to add a subject name to the certificate.  Simply enrol for a computer certificate and use that.
0
 
silvercas (Author) Commented:
So I just got this working.  Upon reviewing my certificates I found I was missing or lacked one from before.  I just had an active certificate with the certificate template of Directory Email Replication and Domain Controller Authentication.  Once I requested a certificate with the template Domain Controller, everything came back to life.  Reading some posts, particularly the one below, made me realize this.

http://setspn.blogspot.com/2010/12/error-selecting-certificate-when.html?showComment=1313245992613#c778045168030747809


Regarding the post above, it appears you do need the subject.  I am unable to associate a certificate for PEAP without a subject.
0

 
Craig Beck Commented:
You 100% don't need to configure a subject name in the certificate when you request a computer certificate as the computer's identity IS the subject and can't be changed.
0
 
silvercas (Author) Commented:
But these weren't computer certs; they are domain controller certs.
0
 
Craig Beck Commented:
It doesn't matter... the identity of the machine is what matters when providing a certificate for NPS.  If the machine NPS is running on is a DC you don't need to enrol for a certificate at all as long as the CA certificate is valid.
0
 
silvercas (Author) Commented:
If the cert doesn't have a subject, I was unable to associate it with PEAP.
0
 
Craig Beck Commented:
My point is that the certificate does have a subject and you can't change it, so you can't specify it.  The certificate subject is the computer identity.
0
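A way to settle this kind of question on the NPS host itself, as an added example rather than anything posted in this thread: the script below lists the Local Machine personal certificates and flags each one that fails the usual PEAP server-certificate checks (non-empty subject, private key present, inside its validity period, Server Authentication EKU, chain building to a trusted root), and shows which template issued it so a Domain Controller cert can be told apart from a Domain Controller Authentication one. It assumes an elevated PowerShell session on the NPS server; the OIDs and criteria are the standard Windows ones, not values taken from this page.

```powershell
# Added example (not from this thread): audit LocalMachine\My for a certificate
# that NPS can use for PEAP/EAP. Run in an elevated PowerShell on the NPS host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                     # Server Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.20.2',               # v1 template name (e.g. DomainController)
                   '1.3.6.1.4.1.311.21.7')               # v2 template information
$now = Get-Date

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @()

    if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'empty Subject' }
    if (-not $cert.HasPrivateKey)               { $problems += 'no private key' }
    if ($cert.NotBefore -gt $now)               { $problems += 'not yet valid' }
    if ($cert.NotAfter  -lt $now)               { $problems += "expired $($cert.NotAfter.ToShortDateString())" }

    # Server Authentication must be listed in the Enhanced Key Usage extension.
    $hasServerAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }

    # The chain must build to a root this machine trusts (revocation skipped here for speed).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) { $problems += 'chain does not build to a trusted root' }

    # Report the issuing template so the different DC templates can be told apart.
    $tmplExt  = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Template      = $template
        NotAfter      = $cert.NotAfter
        UsableForPEAP = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

$report | Sort-Object UsableForPEAP -Descending |
    Format-Table Subject, Template, NotAfter, UsableForPEAP, Problems -AutoSize -Wrap
```

A certificate that shows UsableForPEAP = True here is the one to select in the NPS network policy after a renewal; anything flagged with problems is why the "certificate could not be found" EAP error appears.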
 
askincakir Commented:
Hi,

The simplest way of getting the right certificate is to install IIS on the machine where NPS is installed. In the IIS management/certificates site you can request a certificate from your domain CA, and it would also be suitable for your NPS. After getting the certificate from IIS, on the NPS side you can use it with no problems.
0
 
silvercas (Author) Commented:
I appreciate all the feedback.

I read about the idea of installing IIS.  I don't want to venture down this path as this is a DC and already has enough on it.  Configuring another server for NPS is looking more like a reality soon.

This morning, as I read, my domain controller certificate disappeared since a newer Domain Controller Authentication certificate was already in place.  I believe that I can get the Domain Controller certificate again and expire the Domain Controller Authentication cert.  Any words of caution?  The current NPS server is a Domain Controller.

One last point: when I try to request a certificate other than the three I mentioned, they are listed as unavailable.  From reading, this is a security setup issue?
0
 
silvercas (Author) Commented:
NPS moved off DC
0