Solved

NPS Certificate

Posted on 2013-12-02
Last Modified: 2013-12-18
We have a wireless solution throughout our building.  Network Policy Server (NPS) is set up on a Windows 2008 domain controller, server2.  The domain controller gets its certificate from a Windows 2008 Std domain controller, server1, running Certificate Authority.  Over the weekend server2's certificate expired.  I renewed it with the internal CA.  Now I am getting an error that EAP cannot be processed by the server when wifi clients try to authenticate with NPS.  When checking which certificate EAP uses I get the error below.  I cannot find a way to add the subject name into the certificate and don't recall ever having to do this.

Lastly, should NPS be installed on a domain controller?  I'm finding that it shouldn't.

http://morgansimonsen.wordpress.com/2012/01/25/a-certificate-cloud-not-be-found-that-can-be-used-with-this-extensible-authentication-protocol-error-in-ias/
Question by:silvercas
11 Comments
LVL 47

Expert Comment

by:Craig Beck
ID: 39690744
First, NPS can be installed on a DC if you need it to be.  You can install it on SBS, so it's fine.  It's recommended to install on a different box for performance and role separation only.

The NPS server can use certificate autoenrolment (and I would recommend it) so you don't ever find that you've forgotten to obtain a new certificate.  However, you need to choose the new certificate in NPS when you've obtained it.

You don't need to add a subject name to the certificate.  Simply enrol for a computer certificate and use that.

Author Comment

by:silvercas
ID: 39690832
So I just got this working.  Upon reviewing my certificates I found I was missing, or lacked, one from before.  I just had an active certificate with the certificate template of Directory Email Replication and Domain Controller Authentication.  Once I requested a certificate with the template Domain Controller, everything came back to life.  Reading some posts, particularly the one below, made me realize this.

http://setspn.blogspot.com/2010/12/error-selecting-certificate-when.html?showComment=1313245992613#c778045168030747809

Regarding the post above, it appears you do need the subject.  I am unable to associate a certificate for PEAP without a subject.
LVL 47

Expert Comment

by:Craig Beck
ID: 39690870
You 100% don't need to configure a subject name in the certificate when you request a computer certificate as the computer's identity IS the subject and can't be changed.

Author Comment

by:silvercas
ID: 39690879
But these weren't computer certs; they are domain controller certs.
LVL 47

Expert Comment

by:Craig Beck
ID: 39690905
It doesn't matter... the identity of the machine is what matters when providing a certificate for NPS.  If the machine NPS is running on is a DC you don't need to enrol for a certificate at all as long as the CA certificate is valid.

Assisted Solution

by:silvercas
silvercas earned 0 total points
ID: 39690946
If the cert doesn't have a subject I was unable to associate it with PEAP.
LVL 47

Expert Comment

by:Craig Beck
ID: 39690961
My point is that the certificate does have a subject and you can't change it, so you can't specify it.  The certificate subject is the computer identity.
LVL 4

Assisted Solution

by:askincakir
askincakir earned 1000 total points
ID: 39691881
Hi,

The simplest way of getting the right certificate is to install IIS on the machine where NPS is installed.  In the IIS management/certificates page you can request a certificate from your domain CA, and it would also be suitable for your NPS.  After getting the certificate from IIS, at the NPS site you can use it with no problems.
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 39692356
...or just enrol for a computer certificate!

http://technet.microsoft.com/en-us/library/cc730811.aspx

Pay special attention to the caution at the bottom.
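To see why NPS refuses a given certificate, the computer store can be checked against the requirements in the TechNet page above: a non-empty Subject, Server Authentication in the EKU, a private key, an unexpired certificate and a chain that validates. The PowerShell below is an added example, not code from this thread; it assumes an elevated session on the NPS host itself, and the `Problems` column names the failing check (a certificate whose template leaves the Subject blank and puts the DNS name only in the SAN fails the first check, which is the symptom the question describes).

```powershell
# Added example: audit Cert:\LocalMachine\My on the NPS host for a certificate
# that satisfies the PEAP/EAP server certificate requirements.
# Assumption: run in an elevated PowerShell session on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                              # EKU: Server Authentication
$templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'    # v1 / v2 template extensions
$cs   = Get-WmiObject Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"                         # name a client expects to see

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Which CA template issued it (e.g. "DomainController", "Machine", or v2 "Template=..." text)
    $template = ($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                 ForEach-Object { $_.Format($false) }) -join '; '
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ' '
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A missing EKU extension counts as a failure: Server Authentication must be listed explicitly
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) }

    $problems = @()
    if (-not $cert.Subject)            { $problems += 'empty Subject' }
    if (-not $hasServerAuth)           { $problems += 'no Server Authentication EKU' }
    if (-not $cert.HasPrivateKey)      { $problems += 'no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter.ToShortDateString())" }
    if (-not $cert.Verify())           { $problems += 'chain/revocation check failed' }
    # Not an NPS requirement, but clients that validate the server name will reject a mismatch
    $warnings = @()
    if ($cert.Subject -notmatch [regex]::Escape($fqdn) -and $san -notmatch [regex]::Escape($fqdn)) {
        $warnings += "FQDN $fqdn not in Subject or SAN"
    }
    New-Object PSObject -Property @{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        Template    = $template
        NotAfter    = $cert.NotAfter
        UsableByNPS = ($problems.Count -eq 0)
        Problems    = (($problems + $warnings) -join '; ')
    }
} | Sort-Object UsableByNPS -Descending |
    Format-Table Thumbprint, Subject, Template, NotAfter, UsableByNPS, Problems -AutoSize -Wrap
```

Run it again after enrolling the new certificate and confirm the thumbprint NPS is pointed at shows `UsableByNPS` as True.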

Author Comment

by:silvercas
ID: 39692413
I appreciate all the feedback.

I read about the idea of installing IIS.  I don't want to venture down this path as this is a DC and already has enough on it.  Configuring another server for NPS is looking more like a reality soon.

This morning, as I read, my Domain Controller certificate disappeared since a newer Domain Controller Authentication certificate was already in place.  I believe that I can get the Domain Controller certificate again and expire the Domain Controller Authentication cert.  Any words of caution?  The current NPS server is a domain controller.

One last point: when I try to request a certificate other than the three I mentioned, they are listed as unavailable.  From reading, this is a security setup issue?

Author Closing Comment

by:silvercas
ID: 39726173
NPS moved off DC