NPS server certificates and wireless security

Posted on 2013-12-20
Last Modified: 2013-12-27
I am setting up wireless with certificates but I am having an issue with the "Authentication Mode". If I choose "User re-authentication" under the security tab (second screenshot) it fails with the error "No credentials are available in the security package" but if I choose "Computer Authentication" it works fine.

I don't understand why I can't use "User re-authentication". Here are some screenshots to help show the configuration of NPS on Windows 2008; the client is Windows 7 configured with Group Policy. The error at the end is from the Event Viewer.

NPS Configuration
Client Configuration
Client Configuration
Event Viewer Client error
Question by:MCSF

Expert Comment

ID: 39732669
I'm wondering why you're even seeing that option.  What I see is on Win7 and 2008R2...
Authentication options
Are you trying to use user certificates or computer?

Author Comment

ID: 39732880
It's Windows 2008 Datacenter. I am using Group Policy directly on that server if that's the difference?

I am not very good with the certificates to be honest. It's a "Client Authentication, Server Authentication" certificate if that helps.

What we had before was PEAP with MSCHAPv2 (instead of smart card or certificate). That worked fine but we are finding people with iDevices using their Windows username and password to log on to the wireless.

What we are trying to do is require a certificate to login. When I changed it to certificate it failed until I changed the Authentication Mode to computer authentication. I am just trying to understand why.

Ultimately we want to require both Windows and iDevices to authenticate with a certificate. I am having a hard time using the correct combination of NPS policies/conditions to catch the Windows devices in one policy and iDevices as another.

The "Windows Version" in conditions would work great but we don't run the NAP software (I am not sure on the name) required to do a Windows version check.

Expert Comment

ID: 39733086
Perhaps that is the wording on 2008 machines, unfortunately I don't have any that I can see for myself.  What other options are available for the authentication mode dropdown?
For certificates, it's a matter of which entity (the user or the computer) the certificate was issued to.  It could be one or the other, or both, or neither.  Since it worked when you changed to computer authentication, the computer must have a certificate (unless you're allowing some other authentication type through another policy on the NPS).  You can see what certificates are available for a user and for the computer by opening mmc.exe and adding the Certificates snap-in.  Add it twice: once selecting "My user account", and again selecting "Computer account" > Next > "Local computer".  The certificates will be shown in the Personal store.

This is some conjecture here, but I think you'll need to have two network policies, one for the iDevices, and one for Windows.  Set the conditions for each policy so each applies to a group (i.e. one policy applies to "idevice-group" with appropriate members, and the other policy applies to "windows-group").  The iDevice group policy should use "Microsoft: Smart card or other certificate" under Constraints > Authentication Methods (because I don't think they support PEAP-TLS, only EAP-TLS).  The Windows group policy should use "Microsoft: Protected EAP (PEAP)".

Author Comment

ID: 39736421
Good morning, A picture is worth a thousand words. :) I added a screenshot to see the options available for Authentication Mode.

I also checked the version of the 2008 server which is running NPS and Group Policy and from the command line it shows 6.0.6002.

Under certificates "Certificates - Current User" it's empty. Under "Certificates (Local Computer)" there is a certificate. I posted a screenshot below. I think that is the certificate we are using.

Thank you for the tips on creating two groups/policies. I feel like I am on the right track after what you posted.

I currently do have two policies but I still don't know how to get it to work completely because some users will belong to both groups. For example Jane from Auditor's could be both a laptop user and an iDevice user. That's why I was trying to use the Windows version condition as a "net" for Windows devices and all other devices like iDevices (or possibly some other hardware/OS) as a 2nd policy.

What I have been testing with is a piece of software named "iPhone Configuration Utility" which I have been using to load the certificate and also a username and password to the device. The NPS condition is the user credentials for iDevices (which is loaded with the utility) and the Constraints--Authentication Method is the certificate. I haven't fully tested this yet and I don't know if there's an easier/better way to do this. I was trying to think of some way to flag or group iDevices but my only condition is what group they belong to and that group membership is still based on their user credentials. Which worries me for another reason too since we force password changes every 90 days.

I originally had added the Windows version check and it failed and for the life of me I couldn't figure it out until I saw that condition is reliant on the agent being loaded.

Authentication Mode options
(Local Computer) certificate

Accepted Solution

footech earned 500 total points
ID: 39736801
Thanks for the screenshots.
With there only being a computer cert, I think that explains why the user re-authentication option didn't work.  The way I understand it, the way that works is that the machine will be authenticated before a user logs in, then after login the connection should be re-authenticated with user credentials.  Since there isn't a user certificate this fails.

So what I was thinking was to only authenticate the computer, regardless of which user was using it.  So it wouldn't matter if the user was on a Windows device or an Apple device.  This is no problem for domain-joined Windows machines with certificate auto-enrollment, but for iDevices it's another matter.  I would probably just create an idevice user, issue a cert to it, then export it and deploy it to the Apple devices.  Group membership is set in AD.  Passwords won't be used so it won't matter when they expire, but the certificate will have to be renewed when it expires and then pushed out to devices.
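The check footech describes (look in the user's Personal store and the computer's Personal store for a certificate that EAP-TLS can actually use) can be scripted. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it runs on the Windows 7 client, filters each store for a non-expired certificate with a private key and the Client Authentication EKU, and then reads the 802.1X authMode out of the exported WLAN profile so you can see whether the profile will attempt a user authentication after logon. The profile name "CorpWifi" is an assumption; substitute your own SSID profile.

```powershell
# Added example, not part of the original thread.
# Assumptions: run on the Windows 7 client in an elevated PowerShell session;
# the WLAN profile name "CorpWifi" is hypothetical.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, what EAP-TLS looks for

function Get-EapTlsCandidates {
    # Returns certificates in the given store that EAP-TLS could present:
    # private key present, not expired, and Client Authentication in the EKU list.
    # (A certificate with no EKU extension at all is valid for any purpose and
    # would be missed here; that case is rare for enrolled client certs.)
    param([Parameter(Mandatory = $true)][string]$StorePath)   # e.g. Cert:\LocalMachine\My
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

$computerCerts = @(Get-EapTlsCandidates -StorePath 'Cert:\LocalMachine\My')
$userCerts     = @(Get-EapTlsCandidates -StorePath 'Cert:\CurrentUser\My')

"Computer store: $($computerCerts.Count) usable Client Authentication certificate(s)"
$computerCerts | Format-Table -AutoSize
"User store:     $($userCerts.Count) usable Client Authentication certificate(s)"
$userCerts | Format-Table -AutoSize

# Export the WLAN profile and read the OneX authMode element.
# Values are machine, user, machineOrUser or guest; when the element is absent
# the profile behaves as machineOrUser.
$ProfileName = 'CorpWifi'   # hypothetical; substitute your SSID profile
$exportDir = Join-Path $env:TEMP 'wlanprofile-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null

$xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) {
    Write-Warning "No profile named '$ProfileName' was exported; check 'netsh wlan show profiles'."
    return
}

[xml]$profileXml = Get-Content -Path $xmlFile.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($profileXml.NameTable)
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
$authModeNode = $profileXml.SelectSingleNode('//onex:authMode', $ns)
$authMode = if ($authModeNode) { $authModeNode.InnerText } else { 'machineOrUser (default, element absent)' }
"Profile '$ProfileName' authMode: $authMode"

# The combination the thread ran into: the profile will try to authenticate the
# user after logon, but the user store holds nothing EAP-TLS can present.
if ($authMode -notlike 'machine' -and $userCerts.Count -eq 0) {
    Write-Warning ("authMode '$authMode' attempts user EAP-TLS after logon, but the user store has no usable " +
                   "certificate; expect 'No credentials are available in the security package'. " +
                   "Either enroll a user certificate or set the profile to computer (machine) authentication.")
}
```

Run it once as the logged-on user so `Cert:\CurrentUser\My` reflects the account that will actually hit the re-authentication step; the computer store is the same regardless of who runs it.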

Author Comment

ID: 39737103
Oh, ok, I think I understand for the Windows devices. For the iDevices it really doesn't matter if the password is expired or not (does it matter if the account is disabled even?). As long as the group membership is in place they should work for the NPS condition check. As for Constraints it will be a device certificate "Microsoft: Smart card or other certificate". I think I saw in the iPhone Configuration Utility it does have a spot to enter PEAP information. I don't know if it works or not. The main concern will be whether or not the certificate expires annually. Is that correct? Right now it's not many devices so I think that would work great.

After reading what you wrote I did find this on another site. I will have to give the PEAP a shot because then technically it could be just one policy to cover both Windows and iDevices since they would both use PEAP and a certificate.


Does the iPad support LEAP or PEAP Wi-Fi authentication?

Apple has not mentioned whether or not the iPad will support LEAP or PEAP Wi-Fi authentication. iPhones already have EAP (Extensible Authentication Protocol) support via the iPhone Configuration Utility. Since the iPad will run iPhone OS 3.2, it's likely that support for these will be included.
iPhone users are limited to WEP, WPA, WPA2, WPA Enterprise, and WPA2 Enterprise when connecting to Wi-Fi networks without custom configuration profiles.
The iPhone Configuration Utility supports TLS, LEAP, TTLS, PEAP, and EAP-FAST.

Expert Comment

ID: 39737210
It does matter if the account is enabled.  Apple devices support PEAP authentication with MSCHAPv2, but not with certs (TLS), that's why we have to use EAP-TLS for them, and why we use two different network policies in NPS.  A policy shouldn't have both PEAP and EAP types at the same time.
Correct about the certs expiring annually (though you could issue certs that are valid for a longer period).

Author Comment

ID: 39738079
Ok, that makes sense. I learned several new things from you on this project and I really appreciate all the information and help from you. I think Thursday morning I am going to start putting all the pieces together and start testing. We have half a day off today and of course tomorrow we are closed. I hope you have a great holiday and thank you again! :)

Expert Comment

ID: 39738420
You're welcome.  Have a great Christmas!

Author Closing Comment

ID: 39742849
Footech really went above and beyond to teach me some additional new things. A really great asset. Thank you.
