Solved

NPS SSL Certificate Issue for Windows 7 Wireless Clients

Posted on 2014-01-22
5
2,639 Views
Last Modified: 2014-02-01
Brand new Windows 7 Enterprise laptops will not connect to 802.1x internal wifi.
I have a GPO that creates the connection profile for the laptops.

I have a DigiCert SSL certificate installed on my NPS server (2008 R2 Enterprise) which is valid until 12/10/2014.  It's selected in the Network Policy under the PEAP (with EAP-MSCHAP v2) configuration.

The certificate was issued by the DigiCert Secure Server CA which is in the Trusted Root Certification Authorities store on the local computer.

As a troubleshooting step I exported the certificate from the NPS server and imported it directly into the Trusted Root CA on one laptop and still was unable to connect.

The event log on the client shows two schannel errors:
Error      1/22/2014 2:37:33 PM      Schannel      36888      The following fatal alert was generated: 45. The internal error state is 552.

Error      1/22/2014 2:37:33 PM      Schannel      36881      The certificate received from the remote server has either expired or is not yet valid. The SSL connection request has failed. The attached data contains the server certificate.

I'm at a complete loss because as far as I can tell the certificate should be trusted.  And as a note the client will not accept clearing the checkbox in the GPO to not check the certificate.

Any ideas?
0
Question by:sovran
5 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39801898
Check out the certification path of the certificate.  Perhaps there is an intermediate certificate that needs to be deployed.
Also, if the event contains the cert, can you verify that it is the cert that you think it is?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39805231
I think you need to uncheck the 'Validate Server Certificate' option in the PEAP properties page.  You'll find this in the GPO you configured.
0
 

Accepted Solution

by:
sovran earned 0 total points
ID: 39813627
I was able to determine the root cause of the RADIUS issues with the new Windows 7 machines.  It relates to these MS KBs (http://support.microsoft.com/kb/295663) & (http://support.microsoft.com/kb/2518158), which both show that the built-in Windows wifi supplicant does not automatically trust public CAs for NT authentication.

By running the following command (certutil -dspublish -f C:\digi_global_root_ca.cer NTAuthCA) I was able to set AD to publish the DigiCert Root CA as a trusted CA for NT authentication, and the three laptops that I've been testing with have connected successfully ever since.
0
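The fix above publishes the root CA into the forest-wide NTAuth store in Active Directory, and each domain member then pulls a copy into its local NTAuth cache. The following PowerShell script is an added example (not code from the thread or from Microsoft) that verifies both ends of that process, so you can confirm a CA is actually trusted for NT authentication before or after running certutil -dspublish. It assumes a domain-joined machine that can reach a domain controller, and the .cer path is a placeholder copied from the command in the answer; the registry location and the CN=NTAuthCertificates object are the standard Windows ones.

```powershell
# Added example, not part of the original thread.
# Checks whether a CA certificate is present in (1) the AD NTAuth store and
# (2) this machine's local NTAuth cache, which is what the PEAP supplicant consults.
# Assumptions: domain-joined host, reachable DC, $CerPath is a placeholder.
param(
    [string]$CerPath = 'C:\digi_global_root_ca.cer'   # placeholder path from the answer
)

Add-Type -AssemblyName System.DirectoryServices

function Get-CertThumbprintFromFile {
    param([string]$Path)
    # Load the DER/Base64 .cer and return its SHA-1 thumbprint (uppercase hex, no spaces)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

function Get-ADNTAuthThumbprints {
    # Reads CN=NTAuthCertificates in the configuration partition via ADSI (no RSAT needed).
    # Each cACertificate value is a raw DER blob, so we parse it to get the thumbprint.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $config  = "$($rootDse.configurationNamingContext)"
    $ntauth  = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$config"
    $thumbs  = @()
    foreach ($blob in $ntauth.Properties['cACertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        $thumbs += $c.Thumbprint
    }
    return $thumbs
}

function Get-LocalNTAuthCacheThumbprints {
    # Domain members cache the AD NTAuth store here; subkey names are thumbprints.
    # The cache refreshes with Group Policy, so a fresh dspublish is not visible instantly.
    $key = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    if (-not (Test-Path $key)) { return @() }
    return @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName })
}

function Test-NTAuthTrust {
    param([string]$Path)
    $want  = Get-CertThumbprintFromFile -Path $Path
    $inAD  = (Get-ADNTAuthThumbprints)            -contains $want
    $inLoc = (Get-LocalNTAuthCacheThumbprints)    -contains $want
    # Return an object rather than printing, so the result can be piped or asserted on
    return [pscustomobject]@{
        Thumbprint        = $want
        PublishedInAD     = $inAD
        InLocalNTAuthCache = $inLoc
        Status            = if ($inAD -and $inLoc) { 'trusted for NT auth' }
                            elseif ($inAD)        { 'published; local cache not yet refreshed' }
                            else                  { 'not published to NTAuth' }
    }
}

Test-NTAuthTrust -Path $CerPath | Format-List
```

If PublishedInAD is true but InLocalNTAuthCache is false, the dspublish worked and the client simply has not refreshed yet; running gpupdate on the client (or waiting for the next policy refresh) populates the local cache. If both are false after the certutil command, check that it was run with an account that can write to the configuration partition. certutil -viewstore -enterprise NTAuth shows the same AD store interactively.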
 
LVL 40

Expert Comment

by:footech
ID: 39813877
Thanks for posting back the solution you found.
0
 

Author Closing Comment

by:sovran
ID: 39826123
Because this fixed the issue without turning off certificate validation.
0
