Internal wireless network clients rejected due to invalid server certificate

Posted on 2014-07-15
Last Modified: 2014-07-28
All of a sudden my clients could not connect to our internal wireless network.  The wireless configuration authenticates the server certificate so when I uncheck this under Wireless Properties, Security, Settings - "Valid Server Certificate" - they connect fine.
I discovered a 36881 event as follows: "The certificate received from the remote server has either expired or is not yet valid. The SSL connection request has failed. The attached data contains the server certificate."

When I check the Certificate Authority on my server, I do not see where this expired certificate is, in fact I do not even see where my certificates are!

Any help would be greatly received.
Question by: fuzzyfreak
    LVL 16

    Expert Comment

    What AP are you using (Name and model)?  Also what date and time is set on the AP (time difference with DC/CA?)?
    LVL 4

    Author Comment

    Thanks for your response but this does not relate to the AP as it is trying to authenticate with a server certificate.
    I appear to have at least discovered the outdated certificate on my machine through MMC\certificates\computer account\intermediate...\certificates but on restarting my computer, this does not appear to have updated - do I need to create a new certificate on the server?
    LVL 4

    Author Comment

    I am getting rather confused by this.  Where is it looking for a valid certificate?  I have tried exporting a cert from my server - a few exist and they are all valid. On import I have tried automatic and trusted root certification authority, but Group Policy should install the valid one anyway, however, so long as my wireless connection validates the certificate.....hmmm, now it won't work at all.
    LVL 16

    Expert Comment

    You are not giving much detail, so I will work with assumptions.

    For one, you are not going to the right folder to see the computer certificates on your server.  Should be under
    Certificates (Local Computer)\Personal\Certificates

    I assume the server you are looking at is your NPS Server.
    Open the NPS Console and navigate to
    NPS\Policies\Connection Request Policies
    Right Click on NAP 802.1x (Wireless) or whatever name you have given the policy and click on properties.
    Click on the Settings Tab then select Authentication Methods
    Then select the EAP type you're using (Microsoft: Protected EAP (PEAP) etc) and click Edit
    From here you can view or select the SSL Certificate you want to use

    With the two consoles you can view the expired certificates, renew and select one you want to use.
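
A scripted version of the certificate check described in the comment above, as an added example that is not part of the original thread. It lists every certificate in the NPS server's Local Computer\Personal store with its validity window, Server Authentication usage, private key and chain status; the thumbprint shown in the PEAP "Edit" dialog can then be compared against the rows reported as in date.

```powershell
# Added example: audit certificates in Certificates (Local Computer)\Personal\Certificates
# that NPS could present for PEAP. Run in an elevated PowerShell session on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs; a certificate with no EKU extension is valid for all purposes.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $serverAuth = (-not $ekuExt) -or ($ekus -contains $serverAuthOid)

    # Event 36881 covers both cases: expired and not yet valid (clock skew).
    $validity = if ($now -lt $cert.NotBefore) { 'NotYetValid' }
                elseif ($now -gt $cert.NotAfter) { 'Expired' }
                else { 'InDate' }

    # Build the chain locally; revocation checking is skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Validity      = $validity
        ServerAuth    = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        ChainOk       = $chainOk
        ChainErrors   = $chainErrors
    }
} | Sort-Object NotAfter | Format-List
```

A row that is `InDate` with `ServerAuth` and `HasPrivateKey` both true and `ChainOk` true is a candidate for the PEAP server certificate; anything else selected in the policy will fail client-side validation.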
    LVL 4

    Author Comment

    Thanks for the response and thanks for pointing out the location of my certificates.  They are all still in date, none have expired.
    Your assumption is correct, this is my NPS server but I have been working on NPS\Policies\Network Policies - I am not sure how this differs from the Connection Request Policies but even making changes to that makes no difference.  I have now tried every possible combination yet I cannot connect.
    I will post some further information which might help diagnose the issue.
    LVL 4

    Author Comment

    It seemed that all of a sudden, we could not connect to our 5Ghz internal network.

    I checked and assumed this was because of a Windows Server Update referring to SHA512 (

    I uninstalled this update and rebooted the server but this did not help.

    Next I noticed that because NPS authenticates with certificates, the certificate on my machine was out of date, I deleted this and manually reimported the certificate (though this updates on reboot anyway via GP) but this did not help.

    I discovered an option where I could uncheck the server certificate validation – at first this worked and got me on but this has since stopped working.

    I then made a copy of the policy and firstly removed the constraints but this still did not connect.

    So I added in all authentication methods but this makes no difference –

    I get the following Event on the server –

    security: failure - 2014/07/16 13:50:06 - Microsoft-Windows-Security-Auditing (6273) - n/a

    "Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID: %1 Account Name: %2 Account Domain: %3 Fully Qualified Account Name: %4 Client Machine: Security ID: %5 Account Name: %6 Fully Qualified Account Name: %7 OS-Version: %8 Called Station Identifier: %9 Calling Station Identifier: %10 NAS: NAS IPv4 Address: %11 NAS IPv6 Address: %12 NAS Identifier: %13 NAS Port-Type: %14 NAS Port: %15 RADIUS Client: Client Friendly Name: %16 Client IP Address: %17 Authentication Details: Connection Request Policy Name: %18 Network Policy Name: %19 Authentication Provider: %20 Authentication Server: %21 Authentication Type: %22 EAP Type: %23 Account Session Identifier: %24 Logging Results: %27 Reason Code: %25 Reason: %26"

    And the following in the NPS log –

    data_type="1">311 1 07/15/2014 17:11:01
    data_type="1">Virtual Private Network (VPN)
    data_type="1">Secure Wireless

    This differs depending on the change of authentication but in a nutshell NPS is denying access and I can’t figure out why.
    LVL 4

    Accepted Solution

    This issue was down to incorrect certificate binding on my NPS server.
    LVL 4

    Author Closing Comment

    I had to contact MS in the end.
