Internal wireless network clients rejected due to invalid server certificate

All of a sudden my clients could not connect to our internal wireless network.  The wireless configuration authenticates the server certificate so when I uncheck this under Wireless Properties, Security, Settings - "Valid Server Certificate" - they connect fine.
I discovered a 36881 event as folows "The certificate received from the remote server has either expired or is not yet valid. The SSL connection request has failed. The attached data contains the server certificate."

When I check the Certifcate Authority on my server, I do not see where this expired certificate is, in fact I do not even see where my certificates are!

Any help would be greatly received.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph NyaemaIT ConsultantCommented:
What AP are you using (Name and model)?  Also what date and time is set on the AP (time differenct with DC/CA?)?
fuzzyfreakAuthor Commented:
Thanks for your response but this does not relate to the AP as it is trying to authenticate with a server certificate.
I appear to have at least discovered the outdated certificate on my machine through MMC\certificates\computer account\intermediate...\certificates but on restarting my computer, this does not appear to have updated - do I need to create a new certificate on the server?
fuzzyfreakAuthor Commented:
I am getting rather confused by this.  Where is it looking for a valid certificate?  I have tried exporting a cert from my server - a few exist and they are all valid. On import I have tried automatic and trusted root certification authority, but Group Policy should install the valid one anyway, however, so long as my wireless connection validates the certificate.....hmmm, now it won't work at all.
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

fuzzyfreakAuthor Commented:
Joseph NyaemaIT ConsultantCommented:
You are not giving much detail, so I will work with assumptions.

For one, you are not going to the right folder to see the computer certificates on your server.  Should be under
Certificates (Local Computer)\Personal\Certificates

I assume the server you are looking at is your NPS Server.
Open the NPS Console and navigate to
NPS\Policies\Connection Request Policies
Right Click on NAP 802.1x (Wireless) or whatever name you have given the policy and click on properties.
Click on the Settings Tab then select Authentication Methods
Then select the EAP type your using (Microsoft: Protected EAP (PEAP) etc) and click Edit
From here you can view or select the SSL Certificate you want to use

With the two consoles you can view the expired certifcates, renew and select one you want to use.
fuzzyfreakAuthor Commented:
Thanks for the response and thanks for pointing out the location of my certificates.  They are all still in date, none have expired.
Your assumption is correct, this is my NPS server but I have been working on NPS\Policies\Network Policies - I am not sure how this differs from the Connection Request Policies but even making changes to that makes no difference.  I have now tried every possible combination yet I cannot connect.
I will post some further information which might help diagnose the issue.
fuzzyfreakAuthor Commented:
It seemed that all of a sudden, we could not connect to our 5Ghz network internal network.

I checked and assumed this was because of a Windows Server

Update referring to SHA512 (

I uninstalled this update and rebooted the server but this

did not help.

Next I noticed that because NPS authenticates with

certificates, the certificate on my machine was out of date, I deleted this and

manually reimported the certificate (thought his updates on reboot anyway via

GP) but this did not help.

I discovered an option where I could uncheck the

server certificate validation – at first this worked and got me on but this has

since stopped working.

I then made a copy of the policy and firstly removed the

constraints but this still did not connect.

So I added in all authentication methods but this

makes no difference –

I get the following Event on the server –

security: failure - 2014/07/16 13:50:06 -

Microsoft-Windows-Security-Auditing (6273) - n/a

 "Network Policy Server denied access to a user.

Contact the Network Policy Server

administrator for more information. User: Security ID: %1

Account Name: %2 Account

Domain: %3 Fully Qualified Account Name: %4 Client Machine:

Security ID: %5

Account Name: %6 Fully Qualified Account Name: %7

OS-Version: %8 Called Station

Identifier: %9 Calling Station Identifier: %10 NAS: NAS IPv4

Address: %11 NAS

IPv6 Address: %12 NAS Identifier: %13 NAS Port-Type: %14 NAS

Port: %15 RADIUS

Client: Client Friendly Name: %16 Client IP Address: %17

Authentication Details:

Connection Request Policy Name: %18 Network Policy Name: %19

Authentication Provider:

%20 Authentication Server: %21 Authentication Type: %22 EAP

Type: %23

Account Session Identifier: %24 Logging Results: %27 Reason

Code: %25 Reason: %26"

And the following in the NPS log –




data_type="1">311 1 07/15/2014 17:11:01


data_type="1">Virtual Private Network (VPN)





data_type="1">Secure Wireless








This differs depending on the change of authentication but

in a nutshell NPS is denying access and I can’t figure out why.
fuzzyfreakAuthor Commented:
This issue was down to incorrect certificate binding on my NPS server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fuzzyfreakAuthor Commented:
I had to contact MS in the end.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.