Add an internal CA as a trusted or a trust anchor through GPO

    Question

  • I'm trying to implement EAP-TLS and I have an internal CA installed, NPS installed, RADIUS client APs installed and certs auto-enrolled through GPO for both users and PCs.

    When I go to connect it throws the following error:

    "The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to the security risk by a possible rogue server." 

    It lists my internal CA and says it's a legitimate cert but it's "not configured as a valid trust anchor for this profile."

    Can I push through a GPO a policy to trust my internal CA so it doesn't throw this error to users? I don't want my users ignoring errors and warnings like this in the future.

    Thursday, August 13, 2015 10:11 PM

Answers

  • Hi Serif,

    According to your error, I couldn't work out the main reason for the issue. Are there corresponding Events on the Server? What EAP method are you trying to use?

    You may also refer to the similar thread below.

    For the certificate validation prompt, check these settings:

    VPN connection properties -> Security tab -> make sure you have selected "Use Extensible Authentication Protocol (EAP)" and that "Microsoft: Protected EAP (PEAP) (encryption enabled)" is chosen in the drop-down menu, and then click on the "Properties" button.

    If "Validate server certificate" is selected make sure "Root CA" is selected under "Trusted Root Certification Authorities".

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5ad621a2-41c6-494f-8057-96180c329d37/nap-vpn-errors?forum=winserverNAP

    Hope it is helpful.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 20, 2015 5:06 AM
    Moderator

All replies

  • Yes, you can use policy. Export the cert from your CA and import it to the correct store (Trusted Root more than likely) in your GPO.

    https://technet.microsoft.com/en-us/library/cc772491.aspx?f=255&MSPPError=-2147217396


    Related TechNet forum: https://social.technet.microsoft.com/Forums/windowsserver/en-US/33a32bbd-c8a4-4063-ba25-db7da2e8272b/nps-radius-peap-using-3rd-party-certificate
    Friday, August 14, 2015 12:19 PM
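    As an added example (not from the thread or any poster), here is a PowerShell check a client admin can run after the GPO applies. It confirms two separate things the error message distinguishes: that the internal CA is in the machine Trusted Root store, and that the wireless profile's EAP configuration actually lists that CA as a trust anchor. The profile name and CA subject are placeholders.

    ```powershell
    # Added example, not from the thread. Verifies on a client that the internal CA is
    # (a) in the LocalMachine Trusted Root store (what the GPO should populate) and
    # (b) named as a trust anchor in the wireless profile's EAP server validation,
    #     which is what "not configured as a valid trust anchor for this profile" refers to.
    $ProfileName = 'CORP-WIFI'           # placeholder: wireless profile / SSID name
    $CaSubject   = 'CN=Contoso-Root-CA'  # placeholder: subject of the internal root CA

    # (a) Is the CA present in the machine Trusted Root store?
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
    if (-not $root) {
        Write-Warning "CA '$CaSubject' is not in LocalMachine\Root. Check the GPO path: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, then run gpupdate /force."
        return
    }
    "Root store: found $($root.Subject), thumbprint $($root.Thumbprint)"

    # (b) Export the profile XML and read the TrustedRootCA thumbprints from the EAP config.
    $tmp = Join-Path $env:TEMP 'wlan-profile-check'
    New-Item -ItemType Directory -Path $tmp -Force | Out-Null
    netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
    $xmlFile = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
    if (-not $xmlFile) { Write-Warning "Profile '$ProfileName' not found on this machine"; return }
    [xml]$profile = Get-Content $xmlFile.FullName

    # TrustedRootCA holds the thumbprint as space-separated hex; normalise before comparing.
    # local-name() sidesteps the EAP config namespaces in the exported XML.
    $anchors = $profile.SelectNodes('//*[local-name()="TrustedRootCA"]') |
               ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() }

    if ($anchors -contains $root.Thumbprint.ToUpper()) {
        "Profile '$ProfileName' lists the CA as a trust anchor: OK"
    } else {
        Write-Warning "Profile '$ProfileName' does not list $($root.Thumbprint) as a trust anchor. Anchors present: $($anchors -join ', ')"
        Write-Warning "Fix: in the GPO wireless policy (or the connection's EAP properties), tick the internal CA under 'Trusted Root Certification Authorities' so users are not asked to accept the server."
    }
    ```

    Passing check (a) but failing check (b) is the combination that produces the prompt in the question, because the client trusts the chain but the profile does not pin that CA for server validation.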
  • After reviewing the following article: https://social.technet.microsoft.com/Forums/windowsserver/en-US/33a32bbd-c8a4-4063-ba25-db7da2e8272b/nps-radius-peap-using-3rd-party-certificate

    I read that Windows CAs automatically publish their CA certificates to this store so I'm not sure why I am receiving this error.


    Friday, August 14, 2015 5:29 PM
  • Hi Serif77,

    Thanks for your post.

    As far as I know, the internal CA still needs to push these certificates into the trusted root certificate store on client machines by GPO. As you said, Windows CAs automatically publish their CA certificates to this store, but the process could still have a problem. In your scenario, the error shows a problem with the automatic publishing. Or maybe someone moved the CA. Please wait a while or reboot and try again. You could also use Group Policy to distribute the certificates to the clients.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 17, 2015 9:48 AM
    Moderator
  • I have exported a cert from my internal CA and imported it into the GPO's "Trusted Root Certificate Authorities" section. Still get the warning on the Windows machine when trying to connect wirelessly.
    Wednesday, August 19, 2015 3:44 PM