WiFi certificate issues on random Win10 machines

  • Question

  • Hi all :)

    I am having a strange issue in our company when deploying Win10 user computers.

    EXAMPLE: I have 3 computers in front of me, all same model, HP Elitebook 820 G3. This model was used before for Win7 without any issues.

    After Win10 is deployed (SCCM), some of the computers connect to our corporate WiFi and some don't. The computers that do not connect have a Schannel error in the event log saying the certificate is from an untrusted authority.

    This is completely random, which means some of the Win10 machines work fine, and all of the Win7 machines work fine. Also, there have been no recent changes to the environment.

    Drivers are fine, the certificate is present on all computers (pushed via GP), and the computers connect to any other WiFi just fine.

    Using PEAP. Have tried the workaround from "Windows 10 devices can't connect to an 802.1X environment" but it didn't work.

    Any suggestions, please? Getting desperate here.

    (sorry, cannot post pics or links yet - new account)

    Thank you

    Michal


    Tuesday, November 28, 2017 11:35 AM

Answers

  • Issue resolved!

    We had group policy set to Validate Server Certificate, BUT Win7 machines had this option unticked when I checked the preferences for that particular SSID - maybe a GPO misconfig somewhere.

    Apparently, the GP was applying only to Win10 machines, and so the option was ticked after joining the computer to our domain.

    We had to deploy a separate wireless GPO for Win10 machines which tells them not to validate the server certificate.

    Funnily enough, we got hold of the person who set this up and were told our WiFi is not meant to be using certificates, just domain credentials.

    Thanks

    Michal

    Wednesday, December 6, 2017 12:49 PM
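    The check a practitioner would want after this resolution, as an added example that is not part of the original thread and not Microsoft's code: the "Validate server certificate" checkbox that the Win10 GPO unticks is stored in an exported wireless profile as PeapExtensions/PerformServerValidation, with the pinned root CA thumbprint and accepted RADIUS server names under ServerValidation. With validation off, a PEAP client using domain credentials (inner EAP-MSCHAPv2) will complete the inner exchange with any RADIUS server that presents any certificate, which is what the script below flags as WEAK. It audits two constructed sample profiles (the weak state the thread deployed beside a hardened one) and, on a Windows host, the profiles actually saved on the machine. The SSID "CorpWiFi", the server name "radius.corp.example", the thumbprint and the folder path are placeholders; the sample XML is trimmed to the elements the check reads, and the live path assumes netsh.exe is available.

```powershell
# Added example (editor's, not from the thread or from Microsoft): audit exported WLAN profile XML
# for the PEAP "Validate server certificate" setting that the thread's Win10 GPO turned off.
# Assumptions: netsh.exe is available for the live export; the SSID "CorpWiFi", the RADIUS name
# "radius.corp.example" and the CA thumbprint used in the constructed samples are placeholders.

function Get-Node([xml]$Doc, [string]$Path) {
    # Profile XML mixes several xmlns declarations, so match on local-name() instead of prefixes.
    $xpath = ($Path -split '/' | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $Doc.SelectSingleNode("//$xpath")
}

function Test-PeapProfile([xml]$ProfileXml) {
    $name      = (Get-Node $ProfileXml 'WLANProfile/name').InnerText
    $outerType = Get-Node $ProfileXml 'Config/Eap/Type'           # 25 = PEAP, 13 = EAP-TLS
    if (-not $outerType -or [int]$outerType.InnerText -ne 25) {
        return [pscustomobject]@{ Profile = $name; Method = 'not PEAP'; Verdict = 'N/A'; Detail = '' }
    }

    # The "Validate server certificate" checkbox is PeapExtensions/PerformServerValidation; the pinned
    # root CA thumbprint(s) and the accepted RADIUS server names live under ServerValidation.
    $validate = (Get-Node $ProfileXml 'PeapExtensions/PerformServerValidation').InnerText -eq 'true'
    $roots    = @($ProfileXml.SelectNodes("//*[local-name()='TrustedRootCA']") | ForEach-Object { $_.InnerText.Trim() })
    $names    = (Get-Node $ProfileXml 'ServerValidation/ServerNames').InnerText
    $inner    = (Get-Node $ProfileXml 'EapType/Eap/Type').InnerText  # 26 = EAP-MSCHAPv2 (domain credentials)

    $problems = @()
    if (-not $validate)     { $problems += 'server certificate validation disabled' }
    if ($roots.Count -eq 0) { $problems += 'no TrustedRootCA pinned' }
    if (-not $names)        { $problems += 'no ServerNames restriction' }
    $verdict = if ($problems.Count) { 'WEAK' } else { 'OK' }

    [pscustomobject]@{
        Profile = $name
        Method  = "PEAP / inner EAP type $inner"
        Verdict = $verdict
        Detail  = $problems -join '; '
    }
}

function New-SampleProfile([bool]$Validate, [string]$ServerNames, [string]$RootThumbprint) {
    # Constructed sample trimmed to the elements the check reads; a real export carries more.
    $sv = ''
    if ($ServerNames)    { $sv += "<ServerNames>$ServerNames</ServerNames>" }
    if ($RootThumbprint) { $sv += "<TrustedRootCA>$RootThumbprint</TrustedRootCA>" }
    $flag = if ($Validate) { 'true' } else { 'false' }
    @"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>$sv</ServerValidation>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
          <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$flag</PerformServerValidation></PeapExtensions>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"@
}

# Weak: the state the thread's Win10 GPO produces. Hardened: validation on, root pinned, server name restricted.
$weak     = New-SampleProfile -Validate $false -ServerNames '' -RootThumbprint ''
$hardened = New-SampleProfile -Validate $true -ServerNames 'radius.corp.example' `
                              -RootThumbprint '0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d'
@($weak, $hardened) | ForEach-Object { Test-PeapProfile $_ } | Format-Table -AutoSize

function Get-WlanProfileAudit([string]$Folder = (Join-Path $env:TEMP 'wlan-audit')) {
    # Run on the affected laptop: without name=, netsh exports every saved profile as one XML file each.
    New-Item -ItemType Directory -Force -Path $Folder | Out-Null
    netsh wlan export profile folder="$Folder" | Out-Null
    Get-ChildItem -Path $Folder -Filter '*.xml' | ForEach-Object {
        Test-PeapProfile ([xml](Get-Content -Path $_.FullName -Raw))
    }
}
```

    For the constructed samples the first row comes back WEAK with all three findings and the second OK. Running Get-WlanProfileAudit on one of the laptops from the thread shows the same three fields for the corporate SSID: a Win7 machine with the option unticked and a Win10 machine after the new GPO both report validation disabled, while the thumbprint the profile pins (if any) is what the Schannel "untrusted authority" error in the question would be compared against.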

All replies

  • Hi Michal,

    If the client is a domain member, it will automatically trust the Root CA in the domain. You don't need to do anything at all with the client computer unless it is in a workgroup. This is the default behavior.

    Try rejoining the domain to check.

    Check the link below for the information provided by Greg Lindsay.

    https://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP

    Then you could check the connectivity issue with a single client by using the steps in the link below.

    https://www.networkworld.com/article/2160056/security/tips-for-troubleshooting-802-1x-connections.html

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Also, consider whether the user profile or network profile has something wrong on these computers.

    Check whether you can use a user account that works properly on a problem computer.

    Also, set up the connection manually to check.

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, November 29, 2017 9:06 AM
    Moderator
  • Hi Carl,

    Thank you for your advice.

    I have gone over some of the steps you provided, until I realized our Cisco ACS is missing some patches, which is most likely the cause.

    We'll be updating over the weekend and see if that resolves the issue. I will post my findings next week.

    Thank you

    Michal

    Friday, December 1, 2017 3:52 PM
  • Hi Michal,

    It's OK.

    If any further help needed, please feel free to post back.

    Regards,



    Tuesday, December 5, 2017 1:45 PM
    Moderator
  • Hi Michal,

    Thank you for your update.

    Glad to hear that you have solved the issue, and thank you for sharing it here; it will be helpful to other community members who have the same questions.

    If the reply is helpful, please remember to mark it as an answer, which can help other community members who have the same questions find the helpful reply quickly.

    If any further help needed, please feel free to post back.

    Regards,

    Carl



    Wednesday, December 6, 2017 1:05 PM
    Moderator