NPS, Public Cert and Multiple Servers

Question
Hi,
We have two NPS proxies and 4 NPS servers behind them.
The proxies are servicing many WiFi APs for dynamic VLAN using dot1x and authentication using PEAP/MSCHAPv2.
I found some related posts but none of them was totally complete.
The main question is: has anyone bought a public cert for NPS which is working? I chatted with GoDaddy and GeoTrust and Thawte but they never gave me a total solution or a definite YES or NO.
They just say if it is that way or this way, yes we can, otherwise no, so I cannot reach a final decision.
And after that the question is: can I install one cert on all NPS servers?
Thanks all
Wednesday, January 9, 2013 6:20 AM
Answers
My problem is solved.
I bought valid public certs from GeoTrust and installed them on my servers.
All devices are working well.
- Marked as answer by Mo.Gan Monday, April 29, 2013 8:47 AM
Monday, April 29, 2013 8:47 AM
All replies
Hi,
The SAN (subject alternate name) must be the FQDN of the NPS server. There is a previous forum thread where someone tried purchasing a single certificate with several NPS names in the SAN. This did not seem to work, whereas using a single NPS name in the SAN did work.
I recommended this topic in that thread: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx.
I hope this helps,
-Greg
Wednesday, January 9, 2013 8:44 PM
Thanks Greg,
You know this may seem some kind of business and sales question.
As a matter of fact, I wonder if anyone has bought a public cert for their NPS server and it has worked, especially if they have installed it on multiple servers.
Unfortunately GoDaddy, Thawte and .. do not give me a direct and sure YES; as I said, they just say it should work as long as it is X.509 and ...
So let's make my questions straight:
1- Has anybody successfully purchased and installed certificates from a public cert provider (and from whom) for an NPS server?
2- Has this worked on multiple servers? Or, as the server name should be there, do we have to buy a single cert for each of our four NPS servers? (We have two NPS proxies, each one pointing to two servers in two sites.)
Thanks again
Thursday, January 10, 2013 4:51 AM
Hi,
I have not used a public cert myself. Someone else might reply here saying they have used one.
The thread that I linked does have someone who used a public certificate and it worked, but they had to use a single NPS name in the SAN instead of multiple server names. I hope this is clear.
-Greg
Thursday, January 10, 2013 4:57 AM
OK,
Seems there is no way except purchasing and testing.
I will go through GoDaddy and hope they support a computer certificate for encipherment and digital signature for 802.1X PEAP MSCHAPv2 on NPS servers :|
Thursday, January 10, 2013 5:07 AM
OK,
Trouble here.
I bought it from GoDaddy and put the cert on the server.
A new laptop is added to the network and while trying to connect it fails.
The certificate (GoDaddy ..) is identified by the server but the NPS server log says:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: domain\testuser
Account Name: testuser
Account Domain: domain
Fully Qualified Account Name: domain\testuser
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-20-A6-B4-2E-C4:GBG
Calling Station Identifier: 64-27-37-B8-B4-17
NAS:
NAS IPv4 Address: 172.20.20.103
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: Automative-Proxy
Client IP Address: 172.21.0.68
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Wifi-Vlan400-Lan-Wihout-Internet
Authentication Provider: Windows
Authentication Server: DC2.domain.net
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 262
Reason: The supplied message is incomplete. The signature was not verified.
Monday, January 14, 2013 8:20 AM
The problem is solved by changing the EAP type to MSCHAP-v2.
Windows 7 and 8 are OK but the problem still exists with Windows XP and, more important than that, Windows Mobile phones!
1. Windows XP clients cannot connect to the 802.1x network with PEAP (EAP-MSCHAP-V2 EAP Type), and I get the “The client and server cannot communicate, because they do not possess a common algorithm.” error message.
2. Windows Mobile devices also cannot connect to the network and they receive the error “Cannot log on to the wireless network. This network requires a personal certificate to positively identify you”. Any help is greatly appreciated, especially on mobile devices with the Windows Mobile OS.
Tuesday, January 15, 2013 4:46 AM
Hi M,
Your problem is still the cert. I've been through a few months of this pain myself. I had the exact same problem with XP clients, but the reason is that XP is unforgiving when it comes to incorrect certs, whereas 7, 8 and Windows Phone accept the bad cert. When you get the cert right it will work fine for XP too. I use Comodo public certs. You have to be very careful when generating the cert request from NPS, and ensure Key Usage is "Digital Signature" and Extended has "Server Authentication" and "Key Encipherment" selected. For Cryptographic Service Provider select "Microsoft Strong Cryptographic Provider RSA".
Monday, April 29, 2013 8:33 AM
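The two replies above (Greg's point that the SAN must carry the NPS server's own FQDN, and the later reply's list of required key usages) can be checked before any client is pointed at the server. The following PowerShell is an added example written for this thread, not code from the thread or from Microsoft; it assumes the certificate is already installed in the local machine Personal store of the NPS server and that the server's FQDN is the local hostname (adjust $Fqdn otherwise).

```powershell
# Added example: audit computer certificates in the NPS server's machine store
# for the properties this thread says PEAP needs. Assumes it runs on the NPS
# server itself; $Fqdn is the name clients must find in the certificate SAN.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-NpsPeapCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ServerFqdn
    )
    $findings = @()

    # 1. NPS must hold the private key, or it cannot sign the TLS handshake.
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key in the store' }

    # 2. Extended Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))) {
        $findings += 'EKU lacks Server Authentication'
    }

    # 3. Key Usage should carry Digital Signature and Key Encipherment (RSA key exchange).
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
            if ($ku.KeyUsages.ToString() -notmatch "\b$flag\b") { $findings += "Key Usage lacks $flag" }
        }
    }

    # 4. The server's FQDN must be a DNS name in the Subject Alternative Name (OID 2.5.29.17).
    #    Format($false) on Windows renders entries as "DNS Name=host, DNS Name=host2".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if ($dnsNames -notcontains $ServerFqdn) { $findings += "SAN [$($dnsNames -join ', ')] does not list $ServerFqdn" }

    # 5. A cert outside its validity window is rejected by every supplicant.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $findings += 'certificate is outside its validity period' }

    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; Ok = ($findings.Count -eq 0); Findings = $findings }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-NpsPeapCertificate -Cert $_ -ServerFqdn $Fqdn } | Format-List
```

Run it on each of the four NPS servers; a certificate that reports Ok = True on one server will still fail check 4 on another unless that server's FQDN is also in the SAN, which is the multi-server behaviour Greg describes.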