NPS, Public Cert and Multiple Servers

All replies

• 

  

  1

  Sign in to vote

  Hi,

  The SAN (subject alternate name) must be the FQDN of the NPS server. There is a previous forum thread where someone tried purchasing a single certificate with several NPS names in the SAN. This did not seem to work, whereas using a single NPS name in the SAN did work.

  I recommended this topic in that thread: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx.

  I hope this helps,

  -Greg

  .

  Wednesday, January 9, 2013 8:44 PM
• 

  

  0

  Sign in to vote

  Hi,

  The SAN (subject alternate name) must be the FQDN of the NPS server. There is a previous forum thread where someone tried purchasing a single certificate with several NPS names in the SAN. This did not seem to work, whereas using a single NPS name in the SAN did work.

  I recommended this topic in that thread: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx.

  I hope this helps,

  -Greg

  .

  Thanks Greg

  u know this may seem some kind of business and sales question

  as a matter of fact, i wonder if anyone has bought a public cert for its nps server and it has worked !? especially if he has installed it on multiple server

  unfortunately godaddy, thawte and .. do not give me a direct and sure YES, as i said they just say it should work as long is it is x509 and ...

  so let's make my questions straight

  1- has anybody successfully purchased and installed certificates from a public cert provider (and from who) for nps server ?

  2- has this worked on multiple servers ? or as the server name should be there, we have to buy for single cert for our four nps servers ? (we have two nps proxy each one pointing to two servers in two sites)

  thanks again

  Thursday, January 10, 2013 4:51 AM
• 

  

  0

  Sign in to vote

  Hi,

  I have not used a public cert myself. Someone else might reply here saying they have used one.

  The thread that I linked does have someone who used a public certificate and it worked, but they had to use a single NPS name in the SAN instead of multiple server names. I hope this is clear.

  -Greg

  Thursday, January 10, 2013 4:57 AM
• 

  

  0

  Sign in to vote

  Hi,

  I have not used a public cert myself. Someone else might reply here saying they have used one.

  The thread that I linked does have someone who used a public certificate and it worked, but they had to use a single NPS name in the SAN instead of multiple server names. I hope this is clear.

  -Greg

  ok

  seems there is no way except purchasing and testing

  i will go through godaddy and hope they support a computer certificate for encipherment and digital signature for a .1x PEAP MSCHAPv2 on nps servers :|

  Thursday, January 10, 2013 5:07 AM
• 

  

  0

  Sign in to vote

  Ok

  trouble here

  i bought it from godaddy and put the cert on the server

  a new laptop is entered to the network and while trying to coonect it fails

  the certificate (godaddy ..) is identified by the server but nps server log says :

  Network Policy Server denied access to a user.
  
  Contact the Network Policy Server administrator for more information.
  
  User:
                  Security ID:                                            domain\testuser
                  Account Name:                                     testuser
                  Account Domain:                                 domain
                  Fully Qualified Account Name:          domain\testuser
  
  Client Machine:
                  Security ID:                                            NULL SID
                  Account Name:                                     -
                  Fully Qualified Account Name:          -
                  OS-Version:                                           -
                  Called Station Identifier:                      00-20-A6-B4-2E-C4:GBG
                  Calling Station Identifier:                     64-27-37-B8-B4-17
  
  NAS:
                  NAS IPv4 Address:                                172.20.20.103
                  NAS IPv6 Address:                                -
                  NAS Identifier:                                       -
                  NAS Port-Type:                                     Wireless - IEEE 802.11
                  NAS Port:                                               0
  
  RADIUS Client:
                  Client Friendly Name:                           Automative-Proxy
                  Client IP Address:                                  172.21.0.68
  
  Authentication Details:
                  Connection Request Policy Name:     Secure Wireless Connections
                  Network Policy Name:                         Wifi-Vlan400-Lan-Wihout-Internet
                  Authentication Provider:                     Windows
                  Authentication Server:                         DC2.domain.net
                  Authentication Type:                           PEAP
                  EAP Type:                                               -
                  Account Session Identifier:                 -
                  Logging Results:                                   Accounting information was written to the local log file.
                  Reason Code:                                        262
                  Reason:                                                  The supplied message is incomplete.  The signature was not verified.
  
  
  

  Monday, January 14, 2013 8:20 AM
• 

  

  0

  Sign in to vote

  problem is solved by changing eap type to mschap-v2

  windows 7 and 8 is ok but problem still exists with windows xp and more important than that windows mobile phones !

  1.    Windows XP Clients cannot connect to the 802.1x network with PEAP (EAP-MSCHAP-V2 EAP Type). And I have the “The client and server cannot communicate, because they do not possess a common algorithm.” Error message
  2.    Windows Mobile Devices also cannot connect to the network and they receive an error “Cannot log on to the wireless network. This network requires a personal certificate to positively identify you” Error message

  any help is greatly appreciated specially on mobile devices with windows mobile OS

  Tuesday, January 15, 2013 4:46 AM
• 

  

  0

  Sign in to vote

  problem is solved by changing eap type to mschap-v2

  windows 7 and 8 is ok but problem still exists with windows xp and more important than that windows mobile phones !

  1.    Windows XP Clients cannot connect to the 802.1x network with PEAP (EAP-MSCHAP-V2 EAP Type). And I have the “The client and server cannot communicate, because they do not possess a common algorithm.” Error message
  2.    Windows Mobile Devices also cannot connect to the network and they receive an error “Cannot log on to the wireless network. This network requires a personal certificate to positively identify you” Error message

  any help is greatly appreciated specially on mobile devices with windows mobile OS

  Hi M,

  Your problem is still the Cert. I've been through a few months of this pain myself. I had the exact same problem with XP clients, but the reason is that XP is unforgiving when it comes to incorrect certs, where as 7, 8 and windows phone accept the bad cert. When you get the cert right it will work fine for XP too. I use Comoodo poublic certs. You have to be very careful when generating the cert request from NPS, and ensure Key usage is "Digital signature" and Extended have "server authentication" and "key encipherment" selected. For Cryptographic service provider select "Microsoft Strong Crypographic Provider RSA"

  Monday, April 29, 2013 8:33 AM
• 

  

  0

  Sign in to vote

  My problem is solved

  i bought valid public certs from geotrust and installed it on my servers

  all devices are working well

  • Marked as answer by Mo.Gan Monday, April 29, 2013 8:47 AM

  Monday, April 29, 2013 8:47 AM