How can an NPS server restrict client computer certificates to a specific CA and verify that the computer hostname matches the certificate FDN

  • Question

  • Hi All,

    I would like to seek advice on whether NPS on Server 2016 can restrict authentication ONLY to clients whose computer certificate was issued by a specific CA, as well as verify that the wired computer's hostname matches the FDN in the client computer certificate. The target is that NPS grants access to domain computers with a certificate issued by the internal CA (denying certificates from other CAs even if they are in Trusted Root CAs), and also denies domain computers using a certificate issued by the internal CA whose FDN does NOT match the computer's name.

    The following is my test setup and results:

    Server: Windows server 2016 STD with NPS role

    Switch: Cisco 3750G [Configured with dot1x, ports enabled dot1x for VLAN control]

    Client: Windows 7 and Windows 10 laptop

    Authentication mode: Computer authentication,

    Authentication method: PEAP, smartcard or other certificate

    Both the NPS server and the client laptops have the same Trusted Root CAs, including the internal CAs as well as some third-party CAs, and have enrolled the required server certificates and computer certificates.

    Added NPS network policy to grant access for conditions: Windows group= <my domain>\Domain Computers, NAS port type= Ethernet

    Test results: NPS works for granting access to our domain laptops with computer certificates, but we also find that access is also granted to domain computer A, which has imported another domain computer B's computer certificate. The NPS log shows that computer A can use computer B's computer account for the request. And I found there is no condition or constraint in the NPS policy for controlling the client certificate's CA.


    Thursday, February 23, 2017 4:08 AM
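The symptom described in the test results (one machine account authenticating from a different endpoint because its certificate was copied) can at least be detected after the fact in the NPS access-granted records, even if the policy itself cannot constrain the issuing CA. The following is an added example, not code from the post or from Microsoft; it uses constructed sample records in a simple key=value layout that is an assumption for this example (the real NPS log is a different format, so adapt `parse_record()` to it), and it flags any account that was granted wired access from more than one Calling-Station-ID (the switch-reported endpoint MAC) within the log window.

```python
"""Flag a machine account that was granted 802.1X access from more than one
endpoint, which is what a copied computer certificate looks like in the log.
Added example with constructed sample data; not NPS's own log format."""
import re
from collections import defaultdict

# Constructed sample records (labelled as such): the field names are assumed
# for this example and the key=value layout is not the real NPS log format.
SAMPLE_LOG = """\
time=2017-02-23T03:55:10Z account=CORP\\LAPTOP-A$ calling_station=00-11-22-AA-AA-AA nas_port_type=Ethernet result=granted
time=2017-02-23T03:57:42Z account=CORP\\LAPTOP-B$ calling_station=00-11-22-BB-BB-BB nas_port_type=Ethernet result=granted
time=2017-02-23T04:01:05Z account=CORP\\LAPTOP-B$ calling_station=00-11-22-AA-AA-AA nas_port_type=Ethernet result=granted
time=2017-02-23T04:03:30Z account=CORP\\LAPTOP-C$ calling_station=00-11-22-CC-CC-CC nas_port_type=Ethernet result=rejected
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Split one key=value record into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def find_shared_accounts(log_text: str, nas_port_type: str = "Ethernet") -> dict:
    """Return {account: sorted MAC list} for every account that was granted
    access on the given NAS port type from more than one calling station."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        # Only successful wired authentications are relevant here.
        if rec.get("result") != "granted" or rec.get("nas_port_type") != nas_port_type:
            continue
        seen[rec["account"].upper()].add(rec["calling_station"].upper())
    return {acct: sorted(macs) for acct, macs in seen.items() if len(macs) > 1}


def main():
    for acct, macs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{acct} was granted access from {len(macs)} endpoints: {', '.join(macs)}")


if __name__ == "__main__":
    main()
```

In the sample data, LAPTOP-B$ shows up from both its own MAC and LAPTOP-A's MAC, which is the case the post describes. Treat a hit as a lead rather than proof: a laptop moved between a docking station and its built-in NIC legitimately changes Calling-Station-ID, so correlate with the switch port and the time between the two grants before acting on it.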

All replies

  • Hi,

    >>The NPS log shows that computer A can use computer B's computer account for the request. And I found there is no condition or constraint in the NPS policy for controlling the client certificate's CA.

    I have checked in my lab; there is no such policy in NPS that could compare the computer's hostname with the client computer certificate's FDN, and I didn't find any official document talking about this behavior.


    Best Regards
    Cartman
    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 23, 2017 9:49 AM