NPS Certificate with Internal Domain

  • Question

  • Hi all,

    We currently run an AD domain with an internal (.local) domain name. We're a school and run a BYOD program, so we have lots of non-domain machines; it's therefore important that the certificate used on our NPS server for our PEAP-secured wireless for these users is trusted. We've used GoDaddy to sign certificates for this in the past, but after November 2015 they won't support signing certificates for internal domains (and nobody else will).

    What I'd like to know is, do I have any other choice to overcome this in the future other than renaming my domain (1000 users and 1000 PCs, so not a small undertaking), or is there a way to have NPS present another name, or some other way around this?

    Thanks.

    Monday, August 5, 2013 2:23 AM

Answers

All replies

  • Hi,

    You can use the private CA service in your school; the CA service can also issue various certificates, and the non-domain clients can request the certificates with the CA's built-in web enrollment function.

    The related KB:
    Certificate Services
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa376539(v=vs.85).aspx

    Setting Up Active Directory Certificate Services
    http://technet.microsoft.com/en-us/library/cc771852.aspx

    Configure Certificate Autoenrollment
    http://technet.microsoft.com/en-us/library/cc731522.aspx

    Hope this helps.


    Alex Lv

    • Marked as answer by Alex Lv Friday, August 9, 2013 9:28 AM
    Friday, August 9, 2013 7:18 AM
  • Hi

    I am in the same situation as "Speculator", but your solution "non-domain clients can request the certificates with the CA built-in web enrollment function" is a NO-GO. Most users can't handle this, and lots of devices are mobile devices (iPhones, etc.), so it is much too complicated.

    So I wonder if there are other solutions. Renaming the domain is for sure NO option; btw. a .local domain was the best practice recommended by Microsoft for a long time, so I refuse to rename/set up from scratch a customer domain just because this recommendation has now been turned into bad practice by some major CA players without even thinking about the consequences.

    So let's think out loud about other possible solutions/workarounds:

    • NPS 2008 lets you choose the certificate it uses to present to the client. Is that of any help? Can I use a signed certificate? Or is it impossible because the NPS server always presents the server.domain.local FQDN?
    • What about an NPS Proxy Server (standalone, non-domain member server) using a fully valid FQDN (e.g. nps.mydomain.com) and a corresponding certificate? Will the clients use this certificate or will they use the certificate from the NPS server behind the NPS Proxy? I mean, is the certificate an end-to-end relationship or is it a client-to-NPS Proxy relationship?
    • Set up a new Active Directory Forest with a real, public, valid domain name (e.g. mydomain.com) and install an NPS Server in this domain with a fully valid/signed certificate. A trust would be established between the .local domain/forest and the mydomain.com domain/forest. People would have to enter the REALM as well when connecting.
    • Any other ideas?

    @Speculator: How did you solve this in the end?

    Regards,
    Oliver



    • Edited by Posbis Wednesday, September 11, 2013 2:55 PM
    Wednesday, September 11, 2013 2:54 PM
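The first question above, which certificate NPS actually presents and what names it carries, can be checked from the server itself. The following PowerShell is an added example, not code from the thread or from Microsoft: run on the NPS host, it lists every Server Authentication certificate in the machine store, extracts the subject CN and SAN DNS names, and flags self-signed certificates, near expiry, and names a public CA will not sign (the internal suffix list is an assumption; extend it for your environment).

```powershell
# Added example: inventory the server-authentication certificates on an NPS
# host and flag names a public CA will not sign (internal suffixes such as
# .local), self-signed certificates, and days left until expiry.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$SanOid        = '2.5.29.17'           # subjectAltName extension
# Suffixes treated as internal here (assumption; adjust for your environment)
$InternalSuffixes = @('.local', '.lan', '.internal', '.corp')

function Get-DnsNames($cert) {
    # Collect the subject CN plus any dNSName entries from the SAN extension
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=nps.example.com"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    $names | Sort-Object -Unique
}

function Test-InternalName([string]$name) {
    # Single-label names and reserved suffixes cannot be publicly issued
    if ($name -notmatch '\.') { return $true }
    foreach ($suffix in $InternalSuffixes) {
        if ($name.ToLower().EndsWith($suffix)) { return $true }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku } |
  ForEach-Object {
    $names = Get-DnsNames $_
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Issuer        = $_.Issuer
        SelfSigned    = ($_.Subject -eq $_.Issuer)
        DaysToExpiry  = [int]($_.NotAfter - (Get-Date)).TotalDays
        Names         = ($names -join ', ')
        InternalNames = (($names | Where-Object { Test-InternalName $_ }) -join ', ')
    }
  } | Format-List
```

Compare the thumbprint NPS has selected in the PEAP settings against this list; a certificate whose only names appear under InternalNames is the one that will stop being renewable by a public CA.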
  • I'm wondering if anyone ever came up with a solution for this?

    I'm running a .local domain and RADIUS has been working just dandy with a self-signed cert, but I needed to implement some Apple TVs and they don't play nice with Windows self-signed certificates.

    I went ahead and got a .com certificate and added an external .com DNS zone on our DNS server, but I'm still getting the dreaded "blah.blah.com is not configured as a valid NPS server".

    Any workaround for this? Is there a specific DNS record I need to add to make it a valid NPS server on that domain, or is something hard-coded because it's a domain controller?

    Any help is appreciated. I've been hacking this out for weeks now and I just want to get it off my plate.

    Thanks,

    Chris


    Sunday, July 13, 2014 10:49 PM
  • Not sure why this is marked as an answer. An internal CA will not be trusted by non-domain devices.
    Tuesday, October 24, 2017 9:18 PM