NPS Certificate seems to have problem with SHA2

  • Hi

I renewed my computer cert (for the NPS server) from GeoTrust and the new one is SHA2.

Wireless clients cannot connect to the network (PEAP - MSCHAP v2) after that, and they simply get the error:

Unable to connect to SSID

Error code: 0x80070005

Source: Engine

Package: Unknown

But the old one is OK.

Is there any problem with SHA2 and NPS?

Is there any workaround for this?

    Wednesday, December 24, 2014 11:42 AM

All replies

  • Hi,

    Have you tried importing this new certificate into the NTAuth store?

    http://support.microsoft.com/kb/295663

    http://technet.microsoft.com/en-us/library/cc731612.aspx

    Thanks,

    -Greg


    Wednesday, December 24, 2014 7:31 PM
  • Hi,

This is a GeoTrust cert, which is in the trusted authority inventory of all Windows editions (like GoDaddy and others).

Is this necessary?

I did not do that for any of my previous SHA1 GeoTrust certificates.

    Thursday, December 25, 2014 4:23 AM
  • Hi,

    When you update your server cert and clients can no longer access the network, one of the most common causes is a trust issue.  The certificate can be trusted by clients a couple different ways, but the simplest and most direct way to guarantee domain-joined clients trust the NPS server certificate is to publish it to NTAuth.

    This type of problem is particularly common with 3rd party CAs. An internal Enterprise CA is automatically trusted but 3rd party certificates are not.

    This might not be the issue, but the certificate must be trusted anyway, so ensuring it is trusted is a good first step. In other words, either the certificate is already trusted and this is not the problem but won't hurt anything, or the certificate is not trusted and this is at least one of the problems.

    It's possible that the old certificate was trusted and this one is not because of changes to the Geotrust PKI.

    -Greg

    P.S. I'm not sure about the SHA2 support but NPS on Server 2012 R2 should support it.
    Thursday, December 25, 2014 5:00 AM
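The checks Greg describes (is the new cert actually trusted, and is its issuer in NTAuth), as an added PowerShell example that is not part of any post in this thread. It assumes a hypothetical server certificate whose subject contains `nps.example.com` in the LocalMachine\My store; the `certutil -dspublish ... NTAuthCA` step is the one from KB 295663 and needs Enterprise Admin rights, so comment it out if you only want the report. It also prints the signature algorithm of every certificate in the chain, which answers the "did they generate new keys and chains" question for the specific cert you installed.

```powershell
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical): the NPS server cert's subject contains
# "nps.example.com" and it lives in the LocalMachine\My store.
# Run in an elevated PowerShell on the domain-joined NPS server.

$subjectFilter = '*nps.example.com*'

$nps = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectFilter -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $nps) { throw "No server certificate matching $subjectFilter in LocalMachine\My" }

# 1. Which hash algorithm signed the leaf? (sha1RSA vs sha256RSA is the
#    difference this thread is about.)
"Leaf: {0}`n  thumbprint={1}`n  signature={2}`n  expires={3}" -f $nps.Subject, $nps.Thumbprint, $nps.SignatureAlgorithm.FriendlyName, $nps.NotAfter

# 2. Build the chain the way a client would and show each element's
#    algorithm plus any trust error (untrusted root, missing intermediate, ...).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($nps)
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0}`n    signature={1} status={2}" -f $el.Certificate.Subject, $el.Certificate.SignatureAlgorithm.FriendlyName, $status
}
if (-not $valid) {
    Write-Warning ("Chain does not validate on this host: " +
        (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}

# 3. Is the issuing CA already in the enterprise NTAuth store? If not,
#    publish it to AD (KB 295663) and refresh this host's local copy.
#    Domain clients pick the AD copy up on their next policy/autoenrollment refresh.
if ($chain.ChainElements.Count -gt 1) {
    $issuer = $chain.ChainElements[1].Certificate          # element 0 is the leaf itself
    $ntauthDump = (certutil -enterprise -store NTAuth 2>&1 | Out-String) -replace '\s', ''
    if ($ntauthDump.ToLower().Contains($issuer.Thumbprint.ToLower())) {
        "Issuing CA '$($issuer.Subject)' is already in NTAuth."
    } else {
        "Issuing CA '$($issuer.Subject)' is NOT in NTAuth; publishing."
        $cerPath = Join-Path $env:TEMP 'nps-issuer.cer'
        [IO.File]::WriteAllBytes($cerPath, $issuer.Export('Cert'))
        certutil -dspublish -f $cerPath NTAuthCA           # needs Enterprise Admin
        certutil -enterprise -addstore NTAuth $cerPath     # update this host now
    }
}
```

If step 2 reports `UntrustedRoot` or `PartialChain` on the server itself, the clients will fail for the same reason regardless of NTAuth; run the same chain check on an affected Windows 7 client (with the leaf exported, minus the private key) to see exactly which element it cannot build.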
  • Hi

You're right, Greg. Enabling and injecting the cert there, although I think it may not be necessary, would not hurt anybody anyway.

I have already started a test environment to check it on Server 2012 and will let you know the result.

Meanwhile, I would be thankful if anybody from Microsoft or a partner could check this issue with the guys out there and see if this is a known issue (NPS and SHA2).

Thanks again, Greg.

    Thursday, December 25, 2014 6:52 AM
I tested NPS on Server 2012 and it has the same problem. The interesting thing is that the SHA2 scenario works on Android and iOS clients: Android and iPhone devices can connect using this new cert, but Windows 7 and 8 clients have that problem.
    Thursday, December 25, 2014 9:13 AM
Is it possible that I may need to add the new GeoTrust trusted root certs on my clients and servers?

Does the new SHA-2 method mean they have generated new keys and chains?!

    Friday, December 26, 2014 10:56 AM