Renewed CA cert and now a lot of users cannot connect to wireless network since old cert expired yesterday

  • Question

  • Hello, about a month ago I renewed the certificate from my sub-CA for the clients to connect to our wireless network using EAP-TLS. Yesterday the old cert expired and about half the users in the enterprise are not able to connect to the wireless network. All of the users have the new certificate installed on their computers but it is still not working. In the event viewer I am getting error code 36887 from Schannel and it says "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 49". When I looked that up it said "Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. This message is always fatal."

    The only solution I have found that works is plugging the computer into the network and performing a gpupdate and restarting the computer, but I can't do that for 1000+ computers. I have also tried removing the old expired cert from the sub-CA and that did not work either. Is there something that could be changed on the NPS server to allow all users to connect temporarily to download the new cert? We are using group policy to push out the wireless configuration.

    Any suggestions would be much appreciated. Thank you!

    • Edited by tsicoupe Tuesday, January 10, 2017 7:47 PM
    Tuesday, January 10, 2017 7:36 PM

All replies

  • Hi,

    >>The only solution i have found that works is plugging the computer into the network and performing a gpupdate and restarting the computer but i can't do that for 1000+ computers...We are using group policy to push out the wireless configuration.

    According to your description, your clients seem to keep using old certificates before gpupdate. NPS has no such option. And considering you have 1000+ computers, the most efficient way is to use a logon/logoff script to do this.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 11, 2017 8:01 AM
  • Hi Tsicoupe,

    Given that a GPUpdate + Reboot solves your problem, but you need to be connected to Active Directory for that, it might be worth a try to temporarily set up a remediation group that allows access to a domain controller (for receiving the group policy) and possibly the CA (for issuing a new client certificate if that expired) as well. You then want to trigger a GPUpdate and reboot by script or other method.

    For next time, it's good to know that a certificate issued by a CA can never have a lifetime greater than the remaining lifetime of the CA at the time of signing. If your CA is only valid for a month, that's what you get, regardless of the template maybe specifying a year or two. So you should renew your CA certificate while it's still valid for longer than the longest validity period of any certificate you want to issue with it.

    Kind Regards,

    Wednesday, January 11, 2017 8:33 AM
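The constraint described in the reply above (a certificate can never outlive the CA that signed it, so a one-year template issued against a CA with a month left yields a one-month certificate) is easy to check before it bites. The following is an added example, not code from the thread; it models the rule with constructed dates and names (the sub-CA and client names, the dates, and the one-year template are all made up for illustration) rather than parsing real certificates, and computes the latest date by which a CA must be renewed so that its longest template still fits:

```python
"""Model the CA-lifetime constraint: an issued certificate can never outlive its issuer."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a certificate: who it is for, who signed it, and when it is valid."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def issue(ca: CertInfo, subject: str, issued_at: datetime, template_lifetime: timedelta) -> CertInfo:
    """Issue a leaf under `ca`, capping notAfter at the CA's own notAfter.

    This is the rule the reply describes: the template may ask for a year,
    but the CA cannot sign for longer than it is itself valid.
    """
    requested_end = issued_at + template_lifetime
    granted_end = min(requested_end, ca.not_after)
    return CertInfo(subject=subject, issuer=ca.subject, not_before=issued_at, not_after=granted_end)


def effective_window(chain: list[CertInfo]) -> tuple[datetime, datetime]:
    """Validity window of a whole chain (leaf first): the intersection of every link's window."""
    return max(c.not_before for c in chain), min(c.not_after for c in chain)


def chain_valid_at(chain: list[CertInfo], when: datetime) -> bool:
    """True if every certificate in the chain is within its validity period at `when`."""
    start, end = effective_window(chain)
    return start <= when <= end


def ca_renewal_deadline(ca: CertInfo, longest_template_lifetime: timedelta) -> datetime:
    """Latest moment to renew the CA so that a cert issued then still gets its full template lifetime."""
    return ca.not_after - longest_template_lifetime


# --- constructed sample data (hypothetical, not taken from the thread) ---
OLD_SUBCA = CertInfo("Corp Sub CA (old)", "Corp Root CA",
                     datetime(2012, 1, 10, tzinfo=UTC), datetime(2017, 1, 9, 23, 59, 59, tzinfo=UTC))
NEW_SUBCA = CertInfo("Corp Sub CA (renewed)", "Corp Root CA",
                     datetime(2016, 12, 10, tzinfo=UTC), datetime(2021, 12, 10, tzinfo=UTC))
ONE_YEAR = timedelta(days=365)

# A client enrolled under the old sub-CA in June 2016 asked for one year but was
# silently cut back to the CA's expiry; the same client re-enrolled under the
# renewed sub-CA gets the full year.
OLD_CLIENT = issue(OLD_SUBCA, "laptop-0042", datetime(2016, 6, 1, tzinfo=UTC), ONE_YEAR)
NEW_CLIENT = issue(NEW_SUBCA, "laptop-0042", datetime(2016, 12, 15, tzinfo=UTC), ONE_YEAR)
DAY_AFTER_EXPIRY = datetime(2017, 1, 10, 12, 0, tzinfo=UTC)


def main() -> None:
    for label, chain in (("old chain", [OLD_CLIENT, OLD_SUBCA]),
                         ("renewed chain", [NEW_CLIENT, NEW_SUBCA])):
        start, end = effective_window(chain)
        print(f"{label}: valid {start.date()} .. {end.date()}, "
              f"usable on {DAY_AFTER_EXPIRY.date()}: {chain_valid_at(chain, DAY_AFTER_EXPIRY)}")
    print("renew the sub-CA no later than", ca_renewal_deadline(NEW_SUBCA, ONE_YEAR).date())


if __name__ == "__main__":
    main()
```

On a Windows client the same check can be run against real certificates by reading NotBefore/NotAfter from the machine's Personal and Intermediate Certification Authorities stores (for example with PowerShell's `Get-ChildItem Cert:\LocalMachine\My`) and feeding those values into `effective_window`; a leaf whose notAfter equals its issuer's notAfter is the tell-tale sign that the template lifetime was truncated at issuance.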
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 19, 2017 8:30 AM