"The certificate on the server computer does not have a server name specified" (error 0x80420406) when trying to set up WPA2-EAP **PARTIALLY Solved**

  • Question

  • I am trying to set up a SonicWall NDR Access Point, connected to an NSA 3500, as a RADIUS client to authenticate WPA2-EAP clients. I've gotten everything set up to the point where a client can connect to the wireless network and authenticate the computer account against RADIUS just fine as long as I do not tick the box "Validate server certificate" in the PEAP properties on the client. When I select to validate the server certificate, the client will not connect and will log security event 5632, "The authentication failed because the certificate on the server computer does not have a server name specified" (EAP Error Code 0x80420406).

    I have already configured a Remote Access certificate and set up autoenrollment per Microsoft's directions. I can see the certificate has been created in the Local Computer\Personal store on the NPS server. The CA is trusted by the clients and used regularly. The subject name of the certificate is the FQDN of the server. The key usage is server/client auth. The Subject Alternative Name is DNS Name=<FQDN of the Server>. The key length is 2048 RSA.

    If I untick the box in the connection properties, the client connects immediately and works perfectly. The NAP server shows a successful auth event 6278, Access granted.

    In addition, this event is logged on the NPS server when the box is checked and the connection fails: Event 6273:

    "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

    NPS is running on server 2008 R2, client is Windows 7 PROx64.

    HELP! I cannot find anything about these messages on the net other than an article that explains the development return codes for EAP.

     *Update*

    The root of the problem lies in the fact that the machine also runs an RD Gateway. I thought it was convenient to use RADIUS on this machine since it was already set up. The RD Gateway uses a wildcard cert from a third party and places the cert in the Local Machine\Personal cert store as well. NPS wants to use this cert instead whenever it is present. If I remove the wildcard cert I can correctly connect with certificate verification enabled.

    Can anyone tell me if it is possible to force either the RD Gateway service or NPS to use a cert stored in another location? I cannot even find any certificate settings in NPS...


    • Edited by Leon79 Friday, August 17, 2012 3:11 PM
    Thursday, August 16, 2012 9:14 PM

Answers

  • So...what I have figured out...

    As far as I can tell you cannot assign a particular certificate for NAP to use with PEAP. Wildcard certificates do not work with PEAP. They produce the error above. As far as how NAP/PEAP chooses which certificate to use from the personal store goes, apparently no one knows. Magic I guess...

    Adding NAP role on another server...Problem solved.

    • Marked as answer by Leon79 Friday, August 17, 2012 8:00 PM
    Friday, August 17, 2012 8:00 PM
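The following PowerShell audit is an added example written for this page; it is not code from the original thread or from Microsoft. It covers both the diagnosis in the question's update (a third-party wildcard certificate sharing Local Machine\Personal with the NPS server certificate) and the answer's conclusion (wildcard certificates do not work with PEAP): it enumerates every certificate in Local Machine\My on the NPS host and reports, per certificate, the properties that decide whether PEAP server authentication can use it, flagging any wildcard subject or SAN entry. It assumes it is run in an elevated PowerShell session on the NPS host and that the host's own DNS FQDN is the name the wireless clients expect; the function and variable names are this example's own.

```powershell
# Added example (not from the original thread): audit Local Machine\My on the NPS host for
# PEAP server-certificate suitability. Assumption: run elevated on the NPS/NAP server itself.

$expectedFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # assumed: NPS host FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)
$ekuOid        = '2.5.29.37'           # Extended Key Usage extension
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-SanDnsNames {
    # Returns the DNS Name entries of the certificate's SAN extension (empty if none).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($false) renders the SAN as "DNS Name=a.example.com, DNS Name=b.example.com, ..."
    $ext.Format($false) -split ',\s*' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-PeapServerCert {
    # Builds one report row describing why PEAP would or would not accept this certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid } | Select-Object -First 1
    $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $sans   = @(Get-SanDnsNames -Cert $Cert)
    $cn     = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A wildcard anywhere in the CN or the DNS SANs is what the thread found PEAP rejects.
    $isWildcard    = ($cn -match '\*') -or (($sans -join ' ') -match '\*')
    $hasServerAuth = $ekus -contains $serverAuthOid
    $sanMatches    = $sans -contains $expectedFqdn   # -contains is case-insensitive
    $chainTrusted  = $Cert.Verify()                   # chain builds to a root this machine trusts

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $cn
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey
        ServerAuthEku  = $hasServerAuth
        Wildcard       = $isWildcard
        SanDnsNames    = ($sans -join ';')
        SanMatchesFqdn = $sanMatches
        ChainTrusted   = $chainTrusted
        PeapCandidate  = $Cert.HasPrivateKey -and $hasServerAuth -and (-not $isWildcard) -and
                         $sanMatches -and $chainTrusted
    }
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-PeapServerCert -Cert $_ }
$report | Format-Table Subject, Wildcard, ServerAuthEku, SanMatchesFqdn, ChainTrusted, PeapCandidate -AutoSize

# Interpretation: a row with Wildcard = True is a certificate like the RD Gateway's in the
# thread; a store that holds both it and the PEAP certificate is the situation that failed.
$report | Where-Object { $_.Wildcard } |
    ForEach-Object { Write-Warning "Wildcard certificate present in LocalMachine\My: $($_.Subject) ($($_.Thumbprint))" }
```

Run it before and after moving or removing the wildcard certificate: the goal is a store in which exactly one row shows PeapCandidate = True and no row shows Wildcard = True, which is the state the thread reached by putting the NAP role on a separate server.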