NPS Certificates & Auto-Enrolment Issues

  • Question

  • Hey All,

    I've spent way too much time trying to figure this out so here goes:

    • I have installed the NPS role on Windows Server 2008 Enterprise SP2.
    • I have installed AD CS role on a Windows Server 2008 Standard SP1 which is also a Domain Controller.

    I cannot seem to add the NPS Certificate to the AD CS Certificate Authority. I have waited and waited for the DCs to sync, but nothing appears so I cannot issue a new template.

    I have been following this article to setup NPS for RADIUS: http://techblog.mirabito.net.au/?p=87
    I have been following this TechNet article for certificates: http://technet.microsoft.com/en-us/library/cc730811

    I realised the TechNet article applies to Windows Server 2008 R2, and I have also read in many places that CA certificates can only be auto-enrolled on Enterprise Edition servers.

    Can someone set me straight? This is a massive road block I have hit when trying to set up RADIUS for my WiFi network. Thanks All!


    • Edited by Joshua Woodcraft Thursday, May 31, 2012 6:45 AM further clarification
    Thursday, May 31, 2012 6:37 AM

All replies

  • Hi Joshua,

    When you say you "cannot seem to add the NPS certificate to the AD CS certificate authority," what do you mean? If you are trying to create a new template on 2008 Standard version, then this is your problem. That version of server does require Enterprise edition to issue certificates from new templates. I believe this changed in R2.

    However, you may not need to follow the instructions exactly as described in the link you provided. All I think you need is to manually enroll a computer certificate on your NPS. Assuming that the "Computer" certificate template is already available, try this:

    1. On NPS, click Start, click Run, in Open, type mmc, and then press ENTER.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
    4. Click OK to close the Add or Remove Snap-ins dialog box.
    5. In the left pane, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
    6. The Certificate Enrollment dialog box opens. Click Next.
    7. In the Certificate Enrollment dialog box, select the Computer check box, and then click Enroll.
    8. Verify that Succeeded is displayed to indicate the status of certificate installation, and then click Finish.

    Let me know if this works,

    -Greg



    Friday, June 1, 2012 5:53 AM
  • Hi,

    For issuing purpose, such as auto-enroll, you should use Enterprise Root CA which needs Enterprise Edition. Then, use this Root CA to issue a server certificate for NPS server. Based on the authentication method you choose, deploy the user and client computer certificate.

    Certificate Requirements for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc731363

    Deploying Certificates for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc754367

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, June 1, 2012 6:00 AM
  • Thanks Greg, I think the problem is that we're running the CA on a 2008 standard server. I looked at it with fresh eyes this morning and it smacked me right in the face. So I will either need 2008 Enterprise, or 2008 R2. So thanks for clearing that up!

    In regard to your steps, I had followed these already and added the computer certificate on the NPS server but it was telling me the RPC server was unavailable. Presumably because I do not have it installed on Enterprise. Adding to the fact that I would need NPS to auto-enroll the certificates.

    Aiden, thanks for your input - I've seen those articles before but I do have a question for you. Do I need to deploy a computer certificate and a user certificate? I do know that when setting up the CA for NPS, I need to create a new template from the RAS and IAS certificate template, according to microsoft here: http://technet.microsoft.com/en-us/library/cc754198 Which in theory, after all domain controllers pick this up, should be available to the NPS server?

    It's just the whole adding both user and computer certificates that is stumping me as well. What I'm trying to do is set up RADIUS for our wireless network so users have to authenticate with their domain account.

    Friday, June 1, 2012 6:13 AM
  • Just to be clear about what doesn't work on Windows Server Standard Edition with the certificate templates console.

    In Enterprise edition, you can open the certificate templates console, right click the Templates container, point to New, and then click Certificate Template to Issue. You can't do this in Standard Edition. This is step 11 in the link you provided.

    I know it sounds a little strange, but you actually CAN install an Enterprise CA on Windows Server 2008 Standard edition. It is just that the Enterprise CA is limited to issuing only the standard templates.

    I don't think the RPC server error you got is related to using Standard edition on your CA. I could be wrong, but usually an RPC error is some kind of network connection or Active Directory problem.

    You don't need to use the RAS and IAS Servers certificate because all that is required is the Server Authentication EKU, and this is available on the Computer certificate.

    -Greg

    Friday, June 1, 2012 6:20 AM
  • Also,

    If you are using MS CHAP v2, you don't need certificates on the client computers. See http://technet.microsoft.com/en-us/library/dd348500.

    The certificate model is here: http://technet.microsoft.com/en-us/library/dd348478.

    You can't use autoenrollment with your current CA, but you might not need this.

    Can you describe the RPC error you are getting?

    -Greg


    Friday, June 1, 2012 6:33 AM
  • Ah I see, thanks! I had installed the Enterprise CA on a standard edition. I had created the templates, but of course they were not showing up in the Certificate Authority because of the standard edition limitation.

    What I would need to know then, is why Microsoft describes setting up three different certificates according to this article: http://technet.microsoft.com/en-us/library/cc754367

    Seeing your second post here Greg, it seems there is a better way! So having a quick read of the article you posted: http://technet.microsoft.com/en-us/library/dd348500(v=WS.10).aspx - It appears I just need to deploy a certificate to the NPS server and this type of authentication does the rest?

    Edit: Also, your second link did not work. I am not sure what was causing the RPC error at the time, but before replicating the error I will install AD CS on a new server when I can.

    Lastly, what would I need to employ to get this type of authentication working? The RADIUS Server gives me three options: The smart card, PEAP or EAP-MS CHAP v2 (<would this be the one?)




    Friday, June 1, 2012 6:38 AM
  • Thanks for pointing out the link problem - I've fixed the URL.

    The three certificates are for different phases and types of authentication. Have a read here: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx. In particular, there is a table that explains the uses for the various certificates. I've pasted it below. Hopefully it will format well, but you can also see the link above. There are actually four certificates, but one of them is automatically imported when a client joins the domain (the first one).

    Columns: Certificate / Required for EAP-TLS and PEAP-TLS? / Required for PEAP-MS-CHAP v2? / Details

    1. CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User.
       • EAP-TLS and PEAP-TLS: Yes. The CA certificate is enrolled automatically for domain member computers. For non-domain member computers, the certificate must be manually imported into the certificate store.
       • PEAP-MS-CHAP v2: Yes. This certificate is enrolled automatically for domain member computers. For non-domain member computers, the certificate must be manually imported into the certificate store.
       • Details: For PEAP-MS-CHAP v2, this certificate is required for mutual authentication between client and server.

    2. Client computer certificate in the certificate store of the client.
       • EAP-TLS and PEAP-TLS: Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For non-domain member computers, the certificate must be manually imported or obtained with the Web enrollment tool.
       • PEAP-MS-CHAP v2: No. User authentication is performed with password-based credentials, not certificates.
       • Details: If you deploy user certificates on smart cards, client computers do not need client certificates.

    3. Server certificate in the certificate store of the NPS server.
       • EAP-TLS and PEAP-TLS: Yes. You can configure AD CS to autoenroll server certificates to members of the RAS and IAS servers group in Active Directory Domain Services (AD DS).
       • PEAP-MS-CHAP v2: Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that client computers already trust.
       • Details: The NPS server sends the server certificate to the client computer; the client computer uses the certificate to authenticate the NPS server.

    4. User certificate on a smart card.
       • EAP-TLS and PEAP-TLS: No. This certificate is required only if you choose to deploy smart cards rather than autoenrolling client computer certificates.
       • PEAP-MS-CHAP v2: No. User authentication is performed with password-based credentials, not certificates.
       • Details: For EAP-TLS and PEAP-TLS, if you do not autoenroll client computer certificates, user certificates on smart cards are required.

    ---------------------------

    The password-based method you discussed above is MSCHAPv2. The other methods (TLS methods) use certificates to store user and computer credentials. When it says above that computer certificates are enrolled automatically on domain computers, this is assuming that auto-enrollment is enabled in default domain policy. By default, domain computers have permission to enroll a "computer" certificate. This blog post might help to understand auto-enrollment: http://blogs.msdn.com/b/alextch/archive/2007/07/03/certautoenroll.aspx.

    Friday, June 1, 2012 7:38 AM
  • Hi,

    As Greg mentioned, if you choose to use the PEAP-MS-CHAP v2 method for authentication, you don't need additional certificates on the client side. Only make sure the Root CA is trusted on all client computers. It supports using user credentials (password-based) for authentication, which is easy to deploy.

    For more detailed steps, please refer to the following Blog. Hope it helps.

    Creating a secure 802.1x wireless infrastructure using Microsoft Windows

    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

    In group policy settings, make sure the Authentication method is Secured password (EAP-MSCHAP v2).


    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, June 1, 2012 7:56 AM
  • Thanks guys. I won't be deploying the wireless settings via group policy. We'll just connect them manually.

    But this is how I understand it:

    • Setup the AD CS server on an Enterprise Edition 2008 or 2008 R2 server with a computer certificate set to auto-enroll. (Do I need to create duplicate of a template, or just use the template?)
    • Request the certificate from the Certificates Snap-In on the server NPS is installed on.
    • Run the wireless wizard in NPS for RADIUS Server and select PEAP-MSCHAP v2 and setup the wireless access points.

    What isn't entirely clear is what is needed for group policy. What I envision is setting up a user group of authenticated users which are allowed to access the RADIUS Server and define this in NPS. I've read that many articles on how to configure the GPO that I'm not sure what to configure anymore.

    Edit: Also, the users joining this wireless network will be primarily devices and computers who are not joined to the domain. In what way will this affect authentication?


    Friday, June 1, 2012 11:56 AM
  • Bump. Guys I've taken the advice to go with MS-CHAP-V2 (without putting the CA on an Enterprise Edition server) and set it up. Considering I don't need auto-enrollment for MS-CHAP-V2, I am not sure what's going on.

    I couldn't enroll a certificate on the NPS server (it kept coming up with a RPC server unavailable error) by manually requesting it, so I imported it from a computer certificate which I exported from the CA itself.

    I cannot get it to work. I'm using Ubiquiti UniFi access points. In the UniFi administration I defined that it's WPA-Enterprise, put in the IP address and port, and the shared secret (which I've set the same for both NPS AP clients) but when I go to connect from my Windows 7 laptop it says cannot connect, and when I try to connect from my iPhone it keeps saying incorrect username or password. Any thoughts?

    Monday, June 4, 2012 3:10 AM
  •  I've taken the advice from my post here: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/c8664ee3-f3b7-4105-a0a8-0e5a189e05a5/#8c5635db-c57a-40b3-8278-57222e1f1106 to go with MS-CHAP-V2 (without putting the CA on an Enterprise Edition server) and set it up. Considering I don't need auto-enrollment for MS-CHAP-V2, I am not sure what's going on.

    I couldn't enroll a certificate on the NPS server (it kept coming up with an RPC server unavailable error) by manually requesting it in the certificates snap-in, so I imported it from a computer certificate which I exported from the CA itself.

    I cannot get it to work. I'm using Ubiquiti UniFi access points. In the UniFi administration I defined that it's WPA-Enterprise, put in the IP address and port, and the shared secret (which I've set the same for both NPS AP clients) but when I go to connect from my Windows 7 laptop it says cannot connect, and when I try to connect from my iPhone it keeps saying incorrect username or password.

    I've checked the logs in the C:\Windows\System32\LogFiles folder and it creates new entries involving my username, PC and even the NPS client (access point) it's using when it connects. The log looks like this (this is 3 unsuccessful attempts):

    "NPS Server","IAS",06/04/2012,12:53:56,1,"host/laptop.domain.com.au","domain.com.au/Resources/Computers/Laptops/laptop","06-27-22-B5-EE-1E:Access Point","88-9F-FA-54-26-FE",,,,,0,0,"172.17.12.6","Level 3",,,19,"CONNECT 0Mbps 802.11",,,5,"Forefront TMG Default Policy",0,"311 1 ::1 05/31/2012 00:57:06 39",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
    "NPS Server","IAS",06/04/2012,12:53:56,3,,"domain.com.au/Resources/Computers/Laptops/laptop",,,,,,,,0,"172.17.12.6","Level 3",,,,,,,5,"Forefront TMG Default Policy",65,"311 1 ::1 05/31/2012 00:57:06 39",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
    "NPS Server","IAS",06/04/2012,12:53:57,1,"SKIN\username","domain.com.au/Resources/Users/AD User","06-27-22-B5-EE-1E:Access Point","88-9F-FA-54-26-FE",,,,,0,0,"172.17.12.6","Level 3",,,19,"CONNECT 0Mbps 802.11",,,5,"Forefront TMG Default Policy",0,"311 1 ::1 05/31/2012 00:57:06 40",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
    "NPS Server","IAS",06/04/2012,12:53:57,3,,"domain.com.au/Resources/Users/AD User",,,,,,,,0,"172.17.12.6","Level 3",,,,,,,5,"Forefront TMG Default Policy",65,"311 1 ::1 05/31/2012 00:57:06 40",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
    "NPS Server","IAS",06/04/2012,12:53:59,1,"SKIN\username","domain.com.au/Resources/Users/AD User","06-27-22-B5-EE-1E:Access Point","88-9F-FA-54-26-FE",,,,,0,0,"172.17.12.6","Level 3",,,19,"CONNECT 0Mbps 802.11",,,5,"Forefront TMG Default Policy",0,"311 1 ::1 05/31/2012 00:57:06 41",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,
    "NPS Server","IAS",06/04/2012,12:53:59,3,,"domain.com.au/Resources/Users/AD User",,,,,,,,0,"172.17.12.6","Level 3",,,,,,,5,"Forefront TMG Default Policy",65,"311 1 ::1 05/31/2012 00:57:06 41",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Microsoft Routing and Remote Access Service Policy",1,,,,


    I will also mention that this NPS server resides on a ForeFront TMG Server as well.

    Any thoughts?


    Monday, June 4, 2012 3:53 AM
  • Hi Greg,

    Thanks for the reply. I have come across that article but this did not help. I'll also mention that the NPS server is installed on a ForeFront TMG 2010 server. Are there any special considerations I should make? Earlier today I stopped all forefront services and tried to connect to the WiFi AP, and this time instead of automatically failing, it just sat there waiting and then finally timed out. I get an entry into the NPS log each time my laptop tries to connect, but not my iPhone.. the iPhone just doesn't come through at all. Now I have seen others say that they've got their iPhone to connect via an MS-CHAP-V2 setup on NPS.. but I'm not sure how. It definitely has the WPA-Enterprise facility and the ability to type in a username and password.

    Is MS-CHAP-V2 a good way to go for non-domain users? All I want to do is for a device to authenticate with NPS using user credentials from AD DS.

    Tuesday, June 5, 2012 5:59 AM
  • Hi Joshua,

    I don't know a lot about Forefront TMG but I think it does include AD LDS (active directory lightweight directory services). It's possible this might cause some problems with other functions of NPS. I'll need to research this a little. Searching on TMG RPC problems with certificates I found this: http://www.microsoftnow.com/2010/02/rpc-server-is-unavailable-error-when-requesting-a-certificate.html

    Have you tried this solution?

    I think the first step is to make sure the NPS certificate is enrolled correctly. For non-domain users you also need to make sure they have the root CA certificate. If you want to authenticate with user credentials I think the simplest method is MSCHAP. From http://technet.microsoft.com/en-us/library/dd348500.aspx:

    "PEAP-MS-CHAP v2 is an EAP type that is easier to deploy than Extensible Authentication Protocol with Transport Level Security (EAP-TLS) or PEAP-TLS because user authentication is accomplished by using password-based credentials (user name and password) instead of digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate. Successful PEAP-MS-CHAP v2 authentication requires that the client trust the NPS server after examining the server certificate. For the client to trust the NPS server, the certification authority (CA) that issued the server certificate must have its own different certificate in the Trusted Root Certification Authorities certificate store on the client computer."

    -Greg

    Tuesday, June 5, 2012 6:30 AM
  • Hi Greg,

    That first link on disabling strict DCOM access in ForeFront TMG allowed me to request a computer certificate on the NPS Server! Thanks! I am still having trouble connecting to the wireless network, though. I am using a Windows 7 Professional x64 laptop, our network CA is in the trusted root authorities but when I try to connect it just sits there for a bit and then fails.

    Josh

    Wednesday, June 6, 2012 12:29 AM
  • Hi Josh,

    Do you see the laptop connection attempt on NPS? What about the access point? Are there any logs on the AP? What model AP are you using?

    -Greg

    Wednesday, June 6, 2012 5:07 AM
  • Hi Greg,

    The NPS connection attempt looks like the log I have previously posted a few posts back. There is nothing showing on the AP that a user is connected. I'm using a Ubiquiti UniFi Access Point.

    Thanks,

    Josh

    Wednesday, June 6, 2012 6:27 AM
  • Hi Josh,

    The logs provide some information, but usually there is more information in Event Viewer. Look on NPS under Custom Views\Server Roles\Network Policy and Access Services. There will be events that describe the connection attempt and include a code that helps to determine the root cause.

    However, based on the log you have above I am wondering if you've run the NPS policy wizard. It looks like the policy that is being matched is one of the default policies, "Routing and Remote Access Policy", rather than the policy that would be created by the wizard. Have you created policies yourself on NPS?

    -Greg

    P.S. See http://technet.microsoft.com/en-us/library/ff919513(v=ws.10).aspx

    Wednesday, June 6, 2012 7:15 AM
  • Looking at this again (now that I am in front of my NPS server) I see that the Routing and Remote Access policy is actually a default network policy and not a connection request policy. This network policy is also configured by default to deny network access, so if you are matching this policy it would explain the problem.

    Thursday, June 7, 2012 12:10 AM
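    The IAS-format records Josh posted above can be decoded mechanically rather than by counting commas. The script below is an added example for this thread, not code from the thread or from Microsoft. It splits each record at the 1-based field positions of Microsoft's documented IAS log format (field 5 packet type, 20 NAS-Port-Type, 24 authentication type, 25 network policy name, 26 reason code, 61 connection request policy name), pairs each Access-Reject with the preceding Access-Request for the same fully qualified user (the reject record itself carries an empty User-Name), and reports the reason code with its documented meaning. The embedded sample records are constructed to mirror the thread's third and fourth log lines, with the same placeholder names and MAC addresses; the reason-code table is a subset of the NPS reason codes, and any code not listed must be looked up in the full list.

```python
"""Decode NPS/IAS-format log records and explain rejected RADIUS requests.

Added example, not from the forum thread. Field positions follow the
Microsoft IAS log format (1-based); the sample records are constructed to
mirror the thread's posted log and reuse its placeholder names.
"""
import csv
from io import StringIO

# RADIUS packet codes (RFC 2865/2866) as written to IAS field 5.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}
# Authentication-Type (field 24) and NAS-Port-Type (field 20) values.
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP", 7: "None"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless IEEE 802.11"}
# Subset of the documented NPS reason codes (field 26). Assumption: codes not
# listed here must be looked up in the full NPS reason-code list.
REASON_CODES = {
    0: "IAS_SUCCESS",
    8: "IAS_NO_SUCH_USER",
    16: "IAS_AUTH_FAILURE (credentials rejected)",
    36: "IAS_ACCOUNT_LOCKED_OUT",
    48: "IAS_NO_POLICY_MATCH (no network policy matched)",
    65: "IAS_DIALIN_DISABLED (network access permission denied by the "
        "account's dial-in setting or by the matched network policy)",
    66: "IAS_INVALID_AUTH_TYPE (auth method not enabled in matched policy)",
}
# 1-based IAS field numbers used below.
FIELDS = {"computer": 1, "date": 3, "time": 4, "packet_type": 5, "user": 6,
          "fq_user": 7, "called_station": 8, "calling_station": 9,
          "client_ip": 16, "client_name": 17, "nas_port_type": 20,
          "auth_type": 24, "network_policy": 25, "reason_code": 26,
          "cr_policy": 61, "provider_type": 62}
INT_FIELDS = ("packet_type", "nas_port_type", "auth_type", "reason_code", "provider_type")


def parse_ias_record(line):
    """Return one record as a dict keyed by FIELDS; numeric fields become int or None."""
    cols = next(csv.reader(StringIO(line)))
    rec = {name: (cols[num - 1] if num <= len(cols) else "") for name, num in FIELDS.items()}
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] != "" else None
    return rec


def explain_rejects(lines):
    """Pair each Access-Reject with the latest Access-Request for the same
    fully qualified user and describe why NPS rejected it."""
    pending = {}   # fq_user -> most recent Access-Request record
    rejects = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_record(line)
        if rec["packet_type"] == 1:
            pending[rec["fq_user"]] = rec
        elif rec["packet_type"] == 3:
            req = pending.get(rec["fq_user"], {})
            rejects.append({
                "time": rec["date"] + " " + rec["time"],
                "user": req.get("user", ""),
                "fq_user": rec["fq_user"],
                "nas_client": rec["client_name"] + " (" + rec["client_ip"] + ")",
                "nas_port_type": NAS_PORT_TYPES.get(req.get("nas_port_type"), "unknown"),
                "auth_type": AUTH_TYPES.get(rec["auth_type"], "unknown"),
                "network_policy": rec["network_policy"],
                "connection_request_policy": rec["cr_policy"],
                "reason_code": rec["reason_code"],
                "reason": REASON_CODES.get(rec["reason_code"], "not in table; see NPS reason codes"),
            })
    return rejects


# Constructed sample mirroring the thread's request/reject pair for "AD User".
_TAIL_28_TO_60 = "," * 34   # fields 28-60 are empty in the posted records
SAMPLE_LOG = [
    '"NPS Server","IAS",06/04/2012,12:53:57,1,"SKIN\\username",'
    '"domain.com.au/Resources/Users/AD User","06-27-22-B5-EE-1E:Access Point",'
    '"88-9F-FA-54-26-FE",,,,,0,0,"172.17.12.6","Level 3",,,19,"CONNECT 0Mbps 802.11",'
    ',,5,"Forefront TMG Default Policy",0,"311 1 ::1 05/31/2012 00:57:06 40"'
    + _TAIL_28_TO_60 + '"Microsoft Routing and Remote Access Service Policy",1,,,,',
    '"NPS Server","IAS",06/04/2012,12:53:57,3,,"domain.com.au/Resources/Users/AD User"'
    ',,,,,,,,0,"172.17.12.6","Level 3",,,,,,,5,"Forefront TMG Default Policy",65,'
    '"311 1 ::1 05/31/2012 00:57:06 40"'
    + _TAIL_28_TO_60 + '"Microsoft Routing and Remote Access Service Policy",1,,,,',
]

if __name__ == "__main__":
    for r in explain_rejects(SAMPLE_LOG):
        print("%(time)s %(user)s via %(nas_client)s [%(nas_port_type)s, %(auth_type)s]" % r)
        print("  network policy: %(network_policy)s" % r)
        print("  connection request policy: %(connection_request_policy)s" % r)
        print("  reason %(reason_code)s: %(reason)s" % r)
```

    Run against the thread's records it reports one reject for SKIN\username over a wireless (NAS-Port-Type 19) port using EAP, reason code 65, with both policy-name fields holding default policy names rather than the policy the wireless wizard creates, which is the point Greg raises above. To use it on a real server, replace SAMPLE_LOG with the lines of the current file under C:\Windows\System32\LogFiles (the IAS format, not the DTS XML format).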
  • I've disabled all policies except for the ones created by the wireless wizard, still no luck. I wonder if ForeFront TMG is further restricting access somehow...

    Edit: What's interesting is that the access point I'm closest to receives and sends data, and in the NPS logs an LDAP connection is successful. So it just doesn't make sense.

    Thursday, June 7, 2012 3:24 AM
  • Hi Joshua,

    You still must make sure that the policy is being matched. Please examine the Event Viewer logs under Custom Views\Server Roles\Network Policy and Access Services.

    If the policy is not being matched when it is the only available policy, this means that the conditions are wrong. If the policy is matched but there is an error, you should see a code that will help to identify the problem.

    -Greg

    Thursday, June 7, 2012 4:09 AM