Annoying Certificate Chain Issue with NPS (Reason Code 295)

    Question

  • Hi All,

    I'm trying to set up certificate-based authentication for NPS in a Server 2012 R2 environment. I'm currently stuck on an issue where I keep getting Reason code 295 (indicating that a CA in the chain is not trusted). However, I've checked the computer and service account to ensure that both the Root CA and Intermediate CA are in the appropriate trust store, so I cannot for the life of me figure out why there would be a trust issue.

    I have also verified that my user certificate is properly published in Active Directory and that my client (which is not domain joined) trusts both the root and intermediate CAs.

    The RAS server is using a commercial wildcard certificate for SSTP connections (we only have SSTP enabled), which is working fine with user/password authentication. In the advanced certificate authentication settings, we're using a certificate issued by the internal CA.

    Any ideas why the server wouldn't trust a certificate that's in the trust store?

    Thanks!

    Monday, April 30, 2018 21:02

Answers

  • I was able to get this working by using the default user template instead of the copy I had modified. I'll try to track down what setting broke it and post it here for future generations if I find it.
    Monday, April 30, 2018 21:44

All replies

  • Hi,

    I'm pleased to hear that the issue is resolved by yourself successfully. Thanks for posting and sharing here as it would be helpful to someone who encounters similar issues.

    Highly appreciate your effort and time.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 1, 2018 6:33