NPS, Public Cert and Multiple Servers

    Question

  • hi,

    we have two nps proxies and 4 nps servers behind them

    the proxies are servicing many WIFI AP's for dynamic vlan using dot1x and authentication using PEAP/MSCHAPv2

    i found some related posts but none of them was totally complete

    the main question is: has anyone bought a public cert for NPS which is working? i chatted with godaddy and geotrust and thawte but they never gave me a total solution or a definite YES or NO

    they just say if it is this way or that way.. yes we can, otherwise no, so i cannot reach a final decision

    and after that the question is: can i install one cert on all nps servers?

    tx all

    Wednesday, January 9, 2013 6:20 AM

Answers

  • My problem is solved

    i bought valid public certs from geotrust and installed it on my servers

    all devices are working well

    • Marked as answer by MohammadG Monday, April 29, 2013 8:47 AM
    Monday, April 29, 2013 8:47 AM

All replies

  • Hi,

    The SAN (subject alternate name) must be the FQDN of the NPS server. There is a previous forum thread where someone tried purchasing a single certificate with several NPS names in the SAN. This did not seem to work, whereas using a single NPS name in the SAN did work.

    I recommended this topic in that thread: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx.

    I hope this helps,

    -Greg


    Wednesday, January 9, 2013 8:44 PM
    Owner
  • Thanks Greg

    you know this may seem some kind of business and sales question

    as a matter of fact, i wonder if anyone has bought a public cert for their nps server and it has worked!? especially if they have installed it on multiple servers

    unfortunately godaddy, thawte and .. do not give me a direct and sure YES; as i said they just say it should work as long as it is x509 and ...

    so let's make my questions straight

    1- has anybody successfully purchased and installed certificates from a public cert provider (and from whom) for an nps server?

    2- has this worked on multiple servers? or as the server name should be there, do we have to buy four single certs for our four nps servers? (we have two nps proxies, each one pointing to two servers in two sites)

    thanks again

    Thursday, January 10, 2013 4:51 AM
  • Hi,

    I have not used a public cert myself. Someone else might reply here saying they have used one.

    The thread that I linked does have someone who used a public certificate and it worked, but they had to use a single NPS name in the SAN instead of multiple server names. I hope this is clear.

    -Greg

    Thursday, January 10, 2013 4:57 AM
    Owner
  • ok

    seems there is no way except purchasing and testing

    i will go through godaddy and hope they support a computer certificate for encipherment and digital signature for a .1x PEAP MSCHAPv2 on nps servers :|

    Thursday, January 10, 2013 5:07 AM
  • Ok

    trouble here

    i bought it from godaddy and put the cert on the server

    a new laptop entered the network and while trying to connect it fails

    the certificate (godaddy ..) is identified by the server but the nps server log says:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:                  domain\testuser
        Account Name:                 testuser
        Account Domain:               domain
        Fully Qualified Account Name: domain\testuser

    Client Machine:
        Security ID:                  NULL SID
        Account Name:                 -
        Fully Qualified Account Name: -
        OS-Version:                   -
        Called Station Identifier:    00-20-A6-B4-2E-C4:GBG
        Calling Station Identifier:   64-27-37-B8-B4-17

    NAS:
        NAS IPv4 Address:             172.20.20.103
        NAS IPv6 Address:             -
        NAS Identifier:               -
        NAS Port-Type:                Wireless - IEEE 802.11
        NAS Port:                     0

    RADIUS Client:
        Client Friendly Name:         Automative-Proxy
        Client IP Address:            172.21.0.68

    Authentication Details:
        Connection Request Policy Name: Secure Wireless Connections
        Network Policy Name:          Wifi-Vlan400-Lan-Wihout-Internet
        Authentication Provider:      Windows
        Authentication Server:        DC2.domain.net
        Authentication Type:          PEAP
        EAP Type:                     -
        Account Session Identifier:   -
        Logging Results:              Accounting information was written to the local log file.
        Reason Code:                  262
        Reason:                       The supplied message is incomplete.  The signature was not verified.


    Monday, January 14, 2013 8:20 AM
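When chasing a denial like the one above, it helps to pull the fields that matter (reason code, EAP type, policy, NAS, client MAC) out of the event text rather than reading the whole block each time. The script below is an added example, not code from the thread or from Microsoft; it parses an NPS denial message into section-qualified fields and attaches a hint for reason code 262, the one this poster hit. The event text is constructed from the post above with the same placeholder values, and the function name `ConvertFrom-NpsEventText` is this example's own.

```powershell
# Added example (not from the thread): parse an NPS "denied access" event body
# into section/field pairs and summarise the parts relevant to PEAP troubleshooting.
# Constructed sample, trimmed from the post above (placeholder user, NAS and AP values).
$eventText = @'
Network Policy Server denied access to a user.

User:
    Security ID:                domain\testuser
    Account Name:               testuser
Client Machine:
    Security ID:                NULL SID
    Called Station Identifier:  00-20-A6-B4-2E-C4:GBG
    Calling Station Identifier: 64-27-37-B8-B4-17
NAS:
    NAS IPv4 Address:           172.20.20.103
    NAS Port-Type:              Wireless - IEEE 802.11
RADIUS Client:
    Client Friendly Name:       Automative-Proxy
    Client IP Address:          172.21.0.68
Authentication Details:
    Network Policy Name:        Wifi-Vlan400-Lan-Wihout-Internet
    Authentication Type:        PEAP
    EAP Type:                   -
    Reason Code:                262
    Reason:                     The supplied message is incomplete.  The signature was not verified.
'@

function ConvertFrom-NpsEventText {
    # Returns a hashtable keyed "Section/Field" so that repeated field names
    # (e.g. "Security ID" under both User and Client Machine) do not collide.
    param([Parameter(Mandatory)][string]$Text)
    $fields  = @{}
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*$') {
            # A line such as "NAS:" with nothing after the colon starts a new section
            $section = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*([^:]+?):\s*(.+?)\s*$') {
            # "Field:   value"; the key stops at the first colon, so values may contain colons
            $fields["$section/$($Matches[1].Trim())"] = $Matches[2]
        }
    }
    return $fields
}

# Hints keyed by reason code. Only 262 is recorded here, with the explanation
# this thread arrived at; other codes fall through to "no hint recorded".
$hints = @{
    '262' = 'Signature not verified: check the NPS server certificate and the EAP type configured ' +
            'in the network policy (in this thread, switching the EAP type to MS-CHAP v2 cleared it).'
}

$fields     = ConvertFrom-NpsEventText -Text $eventText
$reasonCode = $fields['Authentication Details/Reason Code']
$hint = if ($hints.ContainsKey($reasonCode)) { $hints[$reasonCode] } else { 'no hint recorded for this reason code' }

[pscustomobject]@{
    User         = $fields['User/Security ID']
    ClientMac    = $fields['Client Machine/Calling Station Identifier']
    AccessPoint  = $fields['Client Machine/Called Station Identifier']
    NasAddress   = $fields['NAS/NAS IPv4 Address']
    RadiusClient = $fields['RADIUS Client/Client Friendly Name']
    Policy       = $fields['Authentication Details/Network Policy Name']
    AuthType     = $fields['Authentication Details/Authentication Type']
    EapType      = $fields['Authentication Details/EAP Type']
    ReasonCode   = $reasonCode
    Reason       = $fields['Authentication Details/Reason']
    Hint         = $hint
} | Format-List
```

On a live NPS server the same function can be fed real events: denials are logged to the Security log as event ID 6273, so `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 20 | ForEach-Object { ConvertFrom-NpsEventText -Text $_.Message }` gives one hashtable per denial, which is easy to group by reason code to see whether one certificate or policy problem is behind most failures.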
  • problem is solved by changing eap type to mschap-v2

    windows 7 and 8 are ok but the problem still exists with windows xp and, more important than that, windows mobile phones!

    1. Windows XP clients cannot connect to the 802.1x network with PEAP (EAP-MSCHAP-V2 EAP Type), and I get the "The client and server cannot communicate, because they do not possess a common algorithm." error message
    2. Windows Mobile devices also cannot connect to the network and they receive the "Cannot log on to the wireless network. This network requires a personal certificate to positively identify you" error message

    any help is greatly appreciated, especially on mobile devices with windows mobile OS

    Tuesday, January 15, 2013 4:46 AM
  • Hi M,

    Your problem is still the cert. I've been through a few months of this pain myself. I had the exact same problem with XP clients, but the reason is that XP is unforgiving when it comes to incorrect certs, whereas 7, 8 and Windows Phone accept the bad cert. When you get the cert right it will work fine for XP too. I use Comodo public certs. You have to be very careful when generating the cert request from NPS, and ensure Key Usage is "Digital signature" and Extended has "server authentication" and "key encipherment" selected. For Cryptographic Service Provider select "Microsoft Strong Cryptographic Provider RSA".

    Monday, April 29, 2013 8:33 AM
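The replies in this thread name the certificate properties that PEAP clients check before they trust the NPS server: the server's FQDN in the Subject Alternative Name (with a single name per cert being the combination reported to work), Digital Signature and Key Encipherment key usage, the Server Authentication extended key usage, and a matching private key on the server. The script below is an added example, not code from the thread or from Microsoft; it audits the local machine certificate store against exactly those properties so a bad certificate is found before XP or Windows Mobile clients start failing. `Test-NpsServerCertificate` and its `$NpsFqdn`/`$StorePath` parameters are this example's own names; `$NpsFqdn` defaults to the host's DNS name and should be overridden when checking a certificate exported from another NPS server.

```powershell
# Added example (not from the thread): report, for every cert in the machine
# store, whether it has the properties the replies above describe for PEAP.
function Test-NpsServerCertificate {
    param(
        # FQDN that must appear in the SAN; defaults to this host's DNS name
        [string]$NpsFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $x509          = 'System.Security.Cryptography.X509Certificates'
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)
    $digSigFlag    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $keyEncFlag    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ku  = $cert.Extensions | Where-Object { $_ -is "$x509.X509KeyUsageExtension" }
        $eku = $cert.Extensions | Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

        # Windows formats the SAN as "DNS Name=host1, DNS Name=host2, ..."; pull out the DNS entries
        $dnsNames = @()
        if ($san) {
            $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                          ForEach-Object { $_.Groups[1].Value })
        }

        $hasDigSig     = $ku -and (($ku.KeyUsages -band $digSigFlag) -ne 0)
        $hasKeyEnc     = $ku -and (($ku.KeyUsages -band $keyEncFlag) -ne 0)
        $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
        $fqdnInSan     = $dnsNames -contains $NpsFqdn
        $notExpired    = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            SanDnsNames    = ($dnsNames -join ', ')
            FqdnInSan      = $fqdnInSan
            SingleNameOnly = ($dnsNames.Count -le 1)   # the thread reports multi-name SANs did not work
            DigitalSig     = [bool]$hasDigSig
            KeyEnciph      = [bool]$hasKeyEnc
            ServerAuthEku  = $hasServerAuth
            UsableForPeap  = ($cert.HasPrivateKey -and $fqdnInSan -and $hasDigSig -and
                              $hasKeyEnc -and $hasServerAuth -and $notExpired)
        }
    }
}

# Usage: run elevated on the NPS server; a cert with UsableForPeap = True is the
# one to select under the PEAP properties of the network policy.
Test-NpsServerCertificate |
    Format-Table Subject, FqdnInSan, SingleNameOnly, DigitalSig, KeyEnciph, ServerAuthEku, HasPrivateKey, UsableForPeap -AutoSize
```

A certificate that shows every column as True except `SingleNameOnly` is the multi-name case Greg's reply warns about; one that passes everything but `HasPrivateKey` was usually imported as a .cer instead of a .pfx, and NPS cannot use it. The CSP the last reply mentions is a property of the private key rather than of the certificate itself, so it is not covered by this check.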