non-domain computer certificate authentication in NPS

  • Question

  • Hi all!

    I need to secure my wifi network, and was tasked with the WPA2-EAP AES security level.

    I'm using NPS on W2008 and everything is fine with domain members: the computer authenticates with a computer certificate before user logon and the network is accessible through wifi; after logon the user re-authenticates with the user's certificate.

    On a non-domain computer it's OK with a user certificate, BUT it can't authenticate with a computer certificate.

    Event logged in security audit:

    "Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

    Security ID: MYDOMAIN\WIFIPC1$
    Account Name: wifipc1$
    Account Domain: MYDOMAIN
    Fully Qualified Account Name: MYDOMAIN\wifipc1$
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 54-E6-FC-DD-07-81:nur_eap
    Calling Station Identifier: 00-1C-BF-A0-1C-98
    NAS:
    NAS IPv4 Address: 172.27.143.253
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0
    RADIUS Client:
    Client Friendly Name: ap2
    Client IP Address: 172.27.143.253
    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: nps01.mydomain.com
    Authentication Type: PEAP
    EAP Type: Microsoft: Smart Card or other certificate
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

    I have the following configuration:

    1) on connection request policy

    conditions - wireless-other or wireless-ieee 802.11

    setting - an attribute rule cutting the realm "host/" and replacing ".mydomain.com" with $. Otherwise non-domain members (computers without the realm cut and the suffix replaced with $, and users without the realm cut) get the error "The specified user account does not exist.".

    2) on network policies

    overview - by default, grant access, ignore dial-in properties.

    conditions  - wireless-other or wireless-ieee 802.11

    constraints - authentication method PEAP only, with EAP type "Smart Card or other certificate". That's the only allowed method for me, as one of the most secure; please don't offer me other methods.

    I use an enterprise CA on W2003 with AD 2008 level and manually enroll certificates for non-domain computers using cloned Computer or Workstation templates where I can provide names in the request; also I've created a computer account with a similar name to the one provided in the certificate, with the additional domain suffix. Clients are configured to use computer or user authentication; computer only was tried also. Also I've tried to use certificate mapping on the computer account without success.




    • Edited by Tumerskiy Monday, February 20, 2012 11:51 AM
    Monday, February 20, 2012 4:42 AM
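A small triage helper for the denial event quoted above, added here as an example and not part of the original post. It parses the event message text into fields and reads reason code 16, together with the certificate EAP type and a machine account name (trailing `$`), as the certificate-to-account mapping failure this thread is about. The sample text is an abridged copy of the event from the question; the function and its hint wording are mine, and the event ID 6273 in the usage comment is the Security-log ID that NPS uses for its "denied access to a user" audit.

```powershell
# Added example, not from the thread: triage an NPS "denied access to a user" audit event.
# $SampleEvent is an abridged copy of the message quoted in the question above.
$SampleEvent = @'
Network Policy Server denied access to a user.
User:
Security ID: MYDOMAIN\WIFIPC1$
Account Name: wifipc1$
Account Domain: MYDOMAIN
Client Machine:
Security ID: NULL SID
Account Name: -
NAS Port-Type: Wireless - IEEE 802.11
Authentication Type: PEAP
EAP Type: Microsoft: Smart Card or other certificate
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
'@

function ConvertFrom-NpsDenialText {
    param([Parameter(Mandatory)][string]$Text)

    # Parse "Key: value" lines. The first occurrence of a key wins, so the "User:" block's
    # Account Name is kept and the repeated key under "Client Machine:" is ignored.
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $key = $Matches[1].Trim()
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2].Trim() }
        }
    }

    $code    = [int]$fields['Reason Code']
    $eapType = $fields['EAP Type']
    $account = $fields['Account Name']
    # Certificate EAP type plus a NAME$ account means machine (computer) authentication.
    $isCertMachineAuth = ($eapType -like '*certificate*') -and ($account -like '*$')

    $hint = switch ($code) {
        16 {
            if ($isCertMachineAuth) {
                'Reason 16 on certificate machine auth: the identity in the certificate was not matched to an AD account. ' +
                'Check that the computer object exists, carries a HOST/<FQDN> SPN matching the SAN, and has the certificate mapped (altSecurityIdentities).'
            } else {
                'Reason 16: the User-Name did not map to an existing account, or the password was wrong.'
            }
        }
        default { "Reason code $code - see the NPS reason-code table." }
    }

    [pscustomobject]@{
        Account         = $account
        EapType         = $eapType
        ReasonCode      = $code
        CertMachineAuth = $isCertMachineAuth
        Hint            = $hint
    }
}

# Run it against the constructed sample. On a live NPS the same function takes the Message
# property of Security-log event ID 6273, e.g.:
#   (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 1).Message
ConvertFrom-NpsDenialText -Text $SampleEvent | Format-List
```

For the sample above the function reports CertMachineAuth as true and the mapping hint, which is the diagnosis the rest of the thread arrives at.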

Answers

  • Hi,

    I've checked with an 802.1X expert here (Clay) and it is possible to do this. There are two ways -

    First method:

    1. Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
    2. Export the cert with the private key.
    3. Import on all workstations that require it.

    Second method:

    1. Create an account in AD.
    2. Issue a certificate from a template that allows the private key to be exported.
    3. Using name mappings attach the certificate to the account.
    4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account host/computer.domain.com.
    5. Install certificate on target workstation.

    The first method is relatively easy but it uses a single certificate on multiple devices and the certificate doesn't correspond to the name of the computer.

    The second method is more secure, but more difficult to implement for multiple computers.

    I hope this helps,

    -Greg

    Monday, February 20, 2012 6:27 PM
    Owner
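The second method scripted end to end on the domain side, added here as an example; it is not Greg's or Microsoft's code. It uses the ActiveDirectory PowerShell module, the placeholder client name wifipc1 in mydomain.com (names taken from the question), and a placeholder path for the exported public certificate. Step 5 (installing the certificate with its private key on the client) happens on the client and is not covered. The reverse-RDN layout of the mapping string and the `<I>...<S>...` form are what the AD Users and Computers Name Mappings dialog writes into altSecurityIdentities; the script writes the `<I>...<SR>...` (reversed serial number) form instead, because domain controllers updated per KB5014754 treat the issuer/subject form as a weak mapping.

```powershell
# Added example (not from the answer or from Microsoft): the "second method" on the domain side.
# Assumptions: ActiveDirectory module available, run as an account that can create computer
# objects; the client's certificate has already been issued with its FQDN in the SAN and its
# public part exported to $CerPath (placeholder path).
Import-Module ActiveDirectory

$ClientName = 'wifipc1'                # placeholder client name (from the question)
$DomainDns  = 'mydomain.com'           # placeholder domain DNS name (from the question)
$CerPath    = 'C:\certs\wifipc1.cer'   # placeholder: exported public certificate (DER or Base64)
$Fqdn       = "$ClientName.$DomainDns"
$SamName    = $ClientName + '$'        # computer accounts are addressed as NAME$

# Step 1: create the computer object. Nothing is joined; the object only anchors the mapping.
if (-not (Get-ADComputer -Filter "Name -eq '$ClientName'")) {
    New-ADComputer -Name $ClientName -DNSHostName $Fqdn -Enabled $true
}

# Step 4: SPNs matching the SAN. "setspn -r" in the thread registers the same two HOST/ entries.
Set-ADComputer -Identity $SamName -ServicePrincipalNames @{ Add = "HOST/$Fqdn", "HOST/$ClientName" }

# Step 3: name mapping. AD expects each DN in the mapping string with RDNs in reverse order
# (DC=com,DC=mydomain,CN=...), i.e. root first, while .NET prints them leaf first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

function ConvertTo-ReversedDn {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    # Format($true) emits one RDN per line, leaf first; reverse and re-join with commas.
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$issuerRev  = ConvertTo-ReversedDn $cert.IssuerName
$subjectRev = ConvertTo-ReversedDn $cert.SubjectName

# Serial number with its byte order reversed, which is what the <SR> tag expects.
$pairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($pairs)
$serialRev = -join $pairs

$weakMapping   = "X509:<I>$issuerRev<S>$subjectRev"   # what the Name Mappings dialog writes (weak since KB5014754)
$strongMapping = "X509:<I>$issuerRev<SR>$serialRev"   # strong mapping, bound to this exact certificate

# Write the strong mapping; the weak one is only shown so it can be compared with the dialog's output.
Set-ADComputer -Identity $SamName -Add @{ altSecurityIdentities = @($strongMapping) }

# Verify the object now carries the SPN and the mapping NPS will look up.
Get-ADComputer -Identity $SamName -Properties servicePrincipalName, altSecurityIdentities |
    Select-Object Name, DNSHostName, servicePrincipalName, altSecurityIdentities
Write-Host "Weak (dialog) form would have been: $weakMapping"
```

Re-issuing the client's certificate invalidates an `<SR>` mapping, since it is tied to one serial number; that is the trade-off against the subject-based form, which survives renewal but is no longer accepted once strong-mapping enforcement is on.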

All replies

  • Hi,

    I am not sure I understand what you are trying to do. A domain member computer has a computer account in Active Directory. A non-domain-joined computer doesn't have this. When you perform computer authentication, the computer account is checked in Active Directory. It is expected that a non-domain-joined computer will fail to authenticate because the account doesn't exist.

    -Greg

    Monday, February 20, 2012 8:17 AM
    Owner
  • Hi Greg!

    If you read my post carefully, you might have noticed:

     "I've created a computer account with a similar name to the one provided in the certificate, with the additional domain suffix"

    I'm trying to register a non-domain computer in a WPA2-EAP wifi network with a computer certificate issued by an enterprise CA in Windows 2008 AD.

    The problem is in the mapping of credentials, the computer certificate and the computer AD object (account).

    Anyway, thanks for your attention )


    • Edited by Tumerskiy Monday, February 20, 2012 8:42 AM
    Monday, February 20, 2012 8:39 AM
  • Hi,

    I am not an expert on this, but I think that if you artificially create a computer account in AD, it does not create the correct security identifier (SID).

    For example, if I create two computers that both have the same name, join one of them to the domain, then turn it off and join the other to the domain - the first one will no longer be able to log in because the SID is incorrect. Have you read somewhere that you could do it this way?

    -Greg

    Monday, February 20, 2012 8:50 AM
    Owner
    Well, the question is about the correct way of computer account creation and certificate enrollment for that case.

    Anyway, I have successful user certificate authentication, which is configured in the same manner.

    Every step-by-step guide I've found on the internet just says to create a computer account and manually request a certificate... and that's all, obviously

    Monday, February 20, 2012 8:59 AM
  • Hi, thanks for help! Clay was right.

    I used the second method, registered the SPN with "setspn -r pcname", and successfully registered the computer with a machine certificate. That's great! Problem is solved!

    Tuesday, February 21, 2012 8:56 AM
  • hi,

    I have exactly the same "problem"...

    The answer from Greg was very useful for me but I could get that working.

    I have created a computer account in AD similar to the name of my test laptop (CERTTEST, no domain).

    I have exported the computer certificate of the laptop as type DES (also tested with BASE64) and mapped this to the computer account.

    I have registered the SPN with the command "setspn -r certtest"; the output and adsiedit told me that "HOST/CERTTEST" and "HOST/CERTTEST.NETZ502.LVNBW" are mapped to the computer account (NETZ502.LVNBW is my domain).

    In the event log I could not see any entry.... I could only look in the traces (activated with the command "netsh ras set tra * en").

    On the laptop I get a "schannel" error with ID 36870, error code 0x8009030d, error state 10003.

    what could be the problem?

    best regards,

    bernd

    Monday, August 13, 2012 1:27 PM
  • Hi,

    I've read your post with great interest, but still have one question:

    How can you use NPS to authenticate the clients using certificates when you have lots of non-AD clients, like VoIP telephones and so on? Normally you don't want to add these numerous (100+) hosts to the AD.

    With other RADIUS servers you could utilize the Subject name and OUs on the certificate to provide segmentation/different network access without having to register a "dummy host" for each client in the AD?

    Is there any way you could utilize a "pre-installed" OEM certificate on devices to authenticate, without having to add the "dummy" hosts to AD and map the certificate to the AD account?

    Best Regards

    Jarle

    Monday, September 24, 2012 9:51 AM
  • Hi Guys,

    We have two-tier CA in our organization.
    I installed NAP service and added Cisco router as RADIUS client.

    How to setup that domain machines and non-domain machines (including smart phones) can connect to wireless network only if they have computer certificate?

    I don't know how to set things up so that non-domain machines can connect to the network; how to create certificates for these machines?
    What type of certificate do we need to use, and how to do the request on the CA for non-domain machines...

    Please can you help?... maybe you have some step by step material?

    Tuesday, July 9, 2013 8:52 AM
    I know that this thread is a little obsolete, but it's perfect and I didn't find anything more useful, but the grand finale was to use Name Mapping in the AD console (right-click the computer object) and map the certificate file with the computer object. After that everything works smoothly. And the credential mismatch vanished.
    Tuesday, October 6, 2015 12:38 PM
  • Hi

    I can only get this working using the second method when I use an AD user account and not computer account. Should it be possible using a computer account? Regards

    Monday, October 9, 2017 12:57 PM
  • Hi David

    Did you have the FQDN of the client in the Subject Alt Name of the certificate? I can only get it to work with an Active Directory user account and not a computer account.

    Regards

    Monday, October 9, 2017 1:56 PM
  • Thank you for posting these steps. Could you elaborate a bit about a few of them?

    This may sound like a stupid question, but in the second method, step 2... I have an EAP certificate template for device auth and have made the private key exportable. How do I issue a cert from it?


    • Edited by Joe Rella Thursday, May 16, 2019 4:09 PM
    Thursday, May 16, 2019 4:08 PM