
I'm trying to set up an AD server running the NPS service so that both AD and non-AD machines see the certificate as valid when authenticating to the wireless network. I picked up a cert from GoDaddy and the non-AD machines are happy with it, but the AD machine I'm testing with is complaining that it is not a valid certificate.

How do I configure NPS so that both AD members and non-AD members are happy with the certificate?

EDIT: I'm getting the error message mentioned here: http://support.microsoft.com/kb/2518158 "The server “” presented a valid certificate issued by “”, but “” is not configured as a valid trust anchor for this profile."

I'd rather not change all the AD clients to make this work. I'd prefer a solution that works by changing the server.

flickerfly

1 Answer

You need to distribute the root certificate (and all intermediate certs) to all your domain clients via Group Policy.

(screenshot: Import cert)

In addition, your domain clients will need the ability to check the revocation status of these certificates via the CDP (CRL Distribution Point) listed on the certs. If your domain clients don't have access to the CDP (i.e. they don't have internet access) they will not be able to check the revocation status of a GoDaddy certificate.


This is what an Online Responder (using Online Certificate Status Protocol) is for -- allowing machines in complicated network scenarios that can't access a CRL directly to use the Online Responder as a CRL-checking proxy server.

http://technet.microsoft.com/en-us/library/cc770413(v=WS.10).aspx

Ryan Ries
  • Thanks for quickly jumping on this. So these machines will have to sync up with Group Policy before they can connect without getting this error? I was hoping for some way to offer valid AD certs to the AD members and only use the GoDaddy ones for non-AD members to avoid this error showing up to clients. Any chance? – flickerfly Aug 26 '14 at 19:59
  • I don't think so... unless you deployed two separate endpoints (using different certs) and told all your public users to access the VPN via one endpoint, and all your internal clients to access it via another. – Ryan Ries Aug 26 '14 at 20:08
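The answer above describes two separate client-side requirements: the GoDaddy root and intermediate certificates must be present in the client's machine stores, and the client must be able to reach the CDP (or OCSP responder) to check revocation. The following PowerShell script is an added example, not code from the answer or from Microsoft; it imports a folder of chain certificates into the right LocalMachine stores (the manual equivalent of what the Group Policy deployment does), then builds the NPS server certificate's chain with online revocation checking so you can see which of the two requirements a failing client is missing. The file paths `C:\temp\nps-server.cer` and `C:\temp\chain\` are assumptions for the example.

```powershell
# Added example (not from the original answer). Run on a domain-joined test client.
# Assumed inputs: the NPS server's public certificate exported to C:\temp\nps-server.cer,
# and the GoDaddy root/intermediate .cer files in C:\temp\chain\ (hypothetical paths).
$serverCertPath = 'C:\temp\nps-server.cer'
$chainDir       = 'C:\temp\chain'

# 1. Import each chain certificate. A self-signed cert (Subject equals Issuer) is a root and
#    goes to Trusted Root Certification Authorities; anything else is an intermediate and goes
#    to Intermediate Certification Authorities. This mirrors the GPO "Import cert" step.
Get-ChildItem -Path $chainDir -Filter '*.cer' | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    $store = if ($c.Subject -eq $c.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $_.FullName -CertStoreLocation $store | Out-Null
    "Imported {0} into {1}" -f $c.Subject, $store
}

# 2. Build the server certificate's chain with online revocation checking for the whole chain,
#    which is what the client does before it trusts the RADIUS/EAP server.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $serverCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

if ($chain.Build($cert)) {
    "Chain is trusted and revocation status could be checked."
} else {
    # UntrustedRoot / PartialChain: the distributed root or intermediates have not arrived yet.
    # RevocationStatusUnknown / OfflineRevocation: the client cannot reach the CDP or OCSP URL.
    $chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}

# 3. Print the CRL Distribution Points (OID 2.5.29.31) and Authority Information Access
#    (OID 1.3.6.1.5.5.7.1.1) URLs that the client must be able to reach.
$cert.Extensions |
    Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
    ForEach-Object { $_.Format($true) }
```

If step 2 reports `UntrustedRoot` or `PartialChain` on a client that should already have received the policy, run `gpupdate /force` and check `Cert:\LocalMachine\Root` and `Cert:\LocalMachine\CA` for the imported entries; if it reports `RevocationStatusUnknown` or `OfflineRevocation`, the URLs printed in step 3 are the ones the client cannot reach, which is the scenario where the answer suggests an Online Responder as a proxy.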