We have a Meraki wireless infrastructure using 802.1x to authenticate Windows clients against MS Network Policy Server using certificates issued by our internal root CA. The root cert and wireless settings are pushed out via group policy. This has worked fine for a number of years, with clients of all versions from Win 7 to 10. The root CA is running 2012 (not R2), if that matters.
The time has come to move the NPS service to new servers, running 2016. NPS is installed, and I've migrated the config from the old servers to the new. All settings match, as expected since it was an export/import.
NPS on 2016 has a server cert for "RAS and IAS" issued by our root CA via auto-enrollment for RAS servers. The same cert template is distributing certs to our 2008 R2 NPS servers. Looking at the certs on the old servers and new, the only difference is the server name. All other settings such as key size, etc. are the same.
Anyway, when wireless clients try to authenticate, they are failing. The NPS server shows event ID 6273, with a reason code of 262 and error of "The supplied message is incomplete. The signature was not verified."
This points to a cert error - I get that - but I cannot find any reason for it. The server cert is configured correctly using a cert template that I know works. Clients trust the root CA (and it's the same root CA for the entire domain). If I copy the server cert from the 2016 NPS server down to a client, the cert shows as valid, trusted up to the internal root CA.
For the heck of it, I installed NPS on a 2012 R2 box. Once I added the server to the RAS group, it auto-enrolled with a cert. I imported the same config that I brought over to 2016 and the 2012 R2 NPS worked right away. It took maybe two minutes tops to get configured. Yet the same process on 2016 is not working.
I've already been through all the MS documentation and anything else I can find but have hit a brick wall. Any suggestions would be greatly appreciated.
Thanks!
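An added diagnostic script, not part of the original post, that collects the two things worth comparing between the failing 2016 NPS server and the working 2012 R2 one: the properties of the auto-enrolled server certificate (EKU, private key store, chain to the root CA, template) and the recent 6273 denials carrying reason code 262. It assumes Windows PowerShell 5.1 in an elevated session, that the "RAS and IAS Server" cert lives in Cert:\LocalMachine\My where auto-enrollment puts it, and that the "Network Policy Server" audit subcategory is enabled so 6273 events are written to the Security log. The OIDs are the standard X.509 serverAuth EKU and Microsoft's certificate template extension; the event data field names follow the 6273 event schema.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# Windows PowerShell 5.1 session on each NPS server and compare the output.
# Assumption: the auto-enrolled RAS and IAS Server cert is in Cert:\LocalMachine\My.

$ServerAuthEku  = '1.3.6.1.5.5.7.3.1'       # id-kp-serverAuth, required on a PEAP/EAP-TLS server cert
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'    # Microsoft "Certificate Template Information" extension

function Get-NpsServerCertReport {
    # Every machine cert that carries the Server Authentication EKU is a candidate NPS cert.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku
    } | ForEach-Object {
        $cert    = $_
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }

        # Record which key store holds the private key: a legacy CSP surfaces as
        # RSACryptoServiceProvider, a CNG KSP as RSACng. Compare this between servers.
        $keyType = $null
        if ($cert.HasPrivateKey) {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa) { $keyType = $rsa.GetType().Name }
        }

        # Build the chain locally, the same way a client validates it; errors show up in ChainStatus.
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk     = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            KeySize       = $cert.PublicKey.Key.KeySize
            HasPrivateKey = $cert.HasPrivateKey
            PrivateKeyApi = $keyType
            Template      = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
            ChainBuilds   = $chainOk
            ChainStatus   = if ($chainErrors) { $chainErrors } else { 'NoError' }
        }
    }
}

function Get-NpsDenial262 {
    param([int]$MaxEvents = 50)
    # Event 6273 = "Network Policy Server denied access to a user", Security log.
    # Needs NPS auditing on; check with:  auditpol /get /subcategory:"Network Policy Server"
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x    = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['ReasonCode'] -eq '262') {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                User       = $data['SubjectUserName']
                ClientMac  = $data['CallingStationID']   # the wireless client
                RadiusNas  = $data['ClientName']         # the RADIUS client entry (the Meraki side)
                EapType    = $data['EAPType']
                Policy     = $data['NetworkPolicyName']
                Reason     = $data['Reason']
            }
        }
    }
}

Get-NpsServerCertReport | Format-List
Get-NpsDenial262 -MaxEvents 200 | Format-Table -AutoSize
```

Run it on both the 2016 server and the 2012 R2 server that works; any field that differs in the first report (most usefully PrivateKeyApi, ChainStatus and Template) is where to look next, and the second report shows which EAP type and network policy the 262 denials are hitting.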