AutoEnrolled certificates not working with NPS - EAP Type cannot be processed by the server
i've done quite bit of reading stage i'm @ , i'm happy have correctly configured, functioning 2 tier ca based on windows 2012 r2 offline root.
trying use certificates nps wireless user authentication. have created duplicate of default user certificate template , modified use client authentication , bumped settings client/server os compatibility , key strength.
enabled "do not automatically reenroll if duplicate certificate exists in active directory" didn't work expected (still resulted in multiple certificates per test user various computer sessions each person had).
made template in order use credential roaming , stopped issuing based on previous template. according following link credential roaming requires version 3 template can't set except @ time of template creation both templates still exist i'm issuing v3 one.
http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx
certificate template/autoenrollment appears function intended 1 instance of certificate type per user being enrolled , stored in ad although not consistently. right have none listed on user properties earlier had 1!
have problem certificates latest template don't work nps rules have setup. message "the client not authenticated because extensible authentication protocol (eap) type cannot processed server" in nps server security event log.
settings changed between 2 certificate templates compatibility certificate recipient - increased windows 7/server 2008 r2 windows xp/server 2003, provider category changed key storage provider , request hash changed sha256.
fyi our functional level parent domain containing ca/nps 2003, our oldest dc 2003 sp1 , newest 2012.
hope makes sense - let me know if more detail required provide ideas since mind has been turned pretzel reading cas, templates, autoenrollment , wireless authentication :)
hints
p.s. having bit of trouble understanding how certificate chosen. looks if have multiple valid certificates use whatever available in user store. authenticate certificates have 1 or more legacy online root cas on our domain current valid client authentication capable certificates.
glad figured out x509v3 certificates have nothing certificate template versions.
if have child domains, need make sure issuing ca account member of cert publishers group in each , every domain in forest (this privilege allows ca write certificate usercertificate attribute of user account).
due age of dcs, may have change cert publishers group global group domain local group enable ca computer account member of cert publishers group in different domain.
note in cases, cannot change grouptype directly global domain local group. in case, have change global group universal group , change universal group domain local group.
to this, follow these steps:
- type following command, , press enter: dsmod group <var class="sbody-var" style="box-sizing:border-box;">group distinguished name</var> -scope ucommand changes global group universal group.
- type following command, , press enter: dsmod group <var class="sbody-var" style="box-sizing:border-box;">group distinguished name</var> -scope lcommand changes universal group domain local group.
hth
brian
Windows Server > Security
Comments
Post a Comment