AutoEnrolled certificates not working with NPS - EAP Type cannot be processed by the server


Hi all,
I've done quite a bit of reading to get to the stage I'm at, and I'm happy that I have a correctly configured, functioning 2-tier CA based on Windows 2012 R2 with an offline root.

I am trying to use certificates with NPS for wireless user authentication. I have created a duplicate of the default User certificate template and modified it to use client authentication, and bumped the settings for client/server OS compatibility and key strength.

I enabled "Do not automatically reenroll if a duplicate certificate exists in Active Directory", but it didn't work as expected (it still resulted in multiple certificates per test user across the various computer sessions each person had).

I made a new template in order to use credential roaming, and stopped issuing based on the previous template. According to the following link, credential roaming requires a version 3 template, which can't be set except at the time of template creation, so both templates still exist but I'm only issuing the v3 one.
http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx

The certificate template/autoenrollment appears to function as intended, with 1 instance of the certificate type per user being enrolled and stored in AD, although not consistently. Right now I have none listed on the user properties, whereas earlier I had 1!

The problem I have is that certificates from the latest template don't work with the NPS rules I have set up. I get the message "The client could not be authenticated because the Extensible Authentication Protocol (EAP) type cannot be processed by the server" in the NPS server's security event log.

The settings changed between the 2 certificate templates are: Compatibility - Certificate recipient increased to Windows 7/Server 2008 R2 from Windows XP/Server 2003, provider category changed to Key Storage Provider, and the request hash changed to SHA256.

FYI, the functional level of our parent domain containing the CA/NPS is 2003; our oldest DC is 2003 SP1 and the newest is 2012.

I hope this makes sense - let me know if more detail is required and I will provide it. Any ideas, since my mind has been turned into a pretzel reading about CAs, templates, autoenrollment and wireless authentication :)

Any hints?

P.S. I'm having a bit of trouble understanding how the certificate is chosen. It looks as if, when you have multiple valid certificates, it will use whatever is available in the user store. I can authenticate with certificates from the 1 or more legacy online root CAs on our domain that have current, valid, client-authentication-capable certificates.

Glad you figured out that X509v3 certificates have nothing to do with certificate template versions.

If you have child domains, you need to make sure the issuing CA account is a member of the Cert Publishers group in each and every domain in the forest (this privilege allows the CA to write the certificate to the userCertificate attribute of the user account).

Due to the age of the DCs, you may have to change the Cert Publishers group from a global group to a domain local group to enable the CA computer account to be a member of the Cert Publishers group in a different domain.

Note that in some cases, you cannot change the groupType directly from a global group to a domain local group. In that case, you have to change the global group to a universal group, and then change the universal group to a domain local group.

To do this, follow these steps:

  1. Type the following command, and press Enter:
     dsmod group <group distinguished name> -scope u
     This command changes the global group to a universal group.
  2. Type the following command, and press Enter:
     dsmod group <group distinguished name> -scope l
     This command changes the universal group to a domain local group.

HTH

Brian
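As an added example (not code from the thread or from Brian), here is the membership check and the two-step scope conversion Brian describes, done in PowerShell with the RSAT ActiveDirectory module. $CaSamAccountName and the function names are assumptions, and the CA is assumed to live in the forest root domain, as in the original post.

```powershell
# Added example, not from the thread: audit the Cert Publishers group in every
# domain of the forest for the issuing CA's computer account, and convert a
# Global-scoped group to Domain Local via the Universal step Brian describes.
# Assumes the RSAT ActiveDirectory module and a CA located in the forest root.
Import-Module ActiveDirectory

$CaSamAccountName = 'ISSUINGCA01$'   # hypothetical SAM name of the issuing CA's computer account
$caDn = (Get-ADComputer -Identity $CaSamAccountName -Server (Get-ADForest).RootDomain).DistinguishedName

function Get-CertPublishersStatus {
    param([string]$Domain)
    # -Server binds the query to a DC of that domain. Members holds direct member DNs;
    # same-forest members are stored by DN, so a CA from another domain matches directly.
    $group = Get-ADGroup -Identity 'Cert Publishers' -Server $Domain -Properties Members
    [pscustomobject]@{
        Domain     = $Domain
        GroupScope = $group.GroupScope
        CaIsMember = $group.Members -contains $caDn
        Group      = $group
    }
}

function Convert-CertPublishersToDomainLocal {
    [CmdletBinding(SupportsShouldProcess)]   # lets -WhatIf flow into Set-ADGroup
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group, [string]$Domain)
    # AD rejects Global -> DomainLocal in one step; go through Universal first.
    if ($Group.GroupScope -eq 'Global') {
        Set-ADGroup -Identity $Group -GroupScope Universal -Server $Domain
    }
    Set-ADGroup -Identity $Group -GroupScope DomainLocal -Server $Domain
}

foreach ($domain in (Get-ADForest).Domains) {
    $status = Get-CertPublishersStatus -Domain $domain
    $status | Select-Object Domain, GroupScope, CaIsMember | Format-Table -AutoSize

    if (-not $status.CaIsMember) {
        if ($status.GroupScope -ne 'DomainLocal') {
            # Report only by default; drop -WhatIf to actually change the scope.
            Convert-CertPublishersToDomainLocal -Group $status.Group -Domain $domain -WhatIf
        }
        Write-Warning "$CaSamAccountName is not a direct member of Cert Publishers in $domain; add it with Add-ADGroupMember and restart the CA service so the new token is picked up."
    }
}
```

The check only looks at direct membership; nested groups are not expanded, so a CA that is a member through another group will be reported as missing.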


