Question
Friday, May 18, 2012 1:41 PM
Hello all, I hope someone can help.
We have just implemented Wifi and are in the process of setting up 2008 NPS as our Radius server using PEAP.
Firstly - We do not have a PKI or internal CA and this is not an option.
So far I have it working well using a self signed cert to test it. I have now purchased a 3rd party cert and again, this works fine for XP SP3 clients. However, when Windows 7 clients try to connect it pops up an alert that states:
The server "blah" presented a valid certificate issued by "AddTrust External CA Root", but "AddTrust External CA Root" is not configured as a valid trust anchor for this profile.
I have researched this at great length and seem to simply end up going round in circles with no definitive answer.
I have added the *AddTrust External CA Root* certificate to the Enterprise NTAuth Store as per http://support.microsoft.com/kb/295663 using certutil, but this has made no difference.
I should point out that all machines belong to the same domain and this is purely for internal use.
Where am I going wrong?
Thanks
All replies (4)
Thursday, May 24, 2012 3:39 PM ✅ Answered
Ok, so I've reviewed everything and it turns out I was importing the wrong certificate into the enterprise NTAuth store on the root of the forest!
I followed the Enterprise PKI instructions on KB 295663 logged in as our enterprise admin and added the COMODO High-Assurance Secure Server CA certificate to the **NTAuthCertificates** tab. The link to the Microsoft KB is here: http://support.microsoft.com/kb/295663
This resolved the '*not configured as a valid trust anchor for this profile*' error for all Windows 7 machines once they had been rebooted whilst connected to the domain to pick up the change.
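The fix above hinged on publishing the right certificate (the issuing CA, not just the root) in the Enterprise NTAuth store. As an added check that is not code from this thread, the following PowerShell walks the NPS server certificate's chain and reports which chain members are already present in the forest's NTAuthCertificates object; it assumes a domain-joined machine with read access to the Configuration naming context and a placeholder path to the server certificate exported as a .cer file.

```powershell
# Added example (not from the thread): compare the NPS server cert chain against the
# Enterprise NTAuth store so you can see whether the issuing CA or only the root is published.
# Assumptions: domain-joined host, read access to the Configuration NC, and a .cer export of
# the server certificate at $ServerCertPath (placeholder path, replace with your own).
param(
    [string]$ServerCertPath = 'C:\temp\nps-server.cer'   # placeholder, not a real path
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $ServerCertPath

# Build the chain the way a client would see it (server cert -> issuing CA -> root).
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    Write-Warning "Chain did not build cleanly: $($chain.ChainStatus | ForEach-Object StatusInformation)"
}

# Read every certificate published in CN=NTAuthCertificates (the object that
# 'certutil -enterprise -addstore NTAuth' writes to).
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntauthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntauth   = [ADSI]"LDAP://$ntauthDN"
$ntauthThumbprints = foreach ($raw in $ntauth.Properties['cACertificate']) {
    (New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$raw)).Thumbprint
}

# One row per chain element. The 'issuing/intermediate CA' row is the one the accepted
# answer needed in NTAuth; a root-only entry leaves Windows 7 clients prompting.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($c.Thumbprint -eq $cert.Thumbprint) { $role = 'server cert' }
    elseif ($c.Subject -eq $c.Issuer)        { $role = 'root CA' }
    else                                     { $role = 'issuing/intermediate CA' }
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        Role       = $role
        InNTAuth   = $ntauthThumbprints -contains $c.Thumbprint
    }
}
```

Clients read a cached copy of NTAuth, so after publishing a certificate expect to refresh policy or reboot on the domain before the InNTAuth result is reflected on the workstation.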
Monday, May 21, 2012 9:06 AM
Hi,
Firstly, please verify that the AddTrust External CA Root is trusted on all clients. On the problematic computer, run gpupdate /force to apply the domain policy. If the error still persists, run the following command to manually import the CA as a trusted root certification authority.
certutil -enterprise -addstore NTAuth CA_CertFilename.cer
For more detailed information, please check the following KB article:
Windows Security Alert appears when connecting to a wireless network on a workgroup machine
http://support.microsoft.com/kb/2518158
In addition, you may also use group policy to distribute certificate to all clients in domain.
Use Policy to Distribute Certificates
http://technet.microsoft.com/en-us/library/cc772491.aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Tuesday, May 22, 2012 7:28 AM
Thanks for the info Aiden but as per my original post:
All the machines are internal and on the same domain.
I have added the certificate to the Trusted Root Certificate store.
I have already imported the CA as a trusted root certification authority using certutil -enterprise -addstore NTAuth CA_CertFilename.cer on the machine
I still get the "...not configured as a valid trust anchor for this profile" prompt.
I haven't distributed the certificate through GP as I want to get it working on a test machine first.
The only way I have found to stop the prompt on connect is to create a manual profile in Manage Wireless Networks and in Protected EAP Properties tick AddTrust External CA Root from the list of Trusted Root Certification Authorities.
My dilemma is that we do not want to push the wifi config through group policy as we only want certain people to have it based on AD security group.
The goal is that we simply want the users to be able to click on the wifi network when it becomes available and connect as seamlessly as possible.
Is there a better way of doing this?
Monday, September 24, 2012 10:54 AM
Hi all,
I am looking to build a WLAN with a similar layout.
Don't I need certificates for Win7 workstations if I do not have an internal CA and only have a commercial CA certificate?
In other words, would a certificate bought from VeriSign be enough to roll out an NPS/RADIUS WLAN with PEAP v2 encryption?
Regards, Ilkin
P.S.
Please ignore my question as I've just noticed PEAP-MS-CHAP v2 authentication method does not require the deployment of user and client computer certificates.