Question
Wednesday, November 4, 2015 3:27 PM
Got a new cert for our NPS server that was previously working fine until the old cert expired. Now getting reason code 300, which seems to indicate a malformed cert but can't get any additional details about what is malformed. I followed NPS Cert guidelines here, and have regenerated the cert more than once to make sure I'm not missing anything.
https://msdn.microsoft.com/en-us/library/cc731363.aspx
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: user
Account Name: user
Account Domain: domain
Fully Qualified Account Name: domain/user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 24-C9-A1-CA-70-78:Wireless.Test
Calling Station Identifier: 58-3F-54-ED-EC-03
NAS:
NAS IPv4 Address: 10.xx.xx.xx
NAS IPv6 Address: -
NAS Identifier: 24-C9-A1-CA-70-78
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 63
RADIUS Client:
Client Friendly Name: controller
Client IP Address: 10.xx.xx.xx
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: radiusserver.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package
All replies (4)
Tuesday, November 10, 2015 12:42 PM ✅ Answered
Anne, we're running a BYOD program so Cert is coming from a Public CA. I had them reissue multiple times since Reason code 300 points to a "malformed cert".
It appears that this was not the case though. I removed the NPS Role, reinstalled it, and restored the configuration from an export. Then it worked. Very strange.
Thursday, November 5, 2015 3:07 AM
Hi M.Dubya,
It seems that you are configuring certificates for PEAP in the NPS policy. I have previously used a certificate duplicated from the Web Server certificate template in the CA for PEAP authentication, and it worked.
On the CA server, in Certificate Templates, find Web Server, right-click and choose Duplicate Template. In the properties for the new template, click Extensions and set Application Policies: Server Authentication.
When enrolling the certificate on the NPS server, configure the certificate's subject name > common name as the FQDN of the NPS server.
We may check whether the certificate's CN is the FQDN of the NPS server, and whether NAS clients use the FQDN of the NPS server when they connect to the network.
Best Regards,
Anne He
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Wednesday, November 11, 2015 2:28 AM
Hi M.Dubya,
Glad to hear that you have finally solved the issue by reinstalling the NPS role, and it's kind of you to give feedback here.
You may mark the resolution as the answer; anyway, reinstallation solved the issue.
Best Regards,
Anne
Wednesday, September 19, 2018 1:38 PM
The problem in my case was that I had imported the .crt certificate (without the private key), not the .p12.
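
Added example, not part of the original thread: a PowerShell check of the NPS server's computer certificate store for the points raised in the replies above (Server Authentication application policy, CN matching the server FQDN, and a private key actually present after import). It assumes the certificate is installed in `Cert:\LocalMachine\My` and that the local hostname resolves to the FQDN clients use; run it in an elevated session on the NPS server.

```powershell
# Added example: audit LocalMachine\My for certificates usable by NPS for PEAP.
# Reports, per certificate: private key present, Server Authentication EKU,
# CN or SAN matching this server's FQDN, and whether it is inside its validity period.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

# Assumption: the name returned here is the FQDN that clients validate against.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Common name from the subject, plus any DNS names from the SAN extension.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    # EKU OIDs; a certificate with no EKU extension yields an empty list
    # and is reported as ServerAuthEku = False here.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CommonName    = $cn
        HasPrivateKey = $cert.HasPrivateKey            # False when only a .crt/.cer was imported
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        NameMatches   = ($cn -eq $fqdn) -or ($dnsNames -contains $fqdn)
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    }
} | Format-Table -AutoSize
```

A certificate that shows `HasPrivateKey = False` corresponds to the .crt-without-key import described in the last reply; re-import from the .p12/.pfx that contains the key.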