

eap-tls with non domain joined computers

Question

Tuesday, September 18, 2018 8:56 PM

Hello!

I am having a heck of a time getting a non domain joined computer (Windows or Mac) to work with EAP-TLS using machine certificates. Every time the laptop connects, the event viewer on the NPS server shows Reason code 8 - "specified user account does not exist". Which makes sense, since the computer is not in the domain so it does not exist; as soon as I join it to the domain everything works as expected.

Is there something in the NPS server or in my ADCS certificate template that I can set so it will not check if the computer is in AD and just verify the certificate?

Cheers,

Paul

All replies (5)

Wednesday, September 19, 2018 2:09 AM

Hi,

Thanks for your question.

Please manually add the non domain user accounts into the AD and NPS allowed lists. 

Best regards,

Travis

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]


Wednesday, September 19, 2018 3:45 PM

Hey Travis,

Thanks for the reply. I am trying to use machine certificates and non domain joined computers, not user certificates.

I tried adding dummy computer objects but that didn't work either.

Cheers,

Paul


Thursday, September 20, 2018 9:13 AM

Hi,

You could refer to the following official article as your reference:

/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754198(v=ws.11)  

Best regards,

Travis



Thursday, September 20, 2018 8:14 PM

Hello Paul,

The article https://support.microsoft.com/en-us/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls initially seemed quite extensive/authoritative, but Brian Komar wrote this in a TechNet forum a few years ago:

There are some issues with the articles.
- The root CA certificate of the chain must be in the Trusted Root Store on both the client and the NPS/Radius server
- The CA that issued the client/server certificate must be in the NTAuth store of both the NPS/Radius Server and the client
- For a computer certificate, the certificate must include the client's DNS name as a SAN or as the Subject so that NPS can tie the authentication attempt to the client
- For a user certificate, the certificate must include the user's UPN so that NPS can tie the authentication attempt to the specific user account
Brian

The above link was one of those that Brian was referring to (i.e. one that has some issues).

When you added dummy computer objects, did you ensure that they had matching dNSHostName attributes?

Gary


Tuesday, September 25, 2018 4:33 PM

Hi Gary,

Thanks for the link. I was originally following this article (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements) for certificate requirements, and I believe it says the same thing in regards to the SAN.

I did try creating a dummy computer object and setting a dNSHostName to match what I was putting in certificates, but that did not work either.

I then found an article about getting an HP printer to work with 802.1X. They created a certificate for the printer and then a dummy user account, which they then attached the certificate to using Name Mapping in ADUC. I was able to get that to work, so that appears to be the only way I can get a non domain joined Windows computer to authenticate.

Cheers,

Paul
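An added diagnostic (not code from the thread) that checks a client certificate against the rules Gary quoted and the Name Mapping approach Paul ended up with: it builds the chain, reads the DNS names and UPNs out of the SAN, and then looks up AD the three ways NPS can tie a certificate to an account (computer by dNSHostName, user by UPN, or an explicit altSecurityIdentities mapping). It assumes the ActiveDirectory module is installed and takes a constructed certificate path as input.

```powershell
# Added example: report which AD account NPS could map a client certificate to.
# Assumes the ActiveDirectory module; C:\temp\client.cer is a constructed placeholder.
Import-Module ActiveDirectory

function Reverse-Dn([string]$Dn) {
    # ADUC Name Mapping stores DNs with components in reverse order and no spaces.
    $parts = $Dn -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function Resolve-EapTlsAccount {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Requirement 1: the chain must build to a root in the Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; NPS does its own CRL checking
    $chainOk = $chain.Build($cert)

    # Requirement 2: the SAN (OID 2.5.29.17) must carry a DNS name (computer) or UPN (user).
    # Format() output is locale dependent; these patterns match the English text.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $dnsNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)')       | ForEach-Object { $_.Groups[1].Value }
    $upns     = [regex]::Matches($sanText, 'Principal Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }

    # Look for an account the way NPS does, plus the explicit mapping ADUC writes.
    $accounts = @()
    foreach ($d in $dnsNames) {
        $accounts += Get-ADComputer -Filter "dNSHostName -eq '$d'" -ErrorAction SilentlyContinue |
            ForEach-Object { "computer $($_.Name) via dNSHostName $d" }
    }
    foreach ($u in $upns) {
        $accounts += Get-ADUser -Filter "userPrincipalName -eq '$u'" -ErrorAction SilentlyContinue |
            ForEach-Object { "user $($_.SamAccountName) via UPN $u" }
    }
    $mapping = 'X509:<I>' + (Reverse-Dn $cert.Issuer) + '<S>' + (Reverse-Dn $cert.Subject)
    $accounts += Get-ADObject -LDAPFilter "(altSecurityIdentities=$mapping)" -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.ObjectClass) $($_.Name) via altSecurityIdentities" }

    [pscustomobject]@{
        Subject = $cert.Subject; ChainTrusted = $chainOk
        DnsNames = $dnsNames; UPNs = $upns; Accounts = $accounts
    }
}

Resolve-EapTlsAccount -CertPath 'C:\temp\client.cer'
```

An empty Accounts list with ChainTrusted set to True is the situation from the original post: the certificate is valid, but NPS has no account to bind it to, which is what Reason code 8 reports.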