NPS server with wildcard certificate and PEAP MS-CHAP v2 authentication
I've read through many threads in the forums, and looked at various design guides and configuration instructions, including the TechNet article often referenced, PEAP-MS-CHAP v2-based Authentication, but I am still stuck... I have an NPS setup on Windows Server 2008 R2. I have a policy set up and working, and clients can authenticate (Windows XP, Vista, 7) if the client configuration is changed to remove the setting for "Validate server certificate". I have a wildcard certificate "*.southplainscollege.edu" installed on the RPS server, issued from Verisign. I created it with the server authentication role. The certificate is working for LDAPS and IIS/SSL connections without any problems from clients. But I can't get the Windows PEAP clients to work. I do not want to join the clients to the domain, as these are not college-owned computers but personal computers for students and employees. The only thing that might be missing is that the certificate was not issued with the "SubjectAltName" tag. I just came across that option in an old TechNet article discussing IAS on Windows 2000/2003. How can I do troubleshooting on the clients to find out where this is failing? As stated, authentication works when "Validate server certificate" is unchecked, but when it is checked, client authentication fails (the user is continuously prompted for their username and password).

Tim Winders | Associate Dean of Information Technology | South Plains College
August 16th, 2010 7:31pm
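On the client side, the thing to look at before anything else is what the wireless profile tells the PEAP supplicant to check on the server certificate. The script below is an added example for this thread (not code from the original poster or from Microsoft). It parses an exported wireless profile and reports the PerformServerValidation flag, the pinned root CA thumbprints and the optional server-name list, then checks whether each pinned root is actually installed in the client's Trusted Root store. Real input comes from `netsh wlan export profile name="SPC-Wireless" folder=C:\Temp` (profile name and folder are assumptions); the XML embedded here is a constructed stand-in with a fake thumbprint.

```powershell
# Added example (not from the thread). Reads the PEAP server-validation settings out of a
# netsh-exported wireless profile and checks the pinned roots against LocalMachine\Root.

function Get-PeapServerValidation {
    param([Parameter(Mandatory=$true)][xml]$Profile)

    # local-name() sidesteps the several Microsoft provisioning namespaces in the file.
    $perform = $Profile.SelectSingleNode("//*[local-name()='PerformServerValidation']")
    $prompt  = $Profile.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")
    $names   = $Profile.SelectSingleNode("//*[local-name()='ServerNames']")
    $roots   = $Profile.SelectNodes("//*[local-name()='TrustedRootCA']")

    # netsh writes thumbprints as space-separated hex bytes; normalise to the form the Cert: drive uses.
    $thumbs = @()
    foreach ($r in $roots) {
        $t = ($r.InnerText -replace '\s', '').ToUpperInvariant()
        if ($t) { $thumbs += $t }
    }

    New-Object PSObject -Property @{
        PerformServerValidation = $(if ($perform) { [bool]::Parse($perform.InnerText) } else { $null })
        UserPromptDisabled      = $(if ($prompt)  { [bool]::Parse($prompt.InnerText) }  else { $null })
        ServerNames             = $(if ($names -and $names.InnerText) { $names.InnerText } else { '(empty: no name check)' })
        TrustedRootThumbprints  = $thumbs
    }
}

function Test-RootInstalled {
    # True when this client has the pinned root CA in its machine Trusted Root store.
    param([string]$Thumbprint)
    return (Test-Path "Cert:\LocalMachine\Root\$Thumbprint")
}

# Constructed sample profile: validates the server, pins one root (fake thumbprint),
# and leaves the "Connect to these servers" list empty.
$SampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SPC-Wireless</name>
  <MSM>
    <security>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Config>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
                  </ServerValidation>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

$v = Get-PeapServerValidation -Profile ([xml]$SampleProfileXml)
$v | Format-List
foreach ($t in $v.TrustedRootThumbprints) {
    "{0} installed in LocalMachine\Root: {1}" -f $t, (Test-RootInstalled $t)
}
```

Run it against the real export on one of the failing XP/Vista/7 machines. A pinned root that is not installed, or a pinned root that is not the one VeriSign actually chained the wildcard certificate to, explains a failure that disappears the moment "Validate server certificate" is unchecked, and an empty ServerNames list rules out a name-matching problem on that profile.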

Hello, thank you for your post here. Similar issues have been reported, and it seems there is a subject mismatch when you have "*.southplainscollege.edu" wildcard certificates as the NPS server certificate. If possible, you may get a new certificate with the wildcard name ".*.southplainscollege.edu" (note the "." before the "*") and check how it works.
August 18th, 2010 11:17am

Dang... having another wildcard certificate issued isn't exactly "easy". *sigh* Do I need to have the SubjectAltName tag completed for RPS to work correctly?

Tim Winders | Associate Dean of Information Technology | South Plains College
August 18th, 2010 9:10pm

We have a whole heap of NPS servers running on Windows Server 2008 R2. The certificate needed by the NPS service is one based on the "RAS and IAS Server" certificate template. This has an intended purpose of both Server and Client Authentication, whereas the Web Server (SSL) certificates are for Server Authentication only. Secondly, some of the services don't like wildcard certificates. I have never tried a wildcard certificate with NPS, but if it's based on the correct template, it might work. Another thing that I have noticed with clients trying to use NPS is that they have to trust the root CA that has issued the certificate being used by the NPS service. Please make sure that you have all the proper certificates in the Trusted Root Certification Authorities container of the client computer.
August 19th, 2010 6:38am
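The properties Jai lists (both EKUs, the template the certificate came from, a usable private key, and a chain that terminates in a trusted root) can all be read off the certificate on the NPS server itself. The script below is an added example for this thread, not Jai's code or anything from Microsoft's documentation. It walks the machine Personal store, which is where NPS picks its PEAP certificate from, and reports those properties for each certificate. The OIDs are the standard ones; the template extension only appears on certificates issued from an enterprise CA template such as "RAS and IAS Server", so a VeriSign certificate is expected to show none, which is why the EKUs are checked directly rather than inferred from the template.

```powershell
# Added example (not from the thread). Reports PEAP-relevant properties of every
# certificate in the NPS server's machine Personal store.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$TemplateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # Template Name / Template Information
$SanOid        = '2.5.29.17'           # Subject Alternative Name

function Get-ExtensionText {
    # Human-readable text of the first extension whose OID is in $Oids, or $null.
    param($Cert, [string[]]$Oids)
    foreach ($ext in $Cert.Extensions) {
        if ($Oids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return $null
}

function Get-EkuOids {
    param($Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($o in $ext.EnhancedKeyUsages) { $oids += $o.Value }
        }
    }
    return $oids
}

function Test-NpsServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekus  = Get-EkuOids $Cert
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck keeps this runnable offline; use Online on a connected server so CRL fetch problems show up too.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built    = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $rootThumb = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    $tmpl = Get-ExtensionText $Cert $TemplateOids
    $san  = Get-ExtensionText $Cert @($SanOid)

    New-Object PSObject -Property @{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey                 # NPS cannot use a cert without one
        ServerAuthEku  = ($ekus -contains $ServerAuthOid)    # required for PEAP
        ClientAuthEku  = ($ekus -contains $ClientAuthOid)    # present on the RAS and IAS Server template
        Template       = $(if ($tmpl) { $tmpl } else { '(none: not issued from an enterprise CA template)' })
        SubjectAltName = $(if ($san)  { $san }  else { '(none)' })
        ChainBuilds    = $built
        ChainProblems  = $(if ($problems) { $problems } else { 'none' })
        RootInStore    = $(if ($rootThumb) { Test-Path "Cert:\LocalMachine\Root\$rootThumb" } else { $false })
    }
}

# Usage on the NPS server (elevated prompt, since the private-key flag needs read access to the machine store).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCert $_ } |
    Select-Object Subject, HasPrivateKey, ServerAuthEku, ClientAuthEku, Template, SubjectAltName, ChainBuilds, ChainProblems, RootInStore |
    Format-List
```

The RootInStore thumbprint is also the one to look for on a client: a client that does not carry that exact root in its own Trusted Root Certification Authorities store will reject the server no matter how the certificate was issued.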

Thank you, Jai. I neglected to give a URL in my first post, but you can visit https://myspc.southplainscollege.edu to see how the wildcard certificate looks. This is not the server running NPS, but it is the certificate. The chaining is set up the same on all the servers, but it's a standard Verisign certificate, so the root CA should not be a problem. (I did have an issue with this on Windows Mobile phones using this certificate; I had to have the client import the Verisign root CA to work properly. Not sure if that's normal or an indication I have something set up wrong.) If I were to get a new certificate issued, do you have a format for the .INF file used to create it? I also used the same certificate for my LDAPS and SMTP/S services and they are working without issue. When I look at the certificate in question in the Certificate MMC, the certificate shows "Server Authentication, Client Authentication" under intended purpose.

Tim Winders | Associate Dean of Information Technology | South Plains College
August 19th, 2010 6:45am
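For the .INF format Tim asks about: with a public CA there is no template to select, so the request has to carry the EKUs and the SubjectAltName itself. The script below is an added example for this thread (not Tim's or Jai's code); the INF section names and the `{text}` / `_continue_` SAN syntax are certreq's own, while the host names, subject details and paths are placeholders (the domain is taken from the thread). It writes an INF for a named, non-wildcard NPS certificate with both EKUs and a SAN listing every DNS name the server is reached by, then generates the PKCS#10 request in the machine key store so the issued certificate lands where NPS can use it.

```powershell
# Added example (not from the thread). Generates a certreq .INF and request for an
# NPS/PEAP server certificate to be signed by a public CA.

function New-NpsCertRequestInf {
    param(
        [string]$Subject,      # full X.500 subject; CN should be the NPS host name
        [string[]]$DnsNames,   # every DNS name clients or RADIUS clients may use for this server
        [string]$InfPath
    )
    # certreq SAN syntax: one dns= entry per continuation line, '&' joins all but the last.
    $san = @()
    for ($i = 0; $i -lt $DnsNames.Count; $i++) {
        $sep = ''
        if ($i -lt $DnsNames.Count - 1) { $sep = '&' }
        $san += ('_continue_ = "dns={0}{1}"' -f $DnsNames[$i], $sep)
    }
    $sanBlock = $san -join "`r`n"

    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
; AT_KEYEXCHANGE: the key must be usable for TLS key exchange
KeySpec = 1
; Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0
Exportable = FALSE
; NPS runs as a service, so the key has to live in the machine store
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication, required for PEAP
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication, as on the RAS and IAS Server template
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
$sanBlock
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    return $InfPath
}

# Assumed names: nps1.southplainscollege.edu is the NPS host; L/S are placeholders for the CA's vetting fields.
$inf = New-NpsCertRequestInf `
    -Subject  'CN=nps1.southplainscollege.edu, O=South Plains College, L=City, S=State, C=US' `
    -DnsNames @('nps1.southplainscollege.edu', 'radius.southplainscollege.edu') `
    -InfPath  'C:\Temp\nps1.inf'

# Creates the key pair in the machine store and writes the request to submit to the CA.
# When the CA returns the certificate, install it on the same server with:  certreq -accept C:\Temp\nps1.cer
& certreq.exe -new $inf 'C:\Temp\nps1.req'
```

Run `certreq -new` on the NPS server itself, not on a workstation, because the private key is generated where the command runs and is marked non-exportable; `certreq -accept` on that same server then pairs the issued certificate with it.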

Hi Tim, I'm just wondering if you ever figured out a solution to this problem. I am having the exact same issue: NPS on a 2008 R2 server, I have set it up with a wildcard certificate as well, and I cannot get Windows clients to connect (Mac and iPhone seem to work, though...). Thanks!

Josh
February 8th, 2011 6:15pm
