PEAP failing when Validate server certificate enabled
Hi, I had a problem with PEAP clients failing whenever Validate server certificate was enabled in the settings for the wireless network.

I'm using AD and my environment is relatively simple, with a single domain and two sites. The DC in the primary site is Server 2003 Enterprise R2 32-bit SP2 and has all FSMOs. The secondary site DC is Server 2008 R2 RTM. I have a server in the primary site running Server 2008 Enterprise 32-bit SP2 with NPS, ADCS and IIS (for web enrollment). ADCS seems to be working well, with auto and manual enrollment working and all machines and users in the domain getting the CA cert in their trusted root CA list.

After configuring the NPS and the wireless APs, I manually (not via GPO) configured the wireless network on multiple clients (Windows 7 and XP) and found that enabling Validate server certificate prevented clients from connecting. IIRC, sometimes it would connect if a domain admin was logged on to the client, but it usually failed, and it always failed when a regular user was logged on. On the NPS/ADCS machine's security log, the reason code was 262: "The supplied message is incomplete. The signature was not verified." I did put the correct FQDN of the NPS/ADCS machine in Connect to these servers, and selected the correct CA cert in the list in Trusted Root Certification Authorities.

KB 933430 looked possibly relevant, so I set SendTrustedIssuerList = 0 on the NPS/ADCS machine, which didn't help. KB 838502 also looked relevant. Solution 2 (manually import the CA cert to the client) was not appropriate (the cert was automatically added), but Solution 1 (disabling Validate server certificate) did allow clients to connect. This was not ideal, so I kept working on the issue.

One time when connecting to the network with Validate server certificate enabled, I got a prompt about whether or not to accept the certificate, but the certificate was not what I expected. It appeared to be self-signed and the subject on the cert was "WMSvc-QUIMBY" (quimby is the NPS/ADCS machine's hostname, and from The Simpsons if you were wondering :-) ). I expected that the cert should be issued by the CA, which clients trust. I checked the NPS/ADCS machine and found the WMSvc-QUIMBY cert in the cert store alongside the ones issued by the CA. I don't recall ever using the web management service, and it wasn't running when I realized there was a cert for it.

I configured the service to use a cert issued by the CA instead of the WMSvc-QUIMBY cert, then selected Disable all purposes for this certificate in the properties of the WMSvc-QUIMBY cert. After rebooting the NPS/ADCS machine, clients could successfully connect with Validate server certificate enabled. Since this appears to have fixed the issue, I believe this self-signed cert was conflicting with or taking precedence over the one issued by the CA for server authentication.

My questions:

1. Is my theory correct or am I way off?
2. Is having multiple certs with the same purpose installed/enabled generally a bad idea and known to cause problems?
3. Is my fix correct, appropriate, and safe?
4. Is the WMSvc-QUIMBY cert needed at all, and can/should I delete it outright?
5. Is there some way to configure the order of certs or precedence to use for server authentication?
6. Any other thoughts/suggestions from the experts? Besides having NPS and ADCS on the same machine being a security risk?
June 4th, 2012 5:20am

Thanks, I found the option to choose the cert in the policy. For reference, in the NPS snap-in simply go to: Policies > Network Policies > open Properties for the policy > Constraints tab > Authentication Methods > Edit PEAP > select the cert under Certificate issued. Also thanks for the heads-up about the cert expiry.
June 4th, 2012 6:47pm
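The situation in the original post (several certificates in the NPS server's machine store that are all valid for server authentication, one of them the self-signed IIS WMSvc-<hostname> cert) and the follow-up (picking the right cert explicitly in the PEAP settings and watching its expiry) both come down to the same check: which certificates in Cert:\LocalMachine\My carry the Server Authentication EKU, which of them are self-signed, which have a private key, and when they expire. The script below is an added example written for this thread, not code from the original posts or from Microsoft. It assumes it is run in an elevated PowerShell 2.0 or later session on the NPS server, and it uses only the built-in Cert: drive and the .NET X509Certificate2 class; the output is meant to be compared against the cert shown under Certificate issued in the PEAP policy.

```powershell
# Added example (not from the original thread): enumerate every certificate in the
# local machine "Personal" store that qualifies for server authentication, flag the
# self-signed ones (e.g. the IIS "WMSvc-<host>" cert) and show key presence, chain
# validity and expiry, so the CA-issued cert can be selected explicitly in the
# NPS PEAP policy and the stray ones dealt with.
#
# Assumptions: run as an administrator on the NPS server, PowerShell 2.0 or later.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1

    # No EKU extension at all means "valid for any purpose", which also qualifies.
    if ($eku) {
        $isServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    } else {
        $isServerAuth = $true
    }
    if (-not $isServerAuth) { return }

    # New-Object/Select-Object rather than [pscustomobject] so this works on PowerShell 2.0.
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)     # WMSvc-* certs show up here
        HasKey     = $cert.HasPrivateKey                   # PEAP needs the private key
        ChainOK    = $cert.Verify()                        # builds the chain against local roots
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        Thumbprint = $cert.Thumbprint
    }
}

# CA-issued, chain-valid certs first; self-signed and broken ones at the bottom.
$candidates |
    Sort-Object SelfSigned, @{ Expression = 'ChainOK'; Descending = $true }, NotAfter |
    Select-Object Subject, Issuer, SelfSigned, HasKey, ChainOK, NotAfter, Expired, Thumbprint |
    Format-Table -AutoSize
```

Any row with SelfSigned = True is a certificate the wireless clients cannot validate against the enterprise CA, which is exactly the prompt the original poster saw; the CA-issued row with HasKey and ChainOK both True and the latest NotAfter is the one to pin under Certificate issued in the PEAP settings. Rather than leaving NPS to pick among several eligible certificates, selecting it there makes the choice deterministic, and checking NotAfter ahead of time avoids the same authentication failure reappearing when the chosen cert expires.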
