Windows 2008 NPS (Network Policy Server) and Stand Alone CA
Hello, I set up a domain controller (Windows 2008, not Windows 2008 R2; most of the documentation on the web refers to Windows 2008 R2) with NPS (Network Policy Server) and a stand-alone CA to authenticate my wireless users (Cisco WLAN) with their domain credentials. I configured everything on the NPS. The problem: when I try to configure the EAP type Microsoft Protected EAP (PEAP), I get the following error: Can someone help me solve this problem? Thank you, Morris
January 5th, 2012 3:47pm

The certificate must have the subject name populated with the DNS name. Optionally, the certificate can also have the same DNS name in the Subject Alternative Name. The EKU must be for Server Authentication. If you look at the RAS and IAS Server certificate template in AD, those are the required settings. The certificate cannot have an empty subject name and a populated SAN (since the NPS server, like the IAS server before it, does not follow RFC 5280 properly). Brian
January 5th, 2012 5:46pm

Your server probably has a Domain Controller Authentication certificate, which has the empty subject name and populated SAN. Brian
January 5th, 2012 5:47pm

Brian, thank you for your quick reply. I don't understand where I should go and what I should do here. Morris
January 5th, 2012 6:35pm

Please explain. Morris
January 5th, 2012 6:35pm

PEAP requires that a certificate be on the server that meets the following requirements:
- Subject is populated with the DNS name of the PEAP server
- EKU is populated with Server Authentication and Client Authentication
- Subject Alternative Name is populated with the same DNS name as the Subject
- Key Usage is set to Digital Signature and includes Key Encipherment (allowing key exchange only with key encryption), and the extension is marked as critical
Verify that your certificate meets these requirements. My guess is that because you are on a DC, the certificate you are attempting to use is the one issued to the domain controller, based on the Domain Controller Authentication template. This template does not have the subject populated with the DNS name and is not usable by the NPS server. Per RFC 5280, if the subject is blank and the SAN is populated and marked critical, the service/application should use the name asserted in the SAN. NPS does not do this, and requires that the subject be populated. Brian
January 6th, 2012 7:11am
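As an added check (example code written for this page, not from any of the posters), the following PowerShell walks the computer's Personal store on the NPS server and reports, per certificate, which of the requirements listed above it fails. A certificate from the Domain Controller Authentication template shows up as "empty Subject", and a certificate imported from a .cer alone shows up as having no private key. It uses only the .NET X509 classes present on Windows Server 2008 and assumes it is run from an elevated PowerShell on the NPS server.

```powershell
# Added example (not from the thread): check every certificate in the computer's Personal
# store against the PEAP server-certificate requirements. Run elevated on the NPS server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$SanOid        = '2.5.29.17'

function Test-NpsPeapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # 1. Subject must carry the server's DNS name. A certificate from the Domain Controller
    #    Authentication template has an empty Subject and a populated SAN; NPS rejects that.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ([string]::IsNullOrEmpty($Cert.Subject)) { $problems += 'empty Subject' }
    elseif ($Cert.Subject -notmatch '(?i)(^|, ?)CN=') { $problems += 'Subject has no CN' }

    # 2. If a SAN is present it should repeat the same DNS name.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san -ne $null -and $cn -and $san.Format($false) -notmatch [regex]::Escape($cn)) {
        $problems += 'SAN does not contain the Subject CN'
    }

    # 3. EKU must include Server Authentication (and, per the list above, Client Authentication).
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'EKU lacks Server Authentication' }
    if ($ekus -notcontains $ClientAuthOid) { $problems += 'EKU lacks Client Authentication' }

    # 4. Key Usage must carry Digital Signature and Key Encipherment (KeyUsage = 0xA0 in certreq.inf).
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -eq $null) { $problems += 'no Key Usage extension' }
    else {
        $flags = $ku.KeyUsages
        $ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $ke = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        if ([int]($flags -band $ds) -eq 0) { $problems += 'Key Usage lacks Digital Signature' }
        if ([int]($flags -band $ke) -eq 0) { $problems += 'Key Usage lacks Key Encipherment' }
        if (-not $ku.Critical)          { $problems += 'Key Usage extension not marked critical' }
    }

    # 5. NPS needs the private key; a certificate imported from a .cer alone has none.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    New-Object PSObject -Property @{
        Usable     = ($problems.Count -eq 0)
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsPeapCertificate -Cert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Usable, Subject, Problems, Thumbprint -AutoSize
```

A certificate that reports Usable = True is the one to select under the PEAP properties in NPS; anything else is the reason the EAP type dialog is unhappy.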

Brian, I found the solution to my issue. The problem is that I installed a stand-alone CA on my domain controller and had to manually create the certificate and issue it. Here are the steps I took to solve the problem:

##Create a manual certificate request##
Open Notepad, copy the text below and save it as c:\CA\cert.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=domaincontroller.domain.com"   ; must be the FQDN of the domain controller
; EncipherOnly = FALSE   ; only for Windows Server 2008; remove on Windows Server 2003
; Exportable = FALSE     ; TRUE = private key is exportable
KeyLength = 2048
KeySpec = 1              ; Key Exchange
KeyUsage = 0xA0          ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1   ; Server Authentication
OID=1.3.6.1.5.5.7.3.2   ; Client Authentication

##Run the next command##
C:\CA>certreq -new cert.inf request.req
CertReq: Request Created

##Open Certificate Authority##
1. Go to Pending Requests and issue the certificate.
2. Open the issued certificate --> Details --> Copy to File --> save it as c:\CA\server auth cert.cer

##Accept the certificate##
C:\CA>certreq -accept "server auth cert.cer"

##Open the Certificates MMC console##
Go to Personal --> Certificates --> find the certificate and check that Server Authentication and Client Authentication are there. That's all. Morris
January 6th, 2012 10:50am
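The same procedure as a script (an added example for this page, not Morris's own commands): it writes the INF with the closing quote that the forum post dropped from the Signature line, creates the request with certreq, submits it to the stand-alone CA, issues the pending request with certutil instead of clicking Issue in the CA console, then retrieves and accepts the certificate. $Fqdn and $CaConfig are placeholders for your NPS server's FQDN and the CA's "host\CA name" config string (certutil -dump on the CA prints it); the working directory is assumed to be C:\CA.

```powershell
# Added example (not from the thread): scripted certificate request against a stand-alone CA
# for the NPS/PEAP server certificate. Run in an elevated PowerShell on the NPS server.
# Assumptions: $Fqdn is this server's FQDN, $CaConfig is the CA's config string, and the
# account has rights to issue pending requests on the CA (certutil -resubmit needs them).

$Fqdn     = 'nps01.corp.example'                       # placeholder FQDN
$CaConfig = 'dc01.corp.example\Corp-Standalone-CA'     # placeholder CAHOST\CA common name
$WorkDir  = 'C:\CA'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath  = Join-Path $WorkDir 'cert.inf'
$ReqPath  = Join-Path $WorkDir 'request.req'
$CerPath  = Join-Path $WorkDir 'server-auth.cer'

# Same settings as the INF in the thread: CN = FQDN, 2048-bit RSA, KeySpec 1 (key exchange),
# KeyUsage 0xA0 (Digital Signature + Key Encipherment), EKU Server + Client Authentication.
# The `$ escapes keep "$Windows NT$" literal inside this interpolated here-string.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 1. Build the request; the key pair is generated in the machine store at this point.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit. On a stand-alone CA the request lands in "Pending Requests" and certreq
#    prints "RequestId: N"; the exit code reflects the pending status, so parse the ID instead.
$submitOut = & certreq.exe -submit -config $CaConfig $ReqPath $CerPath 2>&1
$match = $submitOut | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw "Could not find a RequestId in certreq output:`n$submitOut" }
$requestId = $match.Matches[0].Groups[1].Value

# 3. Issue the pending request (equivalent to "Issue" in the CA console) and fetch it.
& certutil.exe -config $CaConfig -resubmit $requestId
& certreq.exe -retrieve -config $CaConfig $requestId $CerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -retrieve failed (was the request issued?)' }

# 4. Bind the issued certificate to its key pair in LocalMachine\My.
& certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 5. Confirm it is there with its private key; this is the certificate to pick in PEAP settings.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Format-List Subject, Thumbprint, NotAfter, EnhancedKeyUsageList
```

Exportable is left at FALSE, as in the thread, so the key cannot leave this machine; set it to TRUE only if you intend to move the certificate to another NPS server as a PFX.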

Yes, the certreq.inf that you created matches what I stated in my email. Brian
January 6th, 2012 2:13pm

Hi Morris, I realize this is an old thread so please forgive me but I am trying to implement NPS RADIUS (EAP-TLS) on Windows 2008 R2 using a standalone CA (on the same server). I have a thread here <http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ad51be0d-9184-4424-847e-ff70f745832b> but am so far unsuccessful. Were you able to get it working with your standalone CA? Do users who want to connect by Wi-Fi simply install the same certificate on their machine? I cannot seem to find any Microsoft documentation for NPS RADIUS using a standalone CA so I would greatly appreciate any advice you can offer. Thanks.
August 23rd, 2012 1:58am

Barkley, Everything is working for me just fine. Please follow my reply to Brian. Morris
August 23rd, 2012 10:56am

This was my certreq.inf below:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=CAservername.domain.com"
KeySpec = 1
KeyLength = 2048
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Exportable = TRUE
MachineKeySet = True
UseExistingKeySet = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

After generating the certificate on my standalone CA and exporting it, I then installed it on the client but still am not able to connect. I cannot find any information about getting this to work with a standalone CA. If you have a link to any guide or walk-through that you followed to complete this which you can share, I would greatly appreciate it. Thanks very much.
August 26th, 2012 12:48pm

Hello Morris, I hope you or anyone who checks this will reply. I am very much a novice with Windows Servers. I have configured NPS on S2008R2 and the CA is on a different domain controller. I also faced the same issue that you resolved, which was resolved on my side after re-importing the Server Auth certificate with the private key, as exporting the certificate as a .cer loses the private key but a .pfx file keeps it intact. Please correct me if I am wrong. Now after this I faced another error: "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." I am trying to use PEAP with TLS only and authentication should be based only on certificates. I am avoiding MSCHAP entirely. I have the Server Authentication cert in the NPS certificate store (User/Computer account for Personal and Trusted store). And the certificate was requested from my computer for Client Authentication and is stored in (User/Computer account for Personal and Trusted store). I do not have a CA or Sub-CA configured on NPS.
August 28th, 2012 2:38am
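For the .cer-versus-.pfx point and the "one of the CA certificates is not trusted by the policy provider" error in the post above, an added PowerShell example (not the poster's code): it exports the server certificate as a PFX so the private key travels with it, imports it into the computer's Personal store on the NPS server, installs the stand-alone CA's certificate under Trusted Root Certification Authorities, and then builds the chain the same way the policy provider does so you can see whether the root is the missing piece. The thumbprint, file paths and CA certificate location are assumptions; each function is meant to be run elevated on the machine indicated in its comment.

```powershell
# Added example (not from the thread): carry the NPS server certificate between machines with
# its private key, trust the issuing stand-alone CA, and check that the chain now builds.

$Thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder; see Get-ChildItem Cert:\LocalMachine\My
$PfxPath     = 'C:\CA\nps-server-auth.pfx'                    # placeholder path
$CaCerPath   = 'C:\CA\standalone-ca.cer'                      # on the CA: certutil -ca.cert C:\CA\standalone-ca.cer
$PfxPassword = Read-Host -AsSecureString 'PFX password'
$X509        = 'System.Security.Cryptography.X509Certificates'

function Export-ServerCertPfx {
    # On the machine that holds the key. A .cer export carries only the public certificate;
    # the PFX carries the key too. Throws if the key was created with Exportable = FALSE.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; nothing to carry over' }
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [IO.File]::WriteAllBytes($PfxPath, $bytes)
}

function Import-ServerCertPfx {
    # On the NPS server. MachineKeySet stores the key under the computer account (NPS runs as
    # a service and cannot see a user-profile key); PersistKeySet keeps it after import.
    $cert = New-Object "$X509.X509Certificate2"
    $cert.Import($PfxPath, $PfxPassword, 'MachineKeySet,PersistKeySet')
    $store = New-Object "$X509.X509Store" 'My', 'LocalMachine'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    return $cert
}

function Install-TrustedRoot {
    # On the NPS server and on every wireless client. The CA that issued the server certificate
    # must be in Trusted Root Certification Authorities or the chain is reported as not trusted.
    $ca   = New-Object "$X509.X509Certificate2" $CaCerPath
    $root = New-Object "$X509.X509Store" 'Root', 'LocalMachine'
    $root.Open('ReadWrite'); $root.Add($ca); $root.Close()
}

function Test-ServerCertChain($cert) {
    # Build the chain without revocation checking, so an unreachable CRL is reported
    # separately from a missing root instead of masking it.
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) { return 'chain builds to a trusted root' }
    return ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
}

# Typical order: Export-ServerCertPfx on the source machine, then on the NPS server:
#   Install-TrustedRoot; $c = Import-ServerCertPfx; Test-ServerCertChain $c
```

If Test-ServerCertChain reports a trusted chain but EAP-TLS still fails, check next that the CRL distribution point written into the stand-alone CA's certificates is reachable from the NPS server, because NPS performs revocation checking on the client certificate; and make sure the wireless clients carry the same root and have it selected under "Validate server certificate" in the wireless profile.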
