Channel: Network Infrastructure Servers forum

NPS 2012R2 with 2008 Std CA for Wireless network

Greetings,

I have a few problems implementing a new NPS server on an existing infrastructure.
At this time, the client has the following:
- 3 DC 2008 Standard x86
- 1 DC 2012R2 Standard
- 9 RODC 2008 Standard x86
- 2 NPS Servers, both on a DC 2008 Std
- 1 CA on a DC 2008 Std (one of those hosting an NPS)
- No specific templates on the CA
- 2 Wifi controllers Cisco 5500 defined as Radius clients on the NPS.
- NPS only used for Wifi authentication

Everything works quite well at this time, but as they're planning a full 2012R2 migration, we have to move the NPS to the DC 2012R2.

I installed the NPS role on the 2012R2.
I exported the NPS configuration from one of the 2008 Std then copied the xml file to the new server. The import worked fine and I had everything back online. I changed the PEAP settings in order to use the 2012R2 server certificate.
I checked that the 2012R2 computer account was in the RAS/IAS AD group.
We then changed the configuration on the Cisco 5500 so that both controllers point to the new NPS only.
We stopped the two NPS hosted on the 2008 servers then tried a wifi connection.
That's when the problems started to occur. Our test laptop was not able to connect.
I have almost no trace in the system / NPS logs, except for some Info (NPS Event 6273 stating that the server refused access to a user).
I did a few more tests and saw multiple NPS Event 17 entries referring to Message-Authenticator. I checked my radius clients settings and unchecked the matching box, which led to no more Event 17.
I activated the CAPI2 log and tested again.
I found a few errors there, including:
- CAPI2 Event 53 - unable to download disallowedcertstl.cab
- CAPI2 Event 11 - Revocation function was unable to check revocation because the revocation server was offline

I checked the certificate store on the 2012R2 NPS again and all required certificates were good:
- Personal Store: One certificate from the Domain Controller template and one from the Computer template
- I have a valid certificate in the root certification authority

However, in the Non authorized certificates store, under trusted certificates list, I have an entry which is quite weird: "Delivered by unknown, friendly name None"

Do I have to update the disallowedcertstl.cab in order to have everything working?
I am a bit out of ideas now.

Thanks

