"A certificate could not be found" when configuring EAP on IAS/RADIUS/NPS on a 2008 R2 Domain Controller

Issue

When configuring EAP in Network Policy Server (IAS/RADIUS) on a Windows Server 2008 R2 Domain Controller, under Network Policies | Constraints | Authentication Methods | Microsoft: Protected EAP (PEAP) | Add, the following warning is reported:

"Cannot configure EAP
A certificate could not be found that can be used with this Extensible Authentication Protocol"


Using the Certificates (Local Computer) MMC Snap-in, a valid Domain Controller Authentication certificate is seen.

Requesting a Domain Controller certificate works, but is removed at the next Group Policy refresh, as it is superseded by the Domain Controller Authentication certificate, which breaks EAP.

Resolution

The Domain Controller Authentication certificate is not valid for EAP, as the template specifies no subject which is a requirement for EAP:

Certificate Requirements for PEAP and EAP
http://technet.microsoft.com/en-us/library/cc731363.aspx
"If you issue a certificate to your server running Network Policy Server (NPS) that has a blank Subject name, the certificate is not available to authenticate your NPS server."

The issuing Certificate Authority needs the template updated to provide a certificate. This is only possible on Enterprise Edition of Windows Server 2008 R2.

From the Certificate Authority MMC console:

- Right click on Certificates and select Manage from the context menu
- Double click on the Domain Controller Authentication template
- Select the Subject Name tab
- Select DNS Name for Subject name format
- Click OK

From the DC/NPS Server:

- gpupdate /force
- Renew the certificate from the Certificates (Local Computer) MMC Snap-in.
- Double click on the reissued certificate
- Select the Details tab
- Check the Subject field is not blank

The certificate should now be available for selection.

References

Products

Microsoft Windows Server 2008 R2 SP1
Microsoft Windows Server 2008 R2 RTM

Created: 14th April 2011
Updated: 14th April 2011


© 2005-2021 Jamie Morrison