I'm trying to set up an AD server running the NPS service so that both AD and non-AD machines see the certificate as valid when authenticating to the wireless network. I picked up a cert from GoDaddy and the non-AD machines are happy with it, but the AD machine I'm testing with is complaining that it is not a valid certificate.
How do I configure NPS so that both AD members and non-AD members are happy with the certificate?
EDIT:
I'm getting the error message mentioned here: http://support.microsoft.com/kb/2518158
"The server “” presented a valid certificate issued by “”, but “” is not configured as a valid trust anchor for this profile."
I'd rather not change all the AD clients to make this work. I'd prefer a solution that works by changing the server.
Best Answer
You need to distribute the root certificate (and all intermediate certs) to all your domain clients via Group Policy.
In addition, your domain clients will need the ability to check the revocation status of these certificates via the CDP (CRL Distribution Point) listed on the certs. If your domain clients don't have access to the CDP (i.e. they don't have internet access) they will not be able to check the revocation status of a GoDaddy certificate.
This is what an Online Responder (using Online Certificate Status Protocol) is for -- allowing machines in complicated network scenarios that can't access a CRL directly to use the Online Responder as a CRL-checking proxy server.
http://technet.microsoft.com/en-us/library/cc770413(v=WS.10).aspx
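The two conditions the answer names (trust anchors distributed to the client, CDP/OCSP reachable from the client) can be checked from a domain workstation with the following script. This is an added example, not code from the original post or from Microsoft; it assumes the NPS server's certificate has been exported to a file (the `C:\temp\nps-server.cer` path is a hypothetical placeholder).

```powershell
# Added example (not from the original post). Run on a domain client to check:
# (1) the root and intermediate CAs of the NPS server certificate are in the
#     machine's Root/CA stores (what the Group Policy distribution should achieve);
# (2) every CRL Distribution Point and OCSP/AIA URL in the chain answers over HTTP.
param(
    # Exported NPS server certificate; hypothetical example path.
    [string]$CertPath = 'C:\temp\nps-server.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # actually fetch CRL/OCSP
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$ok = $chain.Build($cert)
Write-Host "Chain builds with online revocation checking: $ok"
foreach ($s in $chain.ChainStatus) {
    Write-Host "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# Which issuing certificates are already in the local machine trust stores?
$rootThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
$caThumbs   = (Get-ChildItem Cert:\LocalMachine\CA).Thumbprint
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Thumbprint -eq $cert.Thumbprint) { continue }   # skip the server (leaf) cert
    Write-Host ("{0}`n   in Root store: {1}   in CA store: {2}" -f $c.Subject,
        ($rootThumbs -contains $c.Thumbprint), ($caThumbs -contains $c.Thumbprint))
}

# Pull CRL (OID 2.5.29.31) and AIA/OCSP (OID 1.3.6.1.5.5.7.1.1) URLs from the
# whole chain and probe each one; a host that answers at all (any HTTP status)
# is reachable, a connection failure means this client cannot check revocation.
$urls = foreach ($el in $chain.ChainElements) {
    foreach ($ext in $el.Certificate.Extensions) {
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            [regex]::Matches($ext.Format($false), 'http://[^\s]+') | ForEach-Object { $_.Value }
        }
    }
}
foreach ($u in ($urls | Sort-Object -Unique)) {
    try {
        $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Host "reachable    $u (HTTP $($r.StatusCode))"
    } catch {
        if ($_.Exception.Response) { Write-Host "reachable    $u (HTTP $([int]$_.Exception.Response.StatusCode))" }
        else                       { Write-Host "UNREACHABLE  $u  <- revocation check will fail here" }
    }
}
```

Store membership is only the distribution half of the fix: the quoted error refers to the trust anchor "for this profile", so the wireless profile's own trusted-root selection still has to reference the distributed root even when this script reports it present.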