You can use the following procedure to install Active Directory® Certificate Services (AD CS) and to enroll the server certificate on a server that is running Network Policy Server (NPS). If you deploy certificate-based authentication, the server running NPS must have a server certificate. During the authentication process, these servers send their server certificates to the client computer as proof of identity. (If NPS and AD run on two separate servers, you must be logged on as a domain user on the NPS server to enroll the certificate.)
Configuring NPS server certificate enrollment is divided into three phases:
Install the AD CS server role. You need to perform this step only if you have not yet deployed a certification authority (CA) on your network.
Configure server certificate templates and autoenrollment. The CA issues the certificate based on a certificate template, so you must configure the template for the NPS server certificate before the CA can issue it. If autoenrollment is configured, when Group Policy is refreshed on a server running NPS, all servers running NPS on the network automatically receive the server certificate. If more servers are added later, they also receive the server certificate automatically.
Refresh Group Policy on the server that is running NPS. When you refresh Group Policy, the server that is running NPS receives two certificates. One is a server certificate based on the template that you configured in the previous step; NPS uses this certificate to prove its identity to client computers that are attempting to connect to the network. The other is the CA certificate, which is automatically installed on the server that is running NPS in the Trusted Root Certification Authorities certificate store; NPS uses this certificate to determine whether to trust the certificates it receives from other computers. For example, if EAP-TLS is deployed, the client computer uses a certificate to prove its identity to the server running NPS. When the server receives the certificate from the client computer, trust is established for that certificate because the server running NPS finds the issuing CA's certificate in its Trusted Root Certification Authorities certificate store.
In addition to autoenrolling your NPS server certificate, you may need to enroll a certificate by using one of the following methods:
Because the NPS server certificate is a computer certificate, you must import the certificate into the certificate store of the local computer (not the current user).
Warning: If the NPS server certificate is incorrectly installed in the Current User certificate store, NPS cannot use the certificate for PEAP or EAP authentication, because the private key of the certificate has an incorrectly configured access control list (ACL) that prevents the Local System account from accessing the key. You can use the Certificates MMC snap-in to verify the location of the NPS server certificate. If the NPS server certificate is in the wrong location, do not attempt to drag and drop the certificate from the Current User certificate store to the Local Computer certificate store; the private key of the certificate will still have an incorrectly configured ACL. Instead, use AD CS to revoke the certificate and issue a new server certificate to the server running NPS.
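The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling. It checks the three conditions the text describes: a server-authentication certificate for this host in the Local Computer (not Current User) store, a private key attached to it, and a chain to a CA certificate in the Local Computer Trusted Root store. The EKU OID and the host-name matching rule are assumptions; adjust them if your template sets a different subject.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the server running NPS after Group Policy has been refreshed (gpupdate /force).

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed for the template)
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Returns the certificates in a store path that carry the Server Authentication EKU.
function Get-ServerAuthCertificates {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)
    }
}

# 1. The NPS server certificate must live in the Local Computer store.
$machineCerts = Get-ServerAuthCertificates -StorePath 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like "*CN=$hostFqdn*" }   # assumes the template puts the FQDN in the subject

if (-not $machineCerts) {
    Write-Warning "No server-authentication certificate for $hostFqdn in LocalMachine\My; autoenrollment did not deliver one yet."
}

foreach ($cert in $machineCerts) {
    "Found: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

    # 2. NPS needs the private key; a certificate without one cannot be used for PEAP/EAP.
    if (-not $cert.HasPrivateKey) { Write-Warning "  No private key attached; NPS cannot use this certificate." }

    # 3. The chain must end at a CA certificate in the Local Computer Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-store check only; works offline
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inMachineRoot = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if ($inMachineRoot) { "  Chains to '$($root.Subject)', present in LocalMachine Trusted Root." }
        else { Write-Warning "  Root '$($root.Subject)' is trusted only for the current user, not the computer." }
    } else {
        Write-Warning "  Chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')"
    }
}

# 4. A copy in the Current User store is the misplacement the warning describes: do not move it;
#    have the CA revoke it and issue a new certificate to the computer instead.
$userCerts = Get-ServerAuthCertificates -StorePath 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -like "*CN=$hostFqdn*" }
if ($userCerts) {
    Write-Warning "Server certificate found in CurrentUser\My (wrong store): $($userCerts.Thumbprint -join ', ')"
}
```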
To deploy the CA and autoenroll the NPS server certificate, follow these procedures:
This article is from the "Yanhuan" blog; please keep this source attribution: http://yanhuan.blog.51cto.com/1761673/1794994
NPS automatically registers AD servers