Channel: Network Access Protection forum
Error 629 VPN connection, with NAP and NPS enable


This is the scenario I'm running with this issue:

I have SERVER1 as the domain "domain.com"; it has the Certification Authority role as a CA, as well as AD and DNS. I have another SERVER2 with NPS and RAS enabled. This scenario is to try NAP through VPN.

The SERVER2 is getting the CA from SERVER1 which is stored on the Personal store on SERVER2, which is a "Computer" cert.

Both servers are Win 2k8 R2

This SERVER2 has 2 networks, a private and a public IP. The client is a Win 7 Professional, already set up with the credentials received from AD DS, because this client is part of the domain.

I am using the Extensible Authentication Protocol (EAP); to be more specific, on the SECURITY TAB of my VPN connection: Microsoft Protected EAP (PEAP) (encryption enabled), and the "Fast reconnect" checkbox has been disabled.

I have troubleshot as much as I can, and searched over the forum, but no luck yet. I'm getting this error:

"The server "SERVER2.Domain.com" presented a valid certificate issued by "Domain-SERVER1-CA", but "Domain-SERVER1-CA" is not configured as a valid trust anchor for this profile."

What might be causing this? Because it is not allowing the connection at all.

The NAP only checks if the Firewall is enabled, by the way.

Thank you in advance for any help you might have.

And from SERVER2 on the Event viewer I'm getting this error:

"The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.

The certificate's CN name does not match the passed value."

Additional Event from NPS on SERVER2:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\User
Account Name: DOMAIN\User
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\User

Client Machine:
Security ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Account Name: CLIENT.Domain.com
Fully Qualified Account Name: DOMAIN\CLIENT$
OS-Version: 6.1.7601 1.0 x86 Workstation
Called Station Identifier: W.X.Y.Z
Calling Station Identifier: W.X.Y.R

NAS:
NAS IPv4 Address: O.P.Q.R
NAS IPv6 Address: -
NAS Identifier: SERVER2
NAS Port-Type: Virtual
NAS Port: 257

RADIUS Client:
Client Friendly Name: SERVER2
Client IP Address: O.P.Q.R

Authentication Details:
Connection Request Policy Name: VPN connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: SERVER2.Domain.com
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: XXXXXXX
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
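Added diagnostic, not from the original post: a PowerShell snippet that checks the two conditions the quoted errors name, namely whether the server certificate's CN or DNS SAN matches the name the client dials, and whether the issuing CA is present as a trust anchor in the machine Trusted Root store. The FQDN `SERVER2.Domain.com` and CA name `Domain-SERVER1-CA` are taken from the post and assumed to be the real values; `Get-ExtensionText` is a helper defined here.

```powershell
# Assumed values from the post; adjust if the real names differ.
$ServerFqdn = 'SERVER2.Domain.com'
$ExpectedCa = 'Domain-SERVER1-CA'

# Helper (defined here): return the human-readable text of one X.509 extension.
function Get-ExtensionText($Cert, $Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

# 1. On SERVER2: find computer certificates in the machine Personal store
#    that carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1), which
#    SSTP/PEAP require.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-ExtensionText $_ '2.5.29.37') -match '1\.3\.6\.1\.5\.5\.7\.3\.1' }

foreach ($c in $serverCerts) {
    $cn  = if ($c.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
    $san = Get-ExtensionText $c '2.5.29.17'
    # "The certificate's CN name does not match the passed value": the name the
    # client dials must appear as the CN or as a DNS entry in the SAN.
    $nameOk = ($cn -ieq $ServerFqdn) -or ($san -imatch [regex]::Escape("DNS Name=$ServerFqdn"))
    $caOk   = $c.Issuer -imatch [regex]::Escape("CN=$ExpectedCa")
    "{0}`n  CN={1}  SAN=[{2}]`n  Issuer={3}`n  NameMatch={4}  IssuedByExpectedCA={5}  Expires={6}" -f `
        $c.Thumbprint, $cn, $san, $c.Issuer, $nameOk, $caOk, $c.NotAfter
}

# 2. On the client (and SERVER2): "not configured as a valid trust anchor"
#    means the CA certificate must sit in LocalMachine\Root, and the PEAP
#    profile's "Trusted Root Certification Authorities" list must have it ticked.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -imatch [regex]::Escape("CN=$ExpectedCa") }
if ($rootCa) {
    "Trust anchor present in LocalMachine\Root: " + ($rootCa.Thumbprint -join ', ')
} else {
    "MISSING: $ExpectedCa is not in LocalMachine\Root; import the CA certificate there."
}
```

Run the first part on SERVER2 and the second part on the Win 7 client; a NameMatch of False, or a MISSING line, points directly at the cause of the respective quoted error.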
