You can use these procedures to install Active Directory® Certificate Services (AD CS) and enroll a server certificate to servers running Network Policy Server (NPS). If you deploy certificate-based authentication, servers running NPS must have a server certificate. During the authentication process, these servers send their server certificate to client computers as proof of identity.
The process of configuring NPS server certificate enrollment occurs in three stages:
- Install the AD CS server role. This step is required only if you have not already deployed a certification authority (CA) on your network.
- Configure a server certificate template and autoenrollment. The CA issues certificates based on a certificate template, so you must configure the template for the NPS server certificate before the CA can issue a certificate. When you configure autoenrollment, all servers running NPS on your network automatically receive a server certificate when Group Policy on the server running NPS is refreshed. If you add more servers later, they automatically receive a server certificate, too.
- Refresh Group Policy on servers running NPS. When Group Policy is refreshed, the servers running NPS receive two certificates. One certificate is the server certificate based on the template that you configured in the previous step. NPS uses this certificate to prove its identity to client computers that attempt to connect to your network. The other certificate is the issuing CA certificate, which is automatically installed on the servers running NPS in the Trusted Root Certification Authorities certificate store. (In this procedure the issuing CA is the root CA. If you issue from a subordinate CA instead, its certificate is placed in the Intermediate Certification Authorities store and the root CA certificate in Trusted Root Certification Authorities; NPS still needs a trusted root to validate the chain.) NPS uses this certificate to determine whether to trust certificates it receives from other computers. For example, if you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because the server running NPS can build a chain from the client certificate to the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.
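The following PowerShell script is an added example and is not part of the original article. It performs the third stage on a server running NPS and then checks the outcome the article describes: it refreshes computer Group Policy, triggers autoenrollment immediately with certutil -pulse, looks for a server-authentication certificate with a private key in the Local Computer personal store, validates its chain and DNS name the way a PEAP or EAP-TLS client will, and confirms that the issuing CA certificate landed in the Trusted Root (or, for a subordinate CA, Intermediate) store. The expected DNS name defaults to the server's own FQDN; that default and the ten-second wait are assumptions, not values from the page. Run it elevated on the NPS server.

```powershell
# Added example, not from the original article. Refresh Group Policy, trigger
# autoenrollment and verify the NPS server certificate and the CA certificate.
# Assumptions (not stated on the page): the certificate's subject/SAN matches the
# server FQDN, and a short wait is enough for the autoenrollment task to finish.
param(
    [string]$ExpectedDnsName = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName,
    [int]$WaitSeconds = 10   # assumed; autoenrollment normally completes within seconds
)

# 1. Refresh computer Group Policy: delivers the autoenrollment setting and the CA certificate.
gpupdate /target:computer /force | Out-Null

# 2. Run the autoenrollment task now instead of waiting for the next scheduled pass.
certutil -pulse | Out-Null
Start-Sleep -Seconds $WaitSeconds

# 3. The NPS server certificate must be in LocalMachine\My, have a private key,
#    and carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$nps = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
})
if ($nps.Count -eq 0) {
    throw 'No server-authentication certificate with a private key in LocalMachine\My. Check the Autoenroll permission on the template and the autoenrollment Group Policy setting.'
}

# 4. Validate each candidate as a client would: chain to a trusted root, not expired, name matches.
foreach ($c in $nps) {
    $chainOk = Test-Certificate -Cert $c -Policy SSL -DNSName $ExpectedDnsName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        ChainValid = [bool]$chainOk
    }
}

# 5. The issuing CA certificate should be in Trusted Root (single-tier CA) or in
#    Intermediate CAs with its root in Trusted Root (two-tier CA).
$issuer = $nps[0].Issuer
if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $issuer) {
    "Issuing CA certificate is in Trusted Root Certification Authorities: $issuer"
}
elseif (Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -eq $issuer) {
    "Issuing CA is a subordinate CA (found in Intermediate Certification Authorities); its root must be in Trusted Root: $issuer"
}
else {
    Write-Warning "Issuing CA certificate not found on this server; NPS cannot validate client certificates chained to $issuer."
}
```

If ChainValid is false while the certificate is present, the usual causes are a missing CA certificate (step 5 reports it) or a subject/SAN that does not match the name clients are configured to trust; fix the template or the client's PEAP server-name setting rather than disabling server certificate validation on clients.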
Rather than autoenrolling an NPS server certificate, you might want to enroll the certificate by using one of the following methods:
- Manually import an NPS server certificate from removable media (for example, a floppy disk or compact disc) into the NPS certificate store.
- Use the Certificate Services Web enrollment tool to obtain the NPS server certificate.
Because the NPS server certificate is a computer certificate, you must import the certificate into the certificate store for the Local Computer rather than for the Current User.
Caution: If the NPS server certificate is erroneously installed in the Current User certificate store, NPS cannot use the certificate for EAP or Protected EAP (PEAP) authentication. The private key of a certificate imported into a user store is protected by an access control list (ACL) that grants the importing user, not the Local System account under which NPS runs, so the service cannot open the key. You can verify the location of the NPS server certificate by using the Certificates Microsoft Management Console (MMC) snap-in. If the NPS server certificate is in the incorrect location, do not attempt to drag and drop the certificate from the Current User to the Local Computer certificate store; the private key keeps its incorrectly configured ACL. Instead, revoke the certificate using AD CS and issue a new server certificate to the server running NPS.
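The following script is an added example and is not part of the original article. It is the scripted form of the check the caution describes: given a certificate thumbprint (which you supply), it reports whether the certificate sits in CurrentUser\My or LocalMachine\My, locates the private-key file on disk, and shows whether NT AUTHORITY\SYSTEM appears in that file's ACL. The key-file lookup assumes the standard locations (%APPDATA%\Microsoft\Crypto for user keys, %ProgramData%\Microsoft\Crypto for machine keys) and Windows PowerShell 5.1 on .NET Framework 4.6 or later, which provides GetRSAPrivateKey; both are assumptions, not facts from the page.

```powershell
# Added example, not from the original article. Diagnose an NPS server certificate
# imported into the wrong store. Assumes Windows PowerShell 5.1 / .NET 4.6+ and the
# default key-storage directories; $Thumbprint is supplied by the operator.
param([Parameter(Mandatory)][string]$Thumbprint)

function Get-PrivateKeyFile {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$CryptoRoot   # assumed root of the key-storage tree for this store
    )
    # CNG keys expose Key.UniqueName; legacy CAPI keys expose UniqueKeyContainerName.
    $name = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $name = $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
    } catch { return $null }   # no private key, or not readable by the current account
    if (-not $name) { return $null }
    Get-ChildItem -Path $CryptoRoot -Recurse -File -Filter $name -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Test-SystemKeyAccess {
    # True when the key file's ACL contains an Allow ACE for the Local System account.
    param([System.IO.FileInfo]$KeyFile)
    $acl = Get-Acl -Path $KeyFile.FullName
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and $_.AccessControlType -eq 'Allow'
    })
}

$inUser    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object Thumbprint -eq $Thumbprint
$inMachine = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint

if ($inUser) {
    Write-Warning "Certificate $Thumbprint is in CurrentUser\My. NPS runs as Local System and will not use it."
    $keyFile = Get-PrivateKeyFile -Cert $inUser -CryptoRoot "$env:APPDATA\Microsoft\Crypto"
    if ($keyFile) {
        "Private key file : $($keyFile.FullName)"
        "SYSTEM on key ACL: $(Test-SystemKeyAccess $keyFile)"
        "Key ACL grants   : $(((Get-Acl $keyFile.FullName).Access.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
    }
    "Remediation: revoke serial $($inUser.SerialNumber) on the CA (certutil -revoke $($inUser.SerialNumber)),"
    "then let autoenrollment issue a new certificate into LocalMachine\My. Do not move the certificate between stores."
}
elseif ($inMachine) {
    "Certificate $Thumbprint is in LocalMachine\My (correct store)."
    $keyFile = Get-PrivateKeyFile -Cert $inMachine -CryptoRoot "$env:ProgramData\Microsoft\Crypto"
    if ($keyFile) { "SYSTEM on key ACL: $(Test-SystemKeyAccess $keyFile)" }
}
else {
    Write-Warning "Thumbprint $Thumbprint not found in CurrentUser\My or LocalMachine\My."
}
```

A user-store key is also encrypted with that user's DPAPI master key, so even editing the file ACL to add SYSTEM would not let NPS open it; that is why the caution says to revoke and reissue rather than repair. For the machine-store case, a result of False for SYSTEM is unusual and usually means the key ACL was edited by hand; reissuing is again the cleanest fix.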
To deploy a CA and autoenroll NPS server certificates, perform the following procedures: