Windows Security Alert appears when connecting to a wireless/wired network on a Domain machine for the first time

Symptoms
A pop-up alert appears when a client connects to the network for the first time:

The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.

 
Environment
  • 802.1x
  • Validate server certificate
  • Extreme Control (NAC)
Cause
A Windows 7, 8 or 8.1 802.1X client that does not have a pre-configured 802.1X wired or wireless profile will warn that it does not trust the certificate chain presented, even if the chain is valid and the intermediate and/or root certificates are already present in the appropriate certificate stores on the client PC.
 
This is documented at https://support.microsoft.com/en-us/kb/2518158.

This does not affect Windows 10, which trusts private CAs in a different manner.
 


 
Resolution
Essentially there are two locations in which ‘trusted’ certificates can be added: the user level and the enterprise level. For a private CA chain to be trusted, and the trust anchor alert avoided, do one of the following:
 
  1. Manually pre-configure a wired / wireless 802.1X profile with the appropriate certificates installed and selected. This is a tacit ‘acceptance’ that the private CAs are truly to be trusted.
  2. Manage the client PCs using AD / GPO to automatically provision / configure the 802.1X profiles. This adds the requisite certificates to the enterprise level certificate store, which is required to avoid the trust anchor alert.
  3. Manually add the requisite certificates to the enterprise level certificate store on client PCs PRIOR to the first connection to the environment in which they will be used.
  4. Use a secure on-boarding service that clients access, which automatically installs the requisite certificates and profile configuration on unmanaged client PCs.
 
All options require some manual staging / configuration of client PCs prior to the first connection attempt. This cannot be avoided.
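The following PowerShell script is an added example of option 3 (and the profile import that option 1 relies on); it is not part of the original article and is not Extreme Networks or Microsoft code. It stages a private root CA in the machine-wide (enterprise) Root store and the issuing CA in the machine-wide CA store before the first 802.1X connection, then checks that the trust anchor landed in the LocalMachine store rather than only in the CurrentUser store. The file paths, interface name and profile XML names are placeholders, and the script assumes it is run from an elevated prompt on a machine that already has the exported .cer files.

```powershell
# Added example (not from the original article): stage a private CA chain in the
# enterprise (LocalMachine) certificate store before a client's first 802.1X
# connection, then verify it. Paths and names below are placeholders.

$RootCerPath         = 'C:\Staging\PrivateRootCA.cer'      # placeholder path
$IntermediateCerPath = 'C:\Staging\PrivateIssuingCA.cer'   # placeholder path

# Writing to the LocalMachine store requires administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Trust anchor (root) goes to LocalMachine\Root; issuing/intermediate CAs go to
# LocalMachine\CA. Import-Certificate (PKI module) exists on Windows 8 / Server
# 2012 and later; on Windows 7 the certutil fallback is used instead.
function Install-PrivateCaChain {
    param(
        [Parameter(Mandatory=$true)] [string] $RootPath,
        [Parameter(Mandatory=$true)] [string] $IntermediatePath
    )
    if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
        $root = Import-Certificate -FilePath $RootPath         -CertStoreLocation 'Cert:\LocalMachine\Root'
        $int  = Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA'
    }
    else {
        # Windows 7 fallback: certutil targets the machine store when run elevated.
        certutil.exe -addstore -f Root $RootPath         | Out-Null
        certutil.exe -addstore -f CA   $IntermediatePath | Out-Null
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootPath)
        $int  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IntermediatePath)
    }
    New-Object PSObject -Property @{
        RootThumbprint         = $root.Thumbprint
        IntermediateThumbprint = $int.Thumbprint
    }
}

# Only the machine-wide store counts as the "enterprise level" store the article
# refers to; a root that is present only under CurrentUser still triggers the alert.
function Test-TrustAnchorStaged {
    param([Parameter(Mandatory=$true)] [string] $Thumbprint)
    $inMachine = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $inUser    = Get-ChildItem 'Cert:\CurrentUser\Root'  | Where-Object { $_.Thumbprint -eq $Thumbprint }
    New-Object PSObject -Property @{
        InMachineRoot  = [bool]$inMachine
        InUserRootOnly = (-not $inMachine) -and [bool]$inUser
    }
}

$chain = Install-PrivateCaChain -RootPath $RootCerPath -IntermediatePath $IntermediateCerPath
Test-TrustAnchorStaged -Thumbprint $chain.RootThumbprint | Format-List

# Pre-provision the 802.1X profile for all users so that the first connection
# already references the staged root. The XML files are assumed to have been
# exported from a correctly configured reference machine (e.g. netsh wlan export profile).
netsh lan  add profile filename="C:\Staging\Wired-Dot1x.xml" interface="Ethernet"   # placeholder names
netsh wlan add profile filename="C:\Staging\Corp-WLAN.xml"   user=all               # placeholder name
```

Run the script once per client as part of imaging or staging; `Test-TrustAnchorStaged` returning `InMachineRoot = True` is the condition that matters, and `InUserRootOnly = True` indicates the certificate was imported by a user rather than into the enterprise store and the alert will still appear.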

 