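I have configured computer authentication for WiFi connections to the corporate network using a Microsoft NPS server, Group Policy certificate auto-enrollment, and Group Policy WiFi configuration. It has worked fine for several years.
Recently my laptop started showing this prompt on every reboot/reconnect: "Continue connecting? If you expect to find X in this location, go ahead and connect."
So I checked the server thumbprint in the certificate issued by the CA, and it matches the thumbprint of the currently valid certificate assigned to the NPS server.
Furthermore, this same certificate (with the same expiration date) is configured in the NPS server as the certificate used to prove its identity:
Furthermore, the root CA is configured in the GPO as a trusted root for NPS authentication: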
Furthermore the STL-SVRADMIN-CA is added as a trusted root CA on the laptop showing the action needed prompt:
The same cert is used for the IIS server on SVRADMIN which is validated just fine:
So the question: Why is this laptop prompting me for a go-ahead? It seems like it should be able to verify the NPS identity by the CA configured and server thumbprint shown in the prompt.
Alright so I found the solution, with some help from @GregAskew for pointing me in the right direction.
Apparently when you enter the FQDN in the "Protected EAP properties", this FQDN is case sensitive. (Can you believe it?)
After I changed the domain suffix from lowercase stl.local to uppercase STL.local, then issued a
gpupdate /force
and rebooted my laptop, everything worked again as before.
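An added example, not part of the original post: a Python check that reads the server-name list from an exported WLAN profile and reports when a configured name differs from the certificate name only by letter case, which is the mismatch described above. The profile fragment, the host name `nps01` and the function names are constructed for illustration. Treating each `;`-separated entry as a pattern that must match the whole name is an assumption about how the client compares names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the server-validation part of an exported WLAN profile
# (netsh wlan export profile), reduced to the elements this check reads.
# "nps01" is a placeholder host name; the page does not give the NPS host name.
SAMPLE_PROFILE = """\
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames>nps01.stl.local</ServerNames>
  </ServerValidation>
</EapType>
"""


def server_name_entries(profile_xml):
    """Return the ';'-separated entries of every ServerNames element."""
    entries = []
    for element in ET.fromstring(profile_xml).iter():
        # Match on the local tag name so any EAP method namespace is accepted.
        if element.tag.rsplit("}", 1)[-1] == "ServerNames" and element.text:
            entries += [e.strip() for e in element.text.split(";") if e.strip()]
    return entries


def _matches(entry, name, flags=0):
    # Assumption: an entry must match the whole certificate name.
    try:
        return re.fullmatch(entry, name, flags) is not None
    except re.error:  # not a valid pattern: compare it as a literal string
        return re.fullmatch(re.escape(entry), name, flags) is not None


def classify(profile_xml, cert_name):
    """'match', 'case-mismatch' (differs only by letter case) or 'no-match'."""
    entries = server_name_entries(profile_xml)
    if any(_matches(e, cert_name) for e in entries):
        return "match"
    if any(_matches(e, cert_name, re.IGNORECASE) for e in entries):
        return "case-mismatch"
    return "no-match"


if __name__ == "__main__":
    # Constructed certificate name using the STL.local casing from the post.
    print(classify(SAMPLE_PROFILE, "nps01.STL.local"))
```

A "case-mismatch" result points at the server-name field of the profile rather than at the certificate or the trusted root.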