I have configured computer authentication for Wi-Fi connections to the company network, using the Microsoft NPS server, group policy certificate auto-enrollment and group policy Wi-Fi configuration. It has been working just fine for several years.
Recently my laptop started showing this prompt upon each reboot/reconnect: "Continue connecting? If you expect to find X in this location, go ahead and connect"
So I checked the server thumbprint in the CA-issued certificates, and it matches the thumbprint of the current and valid certificate assigned to the NPS server.
Also, this same certificate (with the same expiration date) is configured in the NPS server as the certificate used to prove its identity.
Also, the root CA is configured in the GPO as a trusted root for NPS authentication.
Furthermore, the STL-SVRADMIN-CA is added as a trusted root CA on the laptop showing the action-needed prompt.
The same certificate is used for the IIS server on SVRADMIN, which is validated just fine.
So the question: Why is this laptop prompting me for a go-ahead? It seems like it should be able to verify the NPS identity by the CA configured and server thumbprint shown in the prompt.
Alright, so I found the solution, with some help from @GregAskew, who pointed me in the right direction.
Apparently, when you enter the FQDN in the "Protected EAP properties", this FQDN is case-sensitive. (Can you believe it?)
After I changed the domain suffix from lowercase stl.local to uppercase STL.local, then issued a
gpupdate /force
and rebooted my laptop, everything worked again as before.
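The following PowerShell script is an added example and is not part of the original question or answer. It exports the laptop's saved Wi-Fi profiles with netsh, pulls the PEAP server-validation settings out of the profile XML, compares the ServerNames entry against an expected FQDN with a case-sensitive comparison (the mismatch the answer above describes), and checks that each TrustedRootCA thumbprint in the profile is actually present in the machine's Root store. The expected server name SVRADMIN.STL.local and the export folder under $env:TEMP are assumptions for illustration; replace them with your own values. Run it from an elevated prompt so all-user profiles are exported.

```powershell
# Added example (not from the original post): audit PEAP server-validation settings
# in the saved Wi-Fi profiles for the case mismatch described in the answer.
# Assumptions (hypothetical, not in the original post): the NPS certificate subject is
# 'SVRADMIN.STL.local' and profiles are exported to $env:TEMP\wlan-profiles.

$ExpectedServerName = 'SVRADMIN.STL.local'   # hypothetical; must match the NPS cert subject exactly, including case
$ExportDir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Export every saved profile as XML (elevated prompt needed for all-user profiles).
netsh wlan export profile folder="$ExportDir" | Out-Null

foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    [xml]$wlan = Get-Content -Path $file.FullName -Raw
    $ssid = $wlan.WLANProfile.name

    # PEAP settings sit under several XML namespaces; local-name() sidesteps them.
    $sv = $wlan.SelectSingleNode("//*[local-name()='ServerValidation']")
    if (-not $sv) { continue }   # open/PSK profile, nothing to validate

    $namesNode  = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $serverName = if ($namesNode) { $namesNode.InnerText } else { '' }
    $promptNode = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
    $noPrompt   = if ($promptNode) { $promptNode.InnerText } else { 'false' }
    # Exported thumbprints are lowercase hex separated by spaces; normalise to the store's format.
    $caThumbs   = $sv.SelectNodes("*[local-name()='TrustedRootCA']") |
                  ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }

    Write-Host "Profile '$ssid': ServerNames='$serverName' DisableUserPrompt=$noPrompt"

    # -ceq is PowerShell's case-sensitive comparison; -eq would hide exactly this mismatch.
    if ($serverName -ceq $ExpectedServerName) {
        Write-Host "  OK   ServerNames matches '$ExpectedServerName' (case-sensitive)"
    } elseif ($serverName -eq $ExpectedServerName) {
        Write-Warning "  ServerNames differs from '$ExpectedServerName' only in case; fix it in the GPO PEAP properties, then run gpupdate /force"
    } else {
        Write-Warning "  ServerNames '$serverName' does not match '$ExpectedServerName'"
    }

    # Every trusted root thumbprint named in the profile should exist in the machine Root store.
    foreach ($thumb in $caThumbs) {
        $inStore = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
        if ($inStore) {
            Write-Host "  OK   trusted root $thumb present: $($inStore.Subject)"
        } else {
            Write-Warning "  trusted root $thumb is NOT in Cert:\LocalMachine\Root"
        }
    }
}
```

Because the profile comes from the GPO, a warning here means the fix belongs in the group policy Wi-Fi configuration, not on the laptop: correct the name there, run gpupdate /force, and re-run the script after the profile has been refreshed.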