I have multiple NPS network policies using Microsoft PEAP with a self-signed certificate. When our internal CA automatically renews the certificate, all of the network policies switch to another (apparently random) certificate installed on the NPS server. When this happens, wireless clients cannot authenticate, wreaking havoc in our infrastructure.
The certificate template upon which the self-signed certificate is based automatically renews the certificate 6 weeks prior to expiration. To mitigate this issue I've set a reminder for myself to edit the NPS policies and select the renewed certificate. But I'm an IT firefighter, and sometimes fires keep me from routine tasks, even important ones.
Is there a way to tell NPS to use the renewed certificate instead of picking some certificate at random?
It's not possible to control which certificate NPS will select when the certificate configured for use by a Network Policy is automatically renewed. Therefore, the best course of action is to do the following:
This problem has bugged me for years. I think I finally found a solution involving modifying the text of the ias.xml config file. I wrote a PS function that replaces the cert thumbprint in the XML file with the NPS certificate's thumbprint. We run this function on the master server if the config file date in System32\ias is older than the cert's NotBefore date. We also run the routine on every slave server to which we sync the master's config, before importing the config. We use PEAP MSCHAPv2, so please verify the thumbprint is in the same location in your config file. The XML element with the config is called msEAPConfiguration. All of our PEAP configs had a length of 1728. The certificate thumbprint starts at index 72 and is 40 characters long. There were some with a shorter config, but I haven't investigated them yet.
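As an added example (not the answerer's own script), here is one way to automate in PowerShell what the answer above describes. The offsets (msEAPConfiguration length 1728, thumbprint at index 72, 40 hex characters) are taken from the answer and must be verified against your own ias.xml; everything else is an assumption: the certificate-selection rule in `Get-NpsCertificate`, the hypothetical subject `nps.corp.example`, the service restart after patching, and the sync path used for secondary servers. Because a wrong offset would silently corrupt the policy, the function refuses to overwrite anything at that position that is not already a thumbprint present in the machine certificate store.

```powershell
# Added example, not the answerer's own script. Offsets come from the answer
# (PEAP-MSCHAPv2 config of length 1728, thumbprint at index 72, 40 hex chars)
# and are treated as assumptions to check against your own file.

function Get-NpsCertificate {
    # Assumption (hypothetical selection rule): the NPS certificate is the newest
    # unexpired one in LocalMachine\My with a private key and a matching subject.
    param([Parameter(Mandatory)][string]$SubjectFilter)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "*$SubjectFilter*" } |
        Sort-Object -Property NotBefore -Descending |
        Select-Object -First 1
}

function Update-NpsPeapThumbprint {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ConfigPath = "$env:SystemRoot\System32\ias\ias.xml",
        [int]$Offset = 72,            # start of the thumbprint inside msEAPConfiguration
        [int]$Length = 40,            # 20-byte SHA-1 thumbprint written as hex
        [int]$ExpectedLength = 1728   # total length of the PEAP configs in the answer
    )

    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Thumbprint.Length -ne $Length) { throw "Thumbprint must be $Length hex characters." }

    # Safety check: whatever sits at the offset must be a thumbprint of a certificate
    # in the machine store, otherwise the layout differs and we must not touch the file.
    $knownThumbprints = @(Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

    [xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
    $changed = 0
    foreach ($node in $doc.SelectNodes('//msEAPConfiguration')) {
        $value = $node.InnerText
        if ($value.Length -ne $ExpectedLength) {
            Write-Warning "Skipping msEAPConfiguration of length $($value.Length); expected $ExpectedLength (non-PEAP or unknown layout)."
            continue
        }
        $current = $value.Substring($Offset, $Length)
        if ($current -notmatch '^[0-9A-Fa-f]{40}$' -or $knownThumbprints -notcontains $current.ToUpperInvariant()) {
            Write-Warning "Value at offset $Offset ('$current') is not a thumbprint from LocalMachine\My; skipping to avoid corrupting the config."
            continue
        }
        if ($current -ieq $Thumbprint) { continue }   # already points at the renewed certificate

        # Preserve whatever letter case the file already uses for hex digits.
        $new = if ($current -cmatch '[a-f]') { $Thumbprint.ToLowerInvariant() } else { $Thumbprint }
        if ($PSCmdlet.ShouldProcess($ConfigPath, "replace thumbprint $current with $new")) {
            $node.InnerText = $value.Substring(0, $Offset) + $new + $value.Substring($Offset + $Length)
            $changed++
        }
    }

    if ($changed -gt 0) {
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy
        $doc.Save($ConfigPath)
    }
    return $changed
}

# Master server: patch ias.xml only when the file predates the renewed certificate,
# which is the trigger the answer uses.
$cert = Get-NpsCertificate -SubjectFilter 'nps.corp.example'   # hypothetical subject
$cfg  = Get-Item -LiteralPath "$env:SystemRoot\System32\ias\ias.xml"
if ($cfg.LastWriteTime -lt $cert.NotBefore) {
    $n = Update-NpsPeapThumbprint -Thumbprint $cert.Thumbprint
    if ($n -gt 0) { Restart-Service -Name IAS }   # assumption: NPS re-reads ias.xml on service start
}

# Secondary servers: patch the copy synced from the master before importing it.
# $synced = 'C:\NpsSync\ias.xml'   # hypothetical sync location
# Update-NpsPeapThumbprint -Thumbprint $cert.Thumbprint -ConfigPath $synced | Out-Null
# Import-NpsConfiguration -Path $synced
```

Run it first with `-WhatIf` (`Update-NpsPeapThumbprint -Thumbprint $cert.Thumbprint -WhatIf`) to see which elements would change; if every element is skipped with the "not a thumbprint" warning, the offsets differ from the answer's files and need to be measured on your own config before proceeding.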