Asked by Marcus-9726

Microsoft NPS for Multi-Forests with EAP-TLS

I'm deploying Microsoft NPS on Windows Server 2019 across multiple AD forests with a two-way trust, for secure wireless access using EAP-TLS. The design is as below:

Forest 1 (abc.com)
Forest 2 (XYZ.com)
One Microsoft NPS server (on abc.com)

Users in abc.com can authenticate to Wi-Fi successfully using EAP-TLS, but users in XYZ.com fail to authenticate.

I have created another policy and included the Domain Users and Domain Computers groups of the xyz.com forest, but authentication still fails. I have also added the NPS server computer object to the RAS and IAS Servers group of each AD forest.

Do I need to deploy a RADIUS proxy? Or is there any other configuration that I need to do in order to make it work?


1 Answer

Answered by ClementBETACORNE

Hello,

Based on this article, it is not mandatory to have a RADIUS proxy; however, they mention that it is mandatory if you are using EAP-TLS with certificates:
"NPS supports authentication across forests without a RADIUS proxy when the two forests contain only domains that consist of domain controllers running Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. The forest functional level must be Windows Server 2008 or Windows Server 2003, and there must be a two-way trust relationship between forests. If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2008 and Windows Server 2003 domains"
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197447(v=ws.10)?redirectedfrom=MSDN

This thread mentions someone who made it work by adding the Allow to Authenticate right on the NPS:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/039ec884-3ad6-45c7-90cb-f2bbe84a6113/nps-authentication-crossforest-domains?forum=winserverNAP

Normally you should have more information in the NPS log.

Regards,


I reviewed the event log again today and below is the error message:

"A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider."

I've ensured the root certificate of XYZ.com was installed under the Intermediate Certification Authorities, Trusted Root Certification Authorities, and Enterprise Trust folders of the Microsoft NPS server. Meanwhile, I've also executed the following command and restarted the Microsoft NPS service, but the issue still persists.

certutil -enterprise -addstore NTAuth CA_CertFilename.cer

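The comment above describes importing the partner forest's CA certificate into several local stores and publishing it to NTAuth. The following PowerShell script is an added example, not code from the thread or from Microsoft: it checks on the NPS server which of those stores actually hold the certificate, whether the forest-level NTAuth store (the one `certutil -enterprise -addstore NTAuth` writes to) contains it, and lists recent NPS reject events (Security log, event ID 6273) whose reason text matches the "not trusted by the policy provider" error. It assumes it runs elevated on the NPS server, that `$PartnerCaThumbprint` is the SHA-1 thumbprint of the XYZ.com root CA certificate, and that the cached-NTAuth store can be opened under the local machine store name `NTAuth` (which is how domain-joined machines cache the forest NTAuth store).

```powershell
# Added example (not from the thread). Assumptions: runs as administrator on the
# NPS server; $PartnerCaThumbprint is the SHA-1 thumbprint of XYZ.com's root CA.
param(
    [Parameter(Mandatory)][string] $PartnerCaThumbprint
)

$thumb = $PartnerCaThumbprint.Replace(' ', '').ToUpperInvariant()

# 1. Local machine stores that NPS consults when building the client's chain.
#    Root   = Trusted Root Certification Authorities
#    CA     = Intermediate Certification Authorities
#    NTAuth = local cache of the forest NTAuth store (assumed store name)
Write-Host "Local machine stores:"
foreach ($storeName in 'Root', 'CA', 'NTAuth') {
    try {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadOnly')
        $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumb }
        $store.Close()
        $state = if ($found) { 'present' } else { 'MISSING' }
    } catch {
        $state = "could not open store ($($_.Exception.Message))"
    }
    Write-Host ('  {0,-8} {1}' -f $storeName, $state)
}

# 2. Forest-level NTAuth store (what 'certutil -enterprise -addstore NTAuth' updated).
#    certutil prints one "Cert Hash(sha1): ..." line per certificate; older
#    builds insert spaces in the hash, so spaces are stripped before comparing.
$ntauthDump = certutil -enterprise -store NTAuth 2>&1
$inForestNtAuth = $ntauthDump |
    Where-Object { $_ -match 'Cert Hash\(sha1\):\s*(.+)$' } |
    ForEach-Object { $Matches[1].Replace(' ', '').ToUpperInvariant() } |
    Where-Object { $_ -eq $thumb }
Write-Host ("Forest NTAuth store: {0}" -f $(if ($inForestNtAuth) { 'present' } else { 'MISSING' }))

# 3. Recent NPS denials carrying the untrusted-CA reason text from the thread.
$since = (Get-Date).AddDays(-1)
$denials = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'not trusted by the policy provider' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '' }
            Reason = if ($_.Message -match 'Reason:\s+(.+)')        { $Matches[1].Trim() } else { '' }
        }
    }
Write-Host ("NPS denials (event 6273) with untrusted-CA reason in last 24h: {0}" -f @($denials).Count)
$denials | Format-Table -AutoSize
```

Two points the output helps separate: `certutil -enterprise -addstore NTAuth` publishes the certificate to the NTAuth object of the NPS server's own forest (abc.com here), and the local NTAuth cache is only refreshed with Group Policy processing, so a "MISSING" on the local `NTAuth` line immediately after publishing can simply mean the cache has not been refreshed yet (a `gpupdate /force` on the NPS server and a re-run of the script settles that). If every store reports "present" and the denials continue, the remaining usual cause is chain building failing on revocation, so confirm from the NPS server that the XYZ.com CA's CRL distribution point is reachable, for example with `certutil -verify -urlfetch` against a user certificate issued by that CA.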

OK, so you should use a proxy because it is certificate-based.
