Verify Server Enrollment of a Server Certificate

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to verify that your Network Policy Server (NPS) servers have enrolled a server certificate from the certification authority (CA).

Note

Membership in the Domain Admins group is the minimum required to complete these procedures.

Verify Network Policy Server (NPS) enrollment of a server certificate

Because NPS is used to authenticate and authorize network connection requests, it is important to ensure that the server certificate issued to your NPSs is valid when it is used in network policies.

To verify that a server certificate is correctly configured and is enrolled to the NPS, you must configure a test network policy and allow NPS to verify that it can use the certificate for authentication.

To verify NPS enrollment of a server certificate

  1. In Server Manager, click Tools, and then click Network Policy Server. The Network Policy Server Microsoft Management Console (MMC) opens.

  2. Double-click Policies, right-click Network Policies, and click New. The New Network Policy wizard opens.

  3. In Specify Network Policy Name and Connection Type, in Policy name, type Test policy. Ensure that Type of network access server has the value Unspecified, and then click Next.

  4. In Specify Conditions, click Add. In Select condition, click Windows Groups, and then click Add.

  5. In Groups, click Add Groups. In Select Group, type Domain Users, and then press ENTER. Click OK, and then click Next.

  6. In Specify Access Permission, ensure that Access granted is selected, and then click Next.

  7. In Configure Authentication Methods, click Add. In Add EAP, click Microsoft: Protected EAP (PEAP), and then click OK. In EAP Types, select Microsoft: Protected EAP (PEAP), and then click Edit. The Edit Protected EAP Properties dialog box opens.

  8. 在 "编辑受保护的 EAP 属性" 对话框中,在 "证书颁发给" 中,NPS 以ComputerName格式显示服务器证书的名称。In the Edit Protected EAP Properties dialog box, in Certificate issued to, NPS displays the name of your server certificate in the format ComputerName.Domain. 例如,如果你的 NPS 命名为 NPS-01,而你的域为 example.com,则 NPS 将显示证书NPS-01.example.comFor example, if your NPS is named NPS-01 and your domain is example.com, NPS displays the certificate NPS-01.example.com. 此外,在颁发者中,会显示证书颁发机构的名称,并在过期日期中显示服务器证书的过期日期。In addition, in Issuer, the name of your certification authority is displayed, and in Expiration date, the date of expiration of the server certificate is shown. 这说明 NPS 注册了有效的服务器证书,该证书可用于向尝试通过网络访问服务器访问网络的客户端计算机证明其身份,例如虚拟专用网络 (VPN) 服务器、支持 802.1 X 的无线访问点、远程桌面网关服务器和支持 802.1 X 的以太网交换机。This demonstrates that your NPS has enrolled a valid server certificate that it can use to prove its identity to client computers that are trying to access the network through your network access servers, such as virtual private network (VPN) servers, 802.1X-capable wireless access points, Remote Desktop Gateway servers, and 802.1X-capable Ethernet switches.

    重要

    如果 NPS 未显示有效的服务器证书,并且它提供在本地计算机上找不到此类证书的消息,则有两个可能的原因会导致此问题。If NPS does not display a valid server certificate and if it provides the message that such a certificate cannot be found on the local computer, there are two possible reasons for this problem. 组策略没有正确刷新,且 NPS 尚未从 CA 注册证书。It is possible that Group Policy did not refresh properly, and the NPS has not enrolled a certificate from the CA. 在这种情况下,请重新启动 NPS。In this circumstance, restart the NPS. 计算机重新启动时,将刷新组策略,你可以再次执行此过程以验证是否已注册服务器证书。When the computer restarts, Group Policy is refreshed, and you can perform this procedure again to verify that the server certificate is enrolled. 如果刷新组策略不能解决此问题,则说明证书模板、证书自动注册或两者均未正确配置。If refreshing Group Policy does not resolve this issue, either the certificate template, certificate autoenrollment, or both are not configured correctly. 若要解决这些问题,请从本指南的开头开始,并再次执行所有步骤,以确保你提供的设置准确无误。To resolve these issues, start at the beginning of this guide and perform all steps again to ensure that the settings that you have provided are accurate.

  9. When you have verified the presence of a valid server certificate, you can click OK and then Cancel to exit the New Network Policy wizard.

    Note

    Because you are not completing the wizard, the test network policy is not created in NPS.
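The wizard walk-through above inspects the certificate by hand. The following PowerShell script is an added example, not part of the Microsoft page, that performs the equivalent check from an elevated session on the NPS: it looks in the local computer's personal store for an unexpired certificate that has a private key, carries the Server Authentication enhanced key usage, and is issued to the computer's fully qualified name (the same ComputerName.Domain value the Edit Protected EAP Properties dialog shows), then validates the chain with the PKI module's Test-Certificate cmdlet. The function name Get-NpsServerCertificate is an assumed name for this example; the certificate store path, the EKU object identifier and the template extension OID are standard Windows values, and the gpupdate and certutil -pulse commands named in the warning are the standard way to trigger a Group Policy refresh and autoenrollment without the reboot the Important note describes.

```powershell
# Added example (not from the Microsoft page): check the local machine store for a
# server certificate that NPS can present during PEAP, mirroring what the
# "Certificate issued to" field of the Edit Protected EAP Properties dialog shows.
# Run in an elevated PowerShell session on the NPS itself.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication EKU
$templateExtOid = '1.3.6.1.4.1.311.21.7'      # Certificate Template Information (V2 templates)
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. NPS-01.example.com

# Assumed function name for this example. Returns candidate certificates, newest expiry first.
function Get-NpsServerCertificate {
    param([string]$DnsName = $fqdn)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
            (($_.DnsNameList.Unicode -contains $DnsName) -or ($_.Subject -like "CN=$DnsName*"))
        } |
        Sort-Object -Property NotAfter -Descending
}

$cert = Get-NpsServerCertificate | Select-Object -First 1

if (-not $cert) {
    # Same failure the Important note describes: nothing usable has been enrolled yet.
    Write-Warning "No valid server certificate for $fqdn found in Cert:\LocalMachine\My."
    Write-Warning "Refresh Group Policy and trigger autoenrollment, then run this check again:"
    Write-Warning "    gpupdate /target:computer /force ; certutil -pulse"
    return
}

# The template extension tells you which CA template issued the certificate,
# which is the first thing to compare against the template configured for NPS.
$templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateExtOid }

# Same fields the dialog shows (issued to, issuer, expiration date) plus the template.
[pscustomobject]@{
    IssuedTo   = $fqdn
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Expires    = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    Template   = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }
}

# Validate the chain and EKU the way a TLS client would (PKI module cmdlet).
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -EKU $serverAuthOid -ErrorAction SilentlyContinue
if ($chainOk) {
    'Certificate chains to a trusted CA and is usable for PEAP server authentication.'
} else {
    Write-Warning 'Chain or EKU validation failed: confirm the issuing CA root is trusted on this host and that the template includes Server Authentication.'
}
```

A certificate that passes this check but still does not appear in the dialog usually points at the template or autoenrollment configuration rather than at the certificate itself, which is the second cause listed in the Important note above; the Template field in the output is the quickest way to confirm that the enrolled certificate came from the template you intended.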