Control which certificate an NPS network policy selects when the certificate is auto-renewed

I have multiple NPS network policies using Microsoft PEAP with a self-signed certificate. When our internal CA automatically renews the certificate, all of the network policies switch to another (it appears, random) certificate installed on the NPS server. When this happens wireless clients cannot authenticate, wreaking havoc in our infrastructure.

The certificate template upon which the self-signed certificate is based automatically renews the certificate 6 weeks prior to expiration. To mitigate this issue I've set a reminder for myself to edit the NPS policies and select the renewed certificate. But I'm an IT firefighter, and sometimes fires keep me from routine tasks, even important ones.

Is there a way to tell NPS to use the renewed certificate instead of picking some certificate at random?


Solution 1:

It's not possible to control which certificate NPS will select when the certificate configured for use by a Network Policy is automatically renewed. Therefore, the best course of action is to do the following:

  1. Manually renew the self-signed certificate before the certificate is automatically renewed, then
  2. Immediately edit all affected NPS Network Policies to use the renewed certificate.

Solution 2:

This problem has bugged me for years. I think I finally found a solution involving modifying the text of the ias.xml config file. I wrote a PS function that replaces the cert thumbprint in the XML file with the NPS certificate's thumbprint. We run this function on the master server if the config file date in System32\ias is older than the cert's NotBefore date. We also run the routine on every slave server to which we sync the master's config before importing the config. We use PEAP MSCHAPv2, so please verify the thumbprint is in the same location in your config file. The XML element with the config is called msEAPConfiguration. All of our PEAP configs had a length of 1728. The certificate thumbprint starts at index 72 and is 40 characters long. There were some with a shorter config but I haven't investigated them yet.

function replace-certThumbprint {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $srcNPSConfigPath,
        [Parameter(Mandatory)] [string] $newThumbprint
    )
    # read the XML file as a document so its nodes can be iterated
    [xml]$npsXmlFile = Get-Content -Path $srcNPSConfigPath -Raw

    # read the raw XML text so it can be rewritten with minimal changes
    $rawXML = Get-Content -Path $srcNPSConfigPath -Raw

    # get the EAP configuration blobs from the XML file
    $eapNodes = $npsXmlFile.GetElementsByTagName("msEAPConfiguration")

    # find the certificate thumbprint in each node
    foreach ($node in $eapNodes) {
        # only the 1728-character PEAP layout is known; other lengths are left untouched
        if ($node.'#text'.Length -eq 1728) {
            # save original node text
            $origNode = $node.'#text'
            # the thumbprint starts at index 72 and is 40 characters long
            $thumbprint = $origNode.Substring(72, 40)
            # replace the old thumbprint with the new one only if the new one is not already present
            if ($origNode.IndexOf($newThumbprint) -eq -1) {
                # escape the patterns so -replace treats the blob text literally, not as a regex
                $newNode = $origNode -replace [regex]::Escape($thumbprint), $newThumbprint
                $rawXML  = $rawXML -replace [regex]::Escape($origNode), $newNode
            }
        }
    }

    # write the updated text back over the config file (-NoNewline avoids appending an extra line break on every run)
    $rawXML | Set-Content -Path $srcNPSConfigPath -Force -NoNewline
}
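Before running a replacement like the one above, it helps to see which thumbprints the config actually references and whether each still resolves to a valid certificate in the server's store. The following audit script is an added example (not code from either answer): it reuses the 1728/72/40 layout reported in Solution 2 as parameters, flags blobs with a different length rather than guessing their offset, and compares every binding against the newest certificate for an assumed subject name.

```powershell
# Added example, not the answer author's code. Audits which certificate thumbprints
# the msEAPConfiguration blobs in an NPS config reference and whether each one is
# still present and unexpired in LocalMachine\My. Blob offsets default to the values
# reported in Solution 2; verify them against your own ias.xml before relying on them.
function Get-NpsEapCertificateBinding {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ConfigPath,
        [int] $ExpectedLength   = 1728,
        [int] $ThumbprintOffset = 72,
        [int] $ThumbprintLength = 40
    )
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $store = Get-ChildItem -Path Cert:\LocalMachine\My

    foreach ($node in $config.GetElementsByTagName('msEAPConfiguration')) {
        $blob = $node.'#text'
        if ($blob.Length -ne $ExpectedLength) {
            # Unknown blob layout (e.g. a different EAP type): report it, do not guess the offset
            [pscustomobject]@{ Length = $blob.Length; Thumbprint = $null; Subject = $null; NotAfter = $null; Status = 'UnknownLayout' }
            continue
        }
        $thumb = $blob.Substring($ThumbprintOffset, $ThumbprintLength)
        # -eq is case-insensitive, so hex case differences between blob and store do not matter
        $cert  = $store | Where-Object { $_.Thumbprint -eq $thumb }
        $status = 'Ok'
        if (-not $cert) { $status = 'MissingFromStore' }
        elseif ($cert.NotAfter -lt (Get-Date)) { $status = 'Expired' }
        [pscustomobject]@{
            Length     = $blob.Length
            Thumbprint = $thumb
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

# Example use: list every binding that is broken or does not point at the newest
# certificate issued for this server. The subject filter is an assumption; adjust it.
$configPath = "$env:SystemRoot\System32\ias\ias.xml"
$newest = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=nps01.example.local*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

Get-NpsEapCertificateBinding -ConfigPath $configPath |
    Where-Object { $_.Status -ne 'Ok' -or $_.Thumbprint -ne $newest.Thumbprint } |
    Format-Table Length, Thumbprint, Status, NotAfter
```

An empty table means every PEAP blob already references the newest, valid certificate; any `UnknownLayout` rows are the shorter configs Solution 2 mentions and need their offset confirmed separately before any automated replacement touches them.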