Workgroup Computer Fails NAP Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This problem can occur if a workgroup computer does not trust the server providing network authentication.

Description of system behavior

When a workgroup computer attempts to authenticate to a Network Access Protection (NAP) enforcement point such as a Health Registration Authority (HRA) server, it might not trust the server certificate. As a result, network authentication does not complete, and Network Policy Server (NPS) denies access to the user.

Associated operating system events

  • NPS event ID 6273: The Network Policy Server denied access to a user.

Root cause diagnosis and resolution

This is a trust issue. To resolve the problem, export the root CA certificate and then import it on the workgroup computer.

The root CA is not trusted

To enable a workgroup computer to trust the root CA, export the root CA certificate from a domain member computer and then import this certificate on the workgroup computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Resolution

Use the following procedures to export a root CA certificate from a domain member computer and import this certificate on a workgroup computer.

To export the root CA certificate on a domain member client

  1. On a domain member client computer, click Start, click Run, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, and then click Next.

  4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.

  5. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

  6. In the details pane, right-click the name of your root CA certificate, point to All Tasks, and then click Export.

  7. On the Welcome to the Certificate Export Wizard page, click Next.

  8. On the Export File Format page, click Next.

  9. On the File to Export page, click Browse, and then browse to a location on your network or on removable media where you can save the certificate so that it will be accessible to the workgroup computer.

  10. After you have selected a location, type a name for the file in File name, and then click Save.

  11. Verify that the file name and location are displayed under File name, click Next, and then click Finish.

  12. Verify that The export was successful is displayed, and then click OK.

To import the root CA certificate on a workgroup computer

  1. On the workgroup computer, click Start, click Run, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, and then click Next.

  4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.

  5. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

  6. Right-click Certificates, point to All Tasks, and then click Import.

  7. On the Welcome to the Certificate Import Wizard page, click Next.

  8. On the File to Import page, click Browse.

  9. Browse to the location where you saved the root CA certificate from the domain member computer, and click Open.

  10. On the File to Import page, verify the location of the root CA certificate file is displayed under File name, and then click Next.

  11. On the Certificate Store page, select Place all certificates in the following store, verify that Trusted Root Certification Authorities is displayed under Certificate store, and then click Next.

  12. On the Completing the Certificate Import Wizard page, click Finish.

  13. Verify that The import was successful is displayed, and then click OK.

Note

Depending on the type of NAP enforcement method you are using, you might be prompted to validate the root CA certificate the first time you are authenticated on the network.
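
The export and import procedures above can also be scripted. The following PowerShell is an added example, not part of the original article: it performs the same export and import, and checks the certificate file on the workgroup computer before it is placed in the Trusted Root Certification Authorities store. The function names, the file path, and the thumbprint are placeholders. The script assumes the PKI module cmdlets (Windows 8 or Windows Server 2012 and later) and an elevated session.

```powershell
# Added example. Function names, paths and thumbprints are placeholders, not values from this article.
# Assumes the PKI module (Export-Certificate / Import-Certificate) and an elevated session.

function Export-RootCa {
    # Run on the domain member: export the root CA certificate (public part only) as a DER .cer file.
    param([Parameter(Mandatory)][string]$Thumbprint,
          [Parameter(Mandatory)][string]$FilePath)
    $cert = Get-Item -Path "Cert:\LocalMachine\Root\$Thumbprint" -ErrorAction Stop
    Export-Certificate -Cert $cert -FilePath $FilePath -Type CERT | Out-Null
    # Return the thumbprint so it can be passed to the workgroup computer separately from the file.
    $cert.Thumbprint
}

function Import-RootCa {
    # Run on the workgroup computer: check the file before trusting it, then import it.
    param([Parameter(Mandatory)][string]$FilePath,
          [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $path = (Resolve-Path -LiteralPath $FilePath -ErrorAction Stop).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    # Normalize the expected value (strip spaces and other separators copied from a dialog box).
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not imported."
    }
    # A root CA certificate is self-signed, so subject and issuer must be the same name.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Subject and issuer differ, so this is not a root CA certificate. Not imported."
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Confirm the certificate is now present in the computer's Trusted Root store.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Domain member (placeholder values):
#   Export-RootCa -Thumbprint '<ROOT-CA-THUMBPRINT>' -FilePath 'E:\rootca.cer'
# Workgroup computer (placeholder values):
#   Import-RootCa -FilePath 'E:\rootca.cer' -ExpectedThumbprint '<ROOT-CA-THUMBPRINT>'
```

Comparing the thumbprint matters because any certificate placed in the Trusted Root Certification Authorities store is trusted by the whole computer, and a file carried over a network share or removable media can be replaced in transit. On systems without the PKI module, certutil -addstore Root with the exported file performs the import step.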