The disappearing IAS certificate mystery

When PEAP is being set up on an IAS server, IAS asks for a certificate that it can use to set up that connection. On a DC that already has a DomainController certificate in its certificate store, that certificate fulfills the criteria sent to the certificate picker, so the default certificate selected during the installation will be the first one returned, usually the DomainController certificate.

Unless the admin manually picks another certificate during setup, this becomes the certificate chosen for that connection.

Months or years pass and a Windows 2003 Enterprise (or later) CA server is installed in the same domain. At this point the DC upgrades (supersedes) the v1 DomainController certificate with a v2 DomainControllerAuthentication certificate (or a Kerberos Authentication certificate for W2k8+).

To the admin it may appear as if the IAS certificate (the DomainController certificate chosen during the setup of IAS) has magically 'disappeared' without expiring and without anyone deleting it, but it has simply been removed from the DC's store because the DomainControllerAuthentication certificate superseded it.
Any RADIUS/IAS authentication using PEAP that relies on the deleted certificate will fail as a result.

To avoid this, if you're going to install IAS on a Domain Controller, enroll the DC for a separate certificate from the 'RAS and IAS Servers' template before IAS is installed, and choose that certificate for any PEAP setup.
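The check an admin would want before (and after) installing IAS on a DC is to see which template each server-authentication certificate in the machine store came from, so that PEAP is never bound to a DomainController-family certificate that autoenrollment will later supersede. The following PowerShell is an added example and not part of the original post: it lists the candidate certificates with their template, warns if the thumbprint currently bound to PEAP is gone or belongs to a DC template, and optionally enrolls a 'RAS and IAS Servers' certificate. It assumes it runs elevated on the DC, that an enterprise CA publishes the template under its default internal name RASAndIASServer (verify with `certutil -template` if your CA uses a copy with a different name), that the PKI module's Get-Certificate cmdlet is available (Windows Server 2012 or later), and that the `-BoundThumbprint` value is copied by hand from the PEAP settings dialog rather than read from IAS.

```powershell
# Added example, not from the original post. Assumptions: run elevated on the DC; an
# enterprise CA publishes the RAS and IAS Servers template under its default internal
# name RASAndIASServer; the PKI module (Get-Certificate) is available (Server 2012+).

$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name" extension (e.g. DomainController)
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ "Certificate Template Information" extension
$ServerAuthEku   = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU, required by the PEAP certificate picker
# Templates the CA replaces on its own when a newer DC template is published (spaces removed for comparison).
$DcTemplates     = 'DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication'

function Get-CertTemplateName {
    # Returns the template a certificate was issued from, normalized by removing spaces so that
    # the v2 display name ("Domain Controller Authentication") and the v1 internal name compare equal.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in $TemplateNameOid, $TemplateInfoOid } |
        Select-Object -First 1
    if (-not $ext) { return '<no template>' }
    # Format() decodes the extension: the v1 form yields the bare template name; the v2 form yields
    # "Template=<name>(<oid>), Major Version Number=..., Minor Version Number=..." (OID only if the
    # template name cannot be resolved on this machine).
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(,]+)') { $text = $Matches[1] }
    return ($text -replace '\s', '')
}

function Get-ServerAuthCertificate {
    # Every machine-store certificate with a private key and the Server Authentication EKU:
    # these are the certificates the IAS/PEAP certificate picker would offer.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Template   = Get-CertTemplateName -Cert $_
                NotAfter   = $_.NotAfter
                Subject    = $_.Subject
            }
        }
}

function Test-IasCertificate {
    [CmdletBinding()]
    param(
        [string]$BoundThumbprint,                 # thumbprint currently selected in the PEAP settings (optional)
        [switch]$Enroll,                          # request a certificate from $TemplateName when none is present
        [string]$TemplateName = 'RASAndIASServer' # assumed default internal name of 'RAS and IAS Servers'
    )
    $certs = @(Get-ServerAuthCertificate)
    $certs | Format-Table Thumbprint, Template, NotAfter, Subject -AutoSize | Out-Host

    $dcCerts = @($certs | Where-Object { $_.Template -in $DcTemplates })
    $rasIas  = @($certs | Where-Object { $_.Template -eq $TemplateName })

    if ($BoundThumbprint) {
        $bound = $certs | Where-Object { $_.Thumbprint -eq $BoundThumbprint }
        if (-not $bound) {
            Write-Warning "The certificate bound to PEAP ($BoundThumbprint) is no longer in the store; PEAP authentication will fail."
        } elseif ($bound.Template -in $DcTemplates) {
            Write-Warning "PEAP is bound to a $($bound.Template) certificate, which autoenrollment may supersede and delete."
        }
    }

    if ($rasIas.Count -gt 0) {
        Write-Host "OK: $($rasIas.Count) '$TemplateName' certificate(s) present; bind PEAP to one of these."
        return $rasIas
    }

    Write-Warning "No '$TemplateName' certificate found; $($dcCerts.Count) DC-template certificate(s) are the only candidates."
    if ($Enroll) {
        # Get-Certificate (PKI module) submits an enrollment request for the named template to the enterprise CA.
        $result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\LocalMachine\My
        Write-Host "Enrollment status: $($result.Status)"
        return $result.Certificate
    }
}

# Usage (thumbprint is a placeholder you copy from the PEAP settings dialog):
# Test-IasCertificate -BoundThumbprint '<thumbprint from PEAP settings>' -Enroll
```

Run it once before installing IAS so a RASAndIASServer certificate exists to pick, and keep it in a scheduled job afterwards: the warning about a missing bound thumbprint is exactly the symptom the post describes, surfaced before users start failing RADIUS authentication.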

Further details:

Server Certificate Requirements

HOW TO: Provide Secure Point-to-Point Communications Across a Private Network or the Internet in Windows Server 2003

Use certificate auto enrollment to simplify your deployment

Installing and Upgrading Certificate Templates
