Windows Security Alert appears when connecting to a wireless network on a workgroup machine

Symptoms

While connecting to a wireless network on a Windows system that is part of a workgroup, a Windows Security Alert dialog similar to the following may be displayed:

The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.

or

The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile.

If you click the Connect button on the dialog box, the wireless connection will be established successfully. 

Cause

To validate the server certificate, Windows will check if the second element in the chain, the Certification Authority (CA) that issued the end certificate, is a trusted CA for Windows NT Authentication. A CA is considered to be trusted if it exists in the "NTAuth" system registry store found in the CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location. If this verification fails, either of the warning messages in the Symptoms section could occur. By default, the CA certificate is not in the NTAuth store on a Windows system that is part of a workgroup.

Resolution

To workaround the issue, you can export the certificate of the CA that issued the certificate to the authentication server to a file. Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer

More Information

About How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store, please refer to http://support.microsoft.com/kb/295663

Microsoft Internal Support Information

Steps to reproduce.

1. Connect to a new Wireless network that does not have an existing wireless profile. (if profile exists then delete the profile first)

2. Enter user certificate or username/password for PEAP-MSCHAPv2 authentication

3. Problem "Windows Security Alert" page is presented.

4. Either click "Connect" to continue or "Terminate" to cancel wireless authentication and profile creation

 
Product Bug Number:

http://bugcheck/bugs/WindowsSE/361097

Author ID (email alias): nazheng
Writer ID(email alias): mplatts
Tech Review ID (email alias): ptsmezcs
Confirm Article has been Tech Reviewed: Yes
Confirm Article released for Publishing: Yes
속성

문서 ID: 2518158 - 마지막 검토: 2011. 5. 20. - 수정: 1

피드백