We have a Windows 2012 server accepting VPN connections over SSTP and authenticating them using the Network Policy Server feature on the same server. For client authentication we've set it up to require certificates, which is working well. Too well, actually. The problem is that it accepts any client certificate if the server trusts the root CA in the chain. This means it not only accepts the smart card certificates (issued by a CA that we've manually added to the trust store), but also "soft" certificates issued by our internal CA and stored on the client computers.
This behavior is undesirable, as we want to require everyone to use an actual smart card when connecting to the VPN server. Is there any way to force this? Make the NPS server only trust a specific CA? Or check some specific attribute on the certificate?