02-25-2008 10:36 PM
I am testing on my lab UAC deployment. Can we disable the validate server cert on the OAC user profile? Because if validate is "checked", OAC cannot authenticate to the IC.
I cannot disable it, but can only change from EAP-TTLS to EAP-PEAP.
02-26-2008 04:06 AM
02-26-2008 09:04 AM
You are probably missing a Trusted Server entry, or you have not added the cert to your user's "Trusted Root Certificate Authority" store. That would explain why the validate server certificate is causing your client to fail.
If you are trying to change the OAC configuration that gets pushed from the IC then no, that is not possible.
What you could do, other than making sure to add the self-signed certificate to your "Trusted Root Certificate Authority" store, would be to generate a CSR and sign it with some external authority that already exists on your workstation. Alternatively, you could sign the CSR with some local CA server, and then upload the root cert into the IC's Trusted Server CAs.
Then when OAC gets pushed to the endpoint, you should also see a certificate pushed from the IC and added to the user's "Trusted Root Certificate Authority" store, as well as a trusted servers entry added in OAC.
If you are trying to disable "validate server certificate" at GINA time (the Windows Logon Screen using the OAC GINA module), you cannot. You must validate the server certificate at GINA time; this is a security feature of OAC. You can only disable "validate server certificate" at the desktop or machine authentication.
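A lab sketch of the two options in the reply above (trusting the self-signed certificate directly, or signing a CSR with a local CA and trusting that CA's root), added here as an example and not part of the original thread or of any Juniper tooling. It uses OpenSSL to stand in for the client's trust decision; the names `Lab Root CA` and `ic.lab.example` and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: shows why "validate server certificate" fails until the
# client trusts the issuer. Subject names and file names are placeholders.

make_lab_pki() {
    dir=$1
    # Local lab CA: ca.crt is the root you would import as a trusted root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and CSR (the request you would generate for the server).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ic.lab.example" \
        -keyout "$dir/ic.key" -out "$dir/ic.csr" 2>/dev/null || return 1
    # Sign the CSR with the lab CA.
    openssl x509 -req -in "$dir/ic.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ic.crt" 2>/dev/null || return 1
    # A self-signed server certificate, for comparison.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ic.lab.example" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null || return 1
}

# client_trusts TRUST_ANCHOR CERT
# Returns 0 only if CERT chains to TRUST_ANCHOR, which is the check a
# validating client performs against its trusted root store.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
    if client_trusts "$2" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

demo=$(mktemp -d)
if make_lab_pki "$demo"; then
    report "CA-signed cert, lab root trusted" "$demo/ca.crt" "$demo/ic.crt"
    report "self-signed cert, only lab root trusted" "$demo/ca.crt" "$demo/self.crt"
    report "self-signed cert, added to trust store" "$demo/self.crt" "$demo/self.crt"
fi
rm -rf "$demo"
```

The middle case is the failure described in the question: the server certificate is well formed, but nothing in the client's trust store vouches for it.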