You're welcome, Eric, and thanks for sending the logs. A knowledgeable
member of the IAS/NPS team has reviewed the logs and here is his
conclusion:


****Begin quote*****

"The MakeAlert(49, Manual) is not the actual error, but rather the Error:
0x800b0112. This error translates to

# for hex 0x800b0112 / decimal -2146762478
CERT_E_UNTRUSTEDCA winerror.h
# A certification chain processed correctly, but one of the
# CA certificates is not trusted by the policy provider.
# 1 matches found for "0x800b0112"

So from the logs, I can tell the following things:

The client does send his certificate, the IAS server is rejecting it
because it does not trust the issuing CA of the client's cert. Are the
client certificates issued by the same CA that issued the IAS server it's
certificate? Are these certificates issued by a Microsoft CA or are they
from a 3rd party CA?

Beyond this, I would suggest that he open a support case. Without
detailed troubleshooting, it's going to be hard to determine what is wrong
with his configuration. To move forward, we would need copies of the certs
on the IAS and client as well as possibly getting netmon traces.
"
*****End quote****

So the question is whether your IAS server trusts the CA that issued the
client computer certificate.

This can get confusing, so here are the 3 types of certs in use when you
deploy EAP-TLS:

-- CA cert -- this cert must be in the Trusted Root Certification
Authorities (TRCA) certificate store in order for a client computer or
server to trust other certificates that the CA issues. After you deploy an
Enterprise CA, this cert is automatically issued to all domain member
computers. (But not to non-domain member computers.)
-- IAS server cert -- issued by the CA mentioned above to the IAS server
-- Client computer cert -- issued by the CA above to client computers

So the CA that issues both the server cert and the client certs must be the
same, and both the clients and the server must have the CA cert in the TRCA
stores for both the Local Computer and Current User.

If your IAS server is a non-domain member, you must manually install the CA
cert in the TRCA store.

In other words, to trust the issuing CA, all non-domain member computers
must have the cert installed in the TRCA stores for the Local Computer and
Current User;

You can install the cert by opening the Certificates Microsoft Management
Console (MMC) on any domain member computer, browsing to the TRCA store,
and exporting the certificate to floppy, USB flash drive, etc; then on the
non-domain member computer (client or server), you can open the
Certificates MMC (add both Local Computer and Current User stores to the
snap-in) and import the cert to the TRCA store.

Note: Don't try to drag and drop the cert between folders in the
Certificates snap-in or the key is broken and it won't work. You must use
Import and Export to move a certificate.

Hopefully this helps you, but if not I agree with my team member that you
should open a support case with customer support services.

Thanks, and let me know how it goes --

James