Forum Discussion

Steve Whitcher's avatar
Steve Whitcher
Bronze Contributor
Jun 02, 2021

Certificate based authentication to WPA2-Enterprise network

I've recently reimaged a v1 surface hub with the 20H2 image and this time configured it as AAD Joined rather than domain joined.  With it no longer domain joined, I am having trouble getting it to connect to our wireless network.  I have a WiFi configuration profile assigned to the hub from Intune along with a PKCS certificate profile.  The PKCS certificate profile assigns a computer certificate to the device, and the WiFi profile is set to use the certificate from that PKCS profile to authenticate to the network.  

When I try to connect to the wireless network from the surface hub, I get the message "Can't connect because you need a certificate to sign in".  Event logs on the hub show authentication failing with an Explicit EAP Failure, and EAP Root Cause string "The user certificate required for the network can't be found on the computer."
I am expecting the hub to authenticate using the computer certificate, not a user certificate.  I have confirmed on the CA that a computer certificate was issued for this hub after I assigned the profile.  
Has anyone else run into this?  Any suggestions as to what I'm doing wrong? 

5 Replies

  • HubBugFinder's avatar
    HubBugFinder
    Copper Contributor
    Aug 25, 2022

    Steve Whitcher - If anyone is having this issue I found a solution. It needs to be a User certificate or the WiFi profile can't find it. And also, if you join to azure ad while going through OOBE then Intune won't let you deploy a User cert to it. A way around this is to remove the device management account and re-add it, then the user cert should deploy.

    • gladiator201020's avatar
      gladiator201020
      Copper Contributor
      Nov 23, 2022

      HubBugFinder 

      Could you please advise how to make it a user certificate, I installed it as (current user) not (Local machine). But I still have same message "can't connect because you need a certificate to sign in".

       

      Could you please send me the procedure step by step

  • cezarcretu's avatar
    cezarcretu
    Icon for Microsoft rankMicrosoft
    Jun 02, 2021

    Hello Steve Whitcher,

     

    Did you also import the Root certificate? The full chain is required to trust the certificate since the hub doesn't have access to the Certificate Authority

     

    Thank you,

    Cezar  

    • Steve Whitcher's avatar
      Steve Whitcher
      Bronze Contributor
      Jun 02, 2021
      Yes, I have a trusted certificate profile that adds our CA certificate to the computer's trusted root store. I just double checked, and that profile has applied to the surface hub as well, and is also the one specified in the wifi profile as the root certificate for server validation.
      • cezarcretu's avatar
        cezarcretu
        Icon for Microsoft rankMicrosoft
        Jun 03, 2021
        Please open a support case as this requires log analysis

        Thank you,
        Cezar

Resources