Affected versions: Windows Server 2019

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

VPN and 802.1X clients fail RADIUS authentication, causing broad remote and network access interruptions.

Environment & Reproduction

NPS on Windows Server 2019, after the server authentication certificate has been replaced.

Get-ChildItem Cert:\LocalMachine\My | Where-Object EnhancedKeyUsageList -match 'Server Authentication'

Root Cause Analysis

NPS is still bound to the old or an invalid certificate, or the client trust chain is incomplete.

Quick Triage

Check the NPS event log and the certificate's validity period.

Get-WinEvent -LogName 'System' -MaxEvents 50 | Where-Object ProviderName -in 'IAS','Schannel'

Step-by-Step Diagnosis

Validate the certificate thumbprint, EKU, and private key availability in the NPS service account context.

certutil -store my
netsh nps show config

Solution — Primary Fix

Bind NPS to the renewed certificate and restart the NPS service.

net stop ias
# Re-select certificate in NPS console for PEAP/EAP profiles
net start ias

Solution — Alternative Approaches

Deploy a new certificate template with explicit NPS usage and an autoenrollment policy.

gpupdate /force
certutil -pulse

Verification & Acceptance Criteria

Authentication succeeds for test users and NPS logs show Access-Accept outcomes.

Get-WinEvent -LogName Security -MaxEvents 50 | Where-Object Message -match 'Network Policy Server granted access'

Rollback Plan

Rebind the prior certificate if the new certificate's chain is not trusted by clients.

certutil -store my

Prevention & Hardening

Track certificate expiry and test renewed certificates in staging before production cutover.

Get-ChildItem Cert:\LocalMachine\My | Select Subject,NotAfter,Thumbprint
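
The diagnosis and expiry-tracking checks above, combined into one audit pass as an added example (not from the original page): for each certificate in the machine store it reports thumbprint, Server Authentication EKU, private key flag, days to expiry, and chain status as built on the NPS server. The 30-day warning threshold and the output property names are assumptions; the script does not check the private key ACL for the NPS service account or trust on the clients.

```powershell
# Added example: audit candidate NPS server certificates in LocalMachine\My.
# Run in an elevated session on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$warnDays      = 30                    # assumed warning threshold, adjust to policy
$now           = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Read the EKU OIDs from the certificate extension itself.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $hasServerAuth = $ekuOids -contains $serverAuthOid

    # Build the chain as this server sees it (revocation is checked online by default).
    # Clients validate against their own trust stores, so test those separately.
    $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk     = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $daysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ServerAuthEku = $hasServerAuth
        HasPrivateKey = $cert.HasPrivateKey   # key association only, not ACL access
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        ExpiringSoon  = $inValidity -and ($daysLeft -le $warnDays)
        ChainOk       = $chainOk
        ChainErrors   = $chainErrors
        # Candidate for NPS binding only if every server-side check passes.
        Usable        = $hasServerAuth -and $cert.HasPrivateKey -and $inValidity -and $chainOk
    }
} | Sort-Object DaysLeft
```

Compare the Thumbprint of the row marked Usable with the certificate selected in the PEAP/EAP profile; a mismatch means NPS is still bound to the previous certificate.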

Related Errors & Cross-Refs

Related to Schannel trust failures and revoked intermediate CA certificates.

References & Further Reading

Microsoft Learn: NPS certificate requirements and PEAP troubleshooting.
