hostname variable for FQDN

k3vmo
Contributor II

My current site utilizes a Network Policy Server (NPS) for authentication to the tightly controlled Wi-Fi.

The Wi-Fi is EAP and uses machine authentication through NPS.

I have that part working properly. I was able to create a profile that polls the AD server and retrieves the machine certificate from Active Directory.

All systems are bound to the domain in this environment.

However, I have to use two profiles and can't seem to find a pattern as to why.

One profile simply has %Host% in the payload, and in the NPS log it authenticates as host.domain.com. However, I have some systems that fail to authenticate: they come back in the NPS log with a Null SID error (object not found), and that object only shows as host, without the domain appended to it.

The Windows admin team indicates that it will only authenticate via the FQDN.

It seems odd that some resolve on NPS with the FQDN but others only with the local hostname.

Is there a variable instead of %Host% I can use to send the FQDN (Fully qualified domain name) to NPS?

Is %AD_DomanNameDns% still valid? If so, would that pass the FQDN?


PatrickD
Contributor II

Hmm interesting. When you say "One profile simply has %Host% in the payload" is that the Config Profile in Jamf or the NPS profile? Assuming NPS.

merps
Contributor III

This may or may not be helpful, but we're using SCEP proxy to request our certificates with a Jamf config profile.

In the SCEP payload:
Certificate Subject: CN=$COMPUTERNAME.domain.com
Subject Alternate Name Type: RFC 822 Name
Subject Alternate Name Value: host/$COMPUTERNAME.domain.com
NT Principal Name: <leave this blank>

I found the host/$COMPUTERNAME format by looking at the certificate on one of our Windows laptops.

Then in the Network Payload, at the bottom, identity certificate is the SCEP Proxy cert from the dropdown.

k3vmo
Contributor II

I apologize, I should have been more detailed. We have a macOS profile.

The profile has the information about the Active Directory Certificate Server and the certificate template.
The profile also has the Network payload with the SSID and Security Type, and with EAP-TLS the username field becomes available. I entered %Host% there.

Although not 'required', it passes the hostname through as the username.

NPS checks to see if the system can provide a certificate (which it already got from Active Directory using this profile).
It then looks for the fully qualified domain name.

Despite the fact that all systems are running 10.13.6, are all bound to Active Directory and are in the same group, some systems authenticate correctly in NPS by presenting the entire fully qualified domain name.

It 'seems' as if in some cases %Host% passes the FQDN and in some cases it only passes the NetBIOS name.

That's why I'm wondering if I need to have the system pass the FQDN differently.

PatrickD
Contributor II

Ahh, I see. In that case, I would go with what @merps has said. Instead of using %Host%, use $COMPUTERNAME.domain.com.

That should make it appear as the FQDN for all those machines.

Let us know how you go.
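As an added example (not code from the thread or from Jamf), the check below classifies the identity a client presents to NPS as FQDN, bare NetBIOS/host name, or foreign suffix, and builds the SCEP Subject / SAN values from merps' post without doubling the suffix when the computer name is already qualified; `domain.com` and the sample names are assumed placeholders.

```python
import re

AD_DNS_DOMAIN = "domain.com"  # assumption: stand-in for the site's AD DNS domain

# one DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def classify_identity(identity, domain=AD_DNS_DOMAIN):
    """How NPS will see the name a client sends as its EAP identity.

    'fqdn'    host.domain.com, the form the AD computer object matches on
    'short'   bare NetBIOS/host name (the thread's 'Null SID' symptom)
    'other'   qualified with a different suffix, e.g. .local
    'invalid' not a syntactically valid DNS name
    A 'host/' service-principal prefix (the SAN form) is stripped first.
    """
    name = identity.strip().lower().rstrip(".")
    if name.startswith("host/"):
        name = name[len("host/"):]
    labels = name.split(".")
    if not all(_LABEL.match(lbl) for lbl in labels):
        return "invalid"
    if len(labels) == 1:
        return "short"
    return "fqdn" if name.endswith("." + domain.lower()) else "other"


def scep_subject_values(computer_name, domain=AD_DNS_DOMAIN):
    """SCEP payload values in the layout merps describes, for one computer name.

    The domain is appended only when the name is not already qualified, so a
    $COMPUTERNAME that already carries the suffix is not turned into host.x.x.
    """
    host = computer_name.strip().rstrip(".")
    fqdn = host if host.lower().endswith("." + domain.lower()) else f"{host}.{domain}"
    if classify_identity(fqdn, domain) != "fqdn":
        raise ValueError(f"cannot build a valid FQDN from {computer_name!r}")
    return {"subject": f"CN={fqdn}", "san_type": "RFC 822 Name",
            "san_value": f"host/{fqdn}"}


def audit_identities(identities, domain=AD_DNS_DOMAIN):
    """Return (identity, verdict) for every name that is not a usable FQDN."""
    return [(i, classify_identity(i, domain)) for i in identities
            if classify_identity(i, domain) != "fqdn"]


if __name__ == "__main__":
    # constructed sample: user-name values as four clients might present them
    sample = ["mac-001.domain.com", "MAC-002", "mac-003.local", "host/mac-004.domain.com"]
    for ident, verdict in audit_identities(sample):
        print(f"{ident}: {verdict}")
```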