
Setting up NPS to trust client certificates from an Issuing CA

Setting up the NPS server to authenticate clients by certificate (EAP-TLS) has a bit of mystery around it. It is easy, in the GUI, to select the certificate the NPS (RADIUS) server uses to identify itself to the clients. The other direction, which client certificates the server will accept, is not configured in the NPS server itself.

It is set in the “Configuration” container of Active Directory, in the NTAuthCertificates object: ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx

Domain members, including the NPS server, get a copy of this object automatically through the certificate autoenrollment mechanism (no Group Policy certificate “rules” have to be configured for this to happen). On the NPS server the copy ends up under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates. It is refreshed on the normal autoenrollment schedule, or immediately with certutil -pulse.

Notice that the certificate of the Issuing CA responsible for the client certificates needs to be placed in NTAuthCertificates; it will NOT work to simply put it in the local certificate store of the NPS server. Of course the Root CA certificate needs to be trusted as well (Trusted Root Certification Authorities), otherwise the chain cannot be built at all.

You can publish it like this (this writes to the Configuration naming context, so it needs Enterprise Admin rights or an equivalent delegation, and it replicates to every domain controller in the forest):

certutil -dspublish -f IssuingCA.cer NTAuthCA

If the Issuing CA is missing from NTAuthCertificates (while the Root CA is trusted), the typical error, for instance as the reason text of an NPS “denied access” event (Event ID 6273, reason code 295), is:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 

If you want to check which certificates are present in the local NTAuth store of the NPS server, you can do it like this:

certutil -viewstore -enterprise NTAuth
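The check a practitioner usually wants after publishing is twofold: has the local cache on the NPS server picked up what is in AD, and is the CA that issued a given client certificate actually in NTAuthCertificates. The following PowerShell script is an added example (not code from the original page) that does both. It assumes it runs on the domain-joined NPS server with read access to the Configuration naming context, and it takes an assumed path to a client certificate file (the default path below is just a placeholder):

```powershell
# Added example, not part of the original page: verify on the NPS server that
# (1) the NTAuthCertificates object in AD and the local NTAuth cache agree, and
# (2) the CA that issued a given client certificate is present in NTAuthCertificates.
# Assumptions: domain-joined Windows host, rights to read the Configuration naming
# context, and a client certificate (.cer, DER or PEM) at $ClientCertPath (placeholder path).
param(
    [string]$ClientCertPath = "C:\temp\client.cer"
)

function Get-NtAuthFromAd {
    # cACertificate on the NTAuthCertificates object is multi-valued; every value is one DER-encoded CA certificate.
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $dn       = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    $entry    = [ADSI]"LDAP://$dn"
    $certs    = @()
    foreach ($der in $entry.Properties["cACertificate"]) {
        $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
    return $certs
}

function Get-NtAuthFromLocalCache {
    # The autoenrollment client mirrors NTAuth into this key; each subkey is named after
    # the SHA-1 thumbprint of one CA certificate, so the key names are enough to compare.
    $key = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates"
    if (-not (Test-Path $key)) { return @() }
    return @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

$adCerts     = Get-NtAuthFromAd
$adThumbs    = @($adCerts | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
$localThumbs = Get-NtAuthFromLocalCache

"NTAuthCertificates in AD:"
$adCerts | ForEach-Object { "  {0}  {1}" -f $_.Thumbprint, $_.Subject }

# (1) AD vs. local cache: anything published but not yet replicated to this host.
$missingLocally = @($adThumbs | Where-Object { $localThumbs -notcontains $_ })
if ($missingLocally.Count -gt 0) {
    "Published in AD but not yet in the local cache (run 'certutil -pulse' or wait for autoenrollment):"
    $missingLocally | ForEach-Object { "  $_" }
} else {
    "Local NTAuth cache is in sync with AD."
}

# (2) Is the direct issuer of the client certificate in NTAuthCertificates?
if (Test-Path $ClientCertPath) {
    $client = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ClientCertPath)
    # Build the chain from the local machine stores. Revocation is skipped on purpose:
    # we only want the issuer's identity here, not a full validity decision.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($client)
    if ($chain.ChainElements.Count -lt 2) {
        "Could not find the issuer of '$($client.Subject)' in the local stores; install the Issuing CA and Root CA certificates first."
    } else {
        # ChainElements[0] is the client certificate itself, [1] is the CA that issued it.
        $issuer = $chain.ChainElements[1].Certificate
        if ($adThumbs -contains $issuer.Thumbprint.ToUpperInvariant()) {
            "OK: issuer '$($issuer.Subject)' is in NTAuthCertificates."
        } else {
            "NOT TRUSTED: issuer '$($issuer.Subject)' ($($issuer.Thumbprint)) is not in NTAuthCertificates."
            "Publish it with: certutil -dspublish -f <IssuingCA.cer> NTAuthCA"
        }
    }
} else {
    "No client certificate found at '$ClientCertPath'; skipped the issuer check."
}
```

Run it as, for example, .\Check-NtAuth.ps1 -ClientCertPath .\user.cer (script and file names are assumed). The script deliberately looks at the direct issuer (chain element 1) because, as described above, it is the Issuing CA of the client certificates that has to be in NTAuthCertificates, not just some CA higher in the chain. If you only want to look at the AD object itself rather than the local cache, certutil can read it by LDAP URL: certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx?cACertificate".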
nps/certificate/clientthrust.txt · Last modified: 2018/11/30 21:08 by admin