Answered NPS fails reason code 266

  • Monday, May 21, 2012 3:46 PM
     
     

    Hi,

    Recently I started getting complaints that internal wireless users couldn't connect to our internal network.  We have the following setup:

    Windows 2008 Server with NPS role installed - fully patched with the most current patches from MS.

    NetGear WNDAP350 Access Point

    The WNDAP350 AP is configured to use Radius and points to Windows 2008 server with NPS installed.

    This has all been working fine for several years but starting about two weeks ago I noticed that users were no longer able to connect using this AP.  I looked at the NPS logs and I see the following event in the event log now:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   DDD\User
     Account Name:   DDD\User
     Account Domain:   DDD
     Fully Qualified Account Name: DDD\User

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00-26-F2-F7-FE-A0:wirelessAP
     Calling Station Identifier:  88-53-2E-A0-C4-63

    NAS:
     NAS IPv4 Address:  172.16.0.246
     NAS IPv6 Address:  -
     NAS Identifier:   hello
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   0

    RADIUS Client:
     Client Friendly Name:  mywap
     Client IP Address:   172.16.0.246

    Authentication Details:
     Proxy Policy Name:  Use Windows authentication for all users
     Network Policy Name:  Secure Wireless Connections
     Authentication Provider:  Windows
     Authentication Server:  ADC1.ddd.com
     Authentication Type:  PEAP
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   266
     Reason:    The message received was unexpected or badly formatted.

    I haven't made any changes in the configuration other than applying the most recent set of MS patches that were released on the most recent patch Tuesday.  I thought maybe the problem was the AP so I replaced it with a backup and I still have the same problem.  Did the most recent MS patches break something? 

    Thanks in advance,
    Nick

All Replies

  • Wednesday, May 23, 2012 5:22 AM
    Moderator
     
     

    Hi Nick,

    Thanks for posting here.

May I know what authentication method we are using now? And could you show us the KB ID of the recently patched hotfixes?

Not sure if it is related, but we had a similar issue like yours recently in the link below; please verify and see if that is helpful:

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/cd2d5bc8-e89b-474e-a66f-007f20d93a8a/

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

  • Wednesday, May 23, 2012 6:36 PM
     
     

    Hi Tiger,

Thanks for the response.  It does seem that the problem started to happen after I applied KB931125.  Before applying that update, which appears to update Windows root certificates, I didn't have any errors in my event log about failed wireless connections.

The link you provided and the KB that it references, http://support.microsoft.com/kb/933430/, seem to match the problem I am having.  I tried to follow workaround method #1, which was to remove some of the trusted root certificates from my NPS server, but that didn't resolve the problem.  In my Trusted Root Certification Authorities node I currently have 366 certificates after I removed some.  I have about 10 or 15 that have expired, but I wasn't sure if it was OK to remove them.  Do you know what number of certificates I need to get down to?  Some of the certificates that are listed as expired are Microsoft ones, so I didn't know if it was OK to delete them.  Do I need to restart the server after deleting these certificates?

    Thanks,

    Nick

  • Wednesday, May 23, 2012 6:56 PM
     
     

    Hi Tiger,

I just checked my server and I was wrong on the number of certificates in my Trusted Root Certification Authorities node.  It is 336, not 366.  Sorry for the wrong initial information.

    Nick

  • Thursday, May 24, 2012 6:28 AM
    Moderator
     
     Answered

    Hi Nick,

Thanks for the update.

    Actually method 3 is the one we recommend in your scenario.  

And I'm still not sure what authentication method we are using now, and whether we are using a self-issued or third-party certificate?

    Windows Root Certificate Program - Members List (All CAs)

    http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

  • Friday, May 25, 2012 4:28 PM
     
     

    Hi Tiger,

Thanks for the update.  I made the change as described in method 3 and my internal wireless users can now connect successfully.  To answer your other questions, we are using a self-issued certificate; the NPS server is also our domain's Certificate CA.  In terms of the authentication, here is what a successful connection event shows in the log:

    Authentication Details:
     Proxy Policy Name:  Secure Wireless Connections
     Network Policy Name:  Secure Wireless Connections
     Authentication Provider:  Windows
     Authentication Server:  npsserver.mydomain.com
     Authentication Type:  PEAP
     EAP Type:   Microsoft: Secured password (EAP-MSCHAP v2)
     Account Session Identifier:  

    Thanks for all your help.

    Nick

  • Friday, December 14, 2012 10:20 AM
     
     

Hi Tiger,

We have the same issue with our AP. We cannot log in using PEAP authentication.

Can you please explain which Method 3 you are talking about in the above replies?

Thanks in advance.

    Regards,

    Sidharth M.

  • Friday, December 14, 2012 3:09 PM
     
     Proposed Answer

FYI: I used this thread also: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/cd2d5bc8-e89b-474e-a66f-007f20d93a8a/

The cleanup of the trusted root certs on the NPS server worked for me as well.  I used KBs 933430 and 293781.  I deleted any certs not in any list on my NPS server; I also kept the Public CAs of those we use...  The error stopped happening for my users then.

    Environment:

    NPS and ADCS on Server 2008 R2

NPS policy is configured to use MS-CHAPv2 with Windows authentication

I was seeing the following error for some users in the Network Policy and Access Services log:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID:  xx\yyy
    Account Name:  xx\yyy
    Account Domain: xx
    Fully Qualified Account Name: xx\yyy

    Client Machine:
    Security ID:  NULL SID
    Account Name:  -
    Fully Qualified Account Name: -
    OS-Version:  -
    Called Station Identifier: xx-xx-xx-xx-xx-xx:XX_WIFI
    Calling Station Identifier: xx-xx-xx-xx-xx-xx

    NAS:
    NAS IPv4 Address: x.x.x.x
    NAS IPv6 Address: -
    NAS Identifier: yyy
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port:  9196

    RADIUS Client:
    Client Friendly Name: xx
    Client IP Address: x.x.x.x

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: xx.yy.local
    Authentication Type: PEAP
    EAP Type:  -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code:  266
    Reason:  The message received was unexpected or badly formatted.


  • Sunday, February 03, 2013 7:20 PM
     
     

    Thanks so much.

I tried those things too.

    I deleted the expired certs and then did the registry editing in the section titled

    Method 3: Configure Schannel to no longer send the list of trusted root certificate authorities during the TLS/SSL handshake process

    To set this registry entry, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
    5. Right-click SendTrustedIssuerList, and then click Modify.
    6. In the Value data box, type 0 if that value is not already displayed, and then click OK.
    7. Exit Registry Editor.

on the page

    http://support.microsoft.com/kb/933430

    to fix my Server 2008 R2 Radius server which had about 360 trusted root certs when I started, and still had 320 after deleting the expired ones.

I decided to randomly delete more certs since it worked.

This is the first time I have gotten Vista to log in to my RADIUS server properly. I assume that my Win7 clients will also work now. Phones, iPads, and other non-Windows devices always worked with no problem. I thank you so much for posting in this thread, as I had never seen the connection before between trusted root certs and RADIUS failing. Clearly that isn't just a Server 2003 issue.
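The thread's two fixes, counting and pruning the Trusted Root store (Nick's posts) and the KB 933430 "Method 3" registry change quoted above, can both be checked and applied from PowerShell. The following is an added example, not code from the thread or from Microsoft's KB articles. It assumes an elevated PowerShell session on the NPS server with the built-in `Cert:` and registry providers; the `SendTrustedIssuerList` value and the SCHANNEL key path come from the steps quoted in the post above, while the 16 KB threshold used for the size estimate is an assumption to be checked against KB 933430. The audit function only lists expired roots; it deletes nothing.

```powershell
# Added example: audit the Trusted Root store on an NPS server and apply
# KB 933430 Method 3 (SendTrustedIssuerList = 0). Run elevated.

function Get-TrustedRootSummary {
    <#
      Estimates the size of the trusted-issuer list Schannel would send in the
      TLS CertificateRequest: one DER-encoded subject DN per trusted root, plus a
      2-byte length prefix each (assumed layout). Lists expired roots for review.
    #>
    [CmdletBinding()]
    param([int]$LimitBytes = 16KB)   # assumed threshold; verify against KB 933430

    $roots   = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    $now     = Get-Date
    $expired = @($roots | Where-Object { $_.NotAfter -lt $now })
    $listBytes = ($roots |
        ForEach-Object { $_.SubjectName.RawData.Length + 2 } |
        Measure-Object -Sum).Sum

    [pscustomobject]@{
        TotalRoots        = $roots.Count
        ExpiredRoots      = $expired.Count
        EstIssuerListSize = $listBytes
        OverLimit         = ($listBytes -gt $LimitBytes)
        Expired           = $expired | Select-Object Subject, NotAfter, Thumbprint
    }
}

function Get-SendTrustedIssuerList {
    # Reads the current Schannel setting. When the value is absent, the
    # server's default behaviour applies (on Server 2008/2008 R2 the issuer
    # list is sent, which is what Method 3 turns off).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $prop = Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not set (default)' }
    return $prop.SendTrustedIssuerList
}

function Set-SendTrustedIssuerList {
    # Applies KB 933430 Method 3: DWORD SendTrustedIssuerList = 0 stops
    # Schannel from sending the trusted root list during the handshake.
    # Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1)][int]$Value = 0)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    if ($PSCmdlet.ShouldProcess("$key\SendTrustedIssuerList", "set DWORD to $Value")) {
        New-ItemProperty -Path $key -Name SendTrustedIssuerList `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-SendTrustedIssuerList
}

# Usage: audit first, review the expired roots, then apply Method 3
# (drop -WhatIf once the dry run shows the intended change).
$summary = Get-TrustedRootSummary
$summary | Select-Object TotalRoots, ExpiredRoots, EstIssuerListSize, OverLimit | Format-List
$summary.Expired | Format-Table -AutoSize
"Current setting: $(Get-SendTrustedIssuerList)"
Set-SendTrustedIssuerList -Value 0 -WhatIf
```

Running the audit before touching the store gives the numbers the thread only had by hand (336 roots, "about 10 or 15" expired) and an estimate of the issuer-list size, so the registry change can be justified by data rather than by "randomly deleting" roots; setting the value to 1 later reverts to the default behaviour.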