NPS authentication fails after applying realm stripping rules

    Question

  • Hi.

    I have a pretty annoying problem which has been keeping me awake for several days now.

    I need to implement 802.1x network authentication for our wired infrastructure using one 2008 R2 server which is our NPS as well as our DC.

    Clients are using Windows 7.

    For a historical reason (pre-Windows 2000 domain name) the connection request User-Name RADIUS attribute contains a wrong domain name (domain1.xyz) and the server throws some 4400 events (domain controller not available). Following some posts, I am stripping away the wrong domain name, forcing the NPS to use the DefaultDomain value which I added to the registry beforehand.

    Hooray, the NPS suddenly established the LDAP connections with the correct domain (DefaultDomain, domain1.abc), but now the authentication fails (Reason Code 16: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect).

    The credentials are ok, verified in several other scenarios.

    It seems my stripping somehow modifies the authentication against the AD.

    Does anyone have an idea how to debug this situation further?

    Thanks

    With best regards

    Bax

    The related event:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            domain1.xyz\user
        Account Name:            user
        Account Domain:            domain1.abc
        Fully Qualified Account Name:    domain1.abc

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        MAC
        Calling Station Identifier:        MAC

    NAS:
        NAS IPv4 Address:        IP
        NAS IPv6 Address:        -
        NAS Identifier:             Name
        NAS Port-Type:            Ethernet
        NAS Port:            46

    RADIUS Client:
        Client Friendly Name:        Name
        Client IP Address:            IP

    Authentication Details:
        Connection Request Policy Name:    xyz Secure Wired (Ethernet) Connections
        Network Policy Name:        xyz Secure Wired (Ethernet) Connections
        Authentication Provider:        Windows
        Authentication Server:        DC.domain1.abc
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    • Edited by Baxter21 Thursday, September 15, 2011 9:01 AM
    Thursday, September 15, 2011 8:38 AM

All replies

  • Hi Baxter21,

    Thank you for your post.

    Fully Qualified Account Name:    domain1.abc
     
    Based on your description, you want domain1.xyz\user to authenticate against DC.domain1.abc, but the log's FQAN just shows domain1.abc without a user account. Please perform two steps to resolve your issue:
    1. Set up a realm name rule on the NPS server instead of using the Default Domain registry value:
    Edit your NPS connection request policy > Settings > Specify a Realm Name > Attribute: select User-Name > click Add > enter Find: domain1.xyz, Replace: domain1.abc > click OK
    2. Ensure the user account in domain1.abc has the same password as the one in domain1.xyz.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Friday, September 16, 2011 9:03 AM
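    An added illustrative model (not NPS code and not from any poster in this thread) of how the two approaches discussed here change what the Windows authentication provider ends up looking up: the replace rule from the reply above versus the strip rule plus DefaultDomain fallback from the question. The regex patterns, the DOMAIN\account / account@realm split and the sample User-Name values are assumptions, not the NPS implementation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RealmRule:
    """One NPS 'Specify a Realm Name' rule: a regex to find and its replacement.
    Hypothetical model of the NPS attribute-manipulation step, not NPS code."""
    find: str
    replace: str


def apply_realm_rules(user_name: str, rules: Iterable[RealmRule]) -> str:
    """Apply the find/replace rules to the User-Name attribute, in order."""
    for rule in rules:
        user_name = re.sub(rule.find, rule.replace, user_name)
    return user_name


def split_identity(user_name: str, default_domain: str) -> Tuple[str, str]:
    """Interpret the (rewritten) User-Name as (domain, account).
    DOMAIN\\account and account@realm carry their own domain; a bare account
    falls back to the DefaultDomain registry value, as described in the question."""
    if "\\" in user_name:
        domain, _, account = user_name.partition("\\")
        return domain, account
    if "@" in user_name:
        account, _, domain = user_name.partition("@")
        return domain, account
    return default_domain, user_name


def effective_identity(user_name: str, rules: List[RealmRule],
                       default_domain: str) -> Tuple[str, str]:
    """Domain and account the auth provider would use after realm manipulation."""
    return split_identity(apply_realm_rules(user_name, rules), default_domain)


# Constructed sample values taken from the thread: domain1.xyz is the legacy
# name the supplicant sends, domain1.abc is the real DNS domain / DefaultDomain.
DEFAULT_DOMAIN = "domain1.abc"
SENT = r"domain1.xyz\user"

# Replace approach: rewrite the realm (the '.' is escaped so it matches literally).
REPLACE_RULES = [RealmRule(r"domain1\.xyz", "domain1.abc")]

# Strip approach: drop everything up to the backslash (and any @realm suffix),
# then rely on DefaultDomain for the domain part.
STRIP_RULES = [RealmRule(r"^.*\\", ""), RealmRule(r"@.*$", "")]

if __name__ == "__main__":
    for label, rules in (("no rule", []), ("replace", REPLACE_RULES), ("strip", STRIP_RULES)):
        print(label, effective_identity(SENT, rules, DEFAULT_DOMAIN))
```

    With no rule the lookup targets the unresolvable domain1.xyz; both rule sets end at domain1.abc\user, which is why a remaining Reason Code 16 points at the account or password rather than the realm rewrite.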
  • Hi Baxter21,

    Can you please give more details to help understand the issue below:

          For a historical reason (pre windows 2000 domain name) the connection request user name radius attribute contains a wrong domain name (domain1.xyz

    Please share traces (%windir%\tracing) from both client and server:

        1. netsh ras set tracing * dis
        2. Delete the logs under %windir%\tracing
        3. netsh ras set tracing * en
        4. Reproduce the failure case
        5. Save the logs under %windir%\tracing


    Sanjai G [MSFT] This is just a suggestion. Microsoft doesn't own any liability or responsibility for any of my postings.
    Tuesday, September 20, 2011 6:35 AM
  • Hi Baxter21,

    Thank you for your post.

    Fully Qualified Account Name:    domain1.abc
     
    Based on your description, you want domain1.xyz\user to authenticate against DC.domain1.abc, but the log's FQAN just shows domain1.abc without a user account. Please perform two steps to resolve your issue:
    1. Set up a realm name rule on the NPS server instead of using the Default Domain registry value:
    Edit your NPS connection request policy > Settings > Specify a Realm Name > Attribute: select User-Name > click Add > enter Find: domain1.xyz, Replace: domain1.abc > click OK
    2. Ensure the user account in domain1.abc has the same password as the one in domain1.xyz.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan


    Hi. Thank you for your reply.

    I already tried this without any success. It does not matter whether I replace domain1.xyz with domain1.abc; the NPS always tries to establish the LDAP connection with domain1.xyz and fails to find the DC.

    The only successful LDAP connection is established if I strip away the realm and the NPS takes it from the default registry entry.

    Thanks for helping

    With best regards

    Bax


    • Edited by Baxter21 Thursday, September 22, 2011 10:09 AM
    Thursday, September 22, 2011 10:08 AM
  • Hi Baxter21,

    Can you please give more details to help understand the issue below:

          For a historical reason (pre windows 2000 domain name) the connection request user name radius attribute contains a wrong domain name (domain1.xyz

    Please share traces (%windir%\tracing) from both client and server:

        1. netsh ras set tracing * dis
        2. Delete the logs under %windir%\tracing
        3. netsh ras set tracing * en
        4. Reproduce the failure case
        5. Save the logs under %windir%\tracing


    Sanjai G [MSFT] This is just a suggestion. Microsoft doesn't own any liability or responsibility for any of my postings.


    Hi.

    I think the underlying problem is a pre-Windows 2000 NetBIOS name with a period in it (dotted NetBIOS name). Due to a lot of migrations, I am now fighting this problem within a 2K8 R2 forest/domain.

    With best regards

    Bax

    Thursday, September 22, 2011 10:52 AM