Event ID 3, Reason-Code 5, Reason = The user account domain cannot be accessed.

Question

  • Hello,
    I am trying to set up NAP enforcement with the NAP_802.1X_StepByStep_1.1.doc guide and get this error when I try to authenticate: Event ID 3, Reason-Code 5, Reason = The user account domain cannot be accessed.

    DC1 is up and running, but I am not sure why I am getting this error.
    Does anyone have any suggestions?

    T.I.A.
    Monday, August 13, 2007 7:16 PM

Answers

  • Hi,

     

    That's interesting. It does appear that the client is trying to log in to just the IAS domain instead of IAS.ABC.

     

    I'd like to try a built-in account and see if this has the same problem. Try logging off, click switch user, other user, and log on with User name of ias.abc.com\Administrator, providing the local administrator password. This should still log you into the domain, but with a built-in account.

     

    If this doesn't work, I will have to investigate further. Chris Edson frequently answers questions in this forum and is very good with 802.1X issues. I'll see if I can get him to assist. When I use the Administrator account, here is the debug output from the switch (same as before but with the Administrator acct):


    06:00:01: AAA/MEMORY: create_user (0x80CBAE18) user='CONTOSO\Administrator' ruser='CONTOSO\Administrator' port='FastEthernet0/1' rem_addr='00-06-5B-A6-51-33/00-0D-28-C0-48-41' authen_type=EAP service=802.1x priv=1
    06:00:01: AAA/AUTHEN/START (2985029029): port='FastEthernet0/1' list='Dot1x Acc List' action=LOGIN service=802.1x
    06:00:01: AAA/AUTHEN/START (2985029029): using "default" list
    06:00:01: AAA/AUTHEN/START (2985029029): Method=NPS (radius)
    06:00:01: AAA/AUTHEN (2985029029): status = GETDATA
    06:00:01: AAA/AUTHEN/CONT (2985029029): continue_login (user='CONTOSO\Administrator')

     

    NPS events also show a successful authentication with the Administrator account.

     

    -Greg

    Wednesday, August 15, 2007 2:13 AM

All replies

  • Hi,

     

    Check the list of domain computers on the DC and make sure your client was successfully added to the domain. If you are using Vista Home, this may be the problem. I might be leaving something out, but I think you need Business, Enterprise, or Ultimate to join a domain.

     

    Let me know if this helps.

     

    -Greg

    Monday, August 13, 2007 9:54 PM
  • Hi,

    Well, I've checked the above: the client is Vista Business and client1 was able to join the domain successfully, and I am still getting the same reason error. Any other suggestions?

    In the Event properties, the Authentication-Server = <nps server>; is this correct, or should the Authentication Server be the DC? I am confused because the account resides on the DC. How does NPS communicate with the DC to verify the account? Are there any special settings I have to do for the domain user account that is used to log on to client1?

    Thanks.
    Tuesday, August 14, 2007 7:31 PM
  • Hi,

     

    NPS opens an LDAP connection with the DC to authenticate the user. This is NPS event ID 4400 I believe. Please check for this event in the System log on NPS1. The authentication server is NPS, so this looks correct. There isn't anything special about the account used to log on. In the step by step guide I use an account with domain admin rights to enable configuration of the NAP client settings.

     

    Does your setup differ from the test lab in the step by step guide in any way? Please provide:

    • The domain and user account(s) that you are using to log into NPS and the client machine.
    • The OS version you are running on your DC (WS03?) and NPS (WS08 Beta 3?)
    • The switch or AP you are using.
    • Any additional warning or error events on DC1 and NPS1.
    • Output of "netsh nps show config" issued from an elevated command prompt.

    Also please verify connectivity from NPS1 to DC1. You should be able to ping DC1 from NPS1. You can't do it the other way around because the firewall is up by default on the 2008 machine and will block ping. If you are using a Server 2008 machine for the DC, it's possible the firewall may be interfering, but I think this would give a different event message (i.e. timeout).

     

    If you are using local file logging, you may also wish to check the IAS log (by default in the Windows\System32\LogFiles directory). The 7th entry in my database-compatible formatted log displays the domain and user account used to authenticate: "Contoso.com/Users/user 1."

     

    -Greg

    Tuesday, August 14, 2007 9:04 PM
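Greg's pointer to the database-compatible (ODBC) IAS log is worth automating: the 7th field shows whether NPS resolved the account against a domain (a canonical name such as `contoso.com/Users/user 1`) or left it as the `DOMAIN\user` string the client sent. The Python below is an added example, not code from this thread or from Microsoft. It assumes the documented field order of the database-compatible format (Packet-Type in field 5, User-Name in field 6, Fully-Qualified-Distinguished-Name in field 7, Reason-Code in field 26; the Reason-Code position in particular should be verified against your NPS version) and runs on constructed sample rows, one of which mirrors this thread's `IAS\iasuser1` case.

```python
import csv
import io
from collections import Counter

# 1-based field positions in the NPS "database-compatible" (ODBC) log format.
# Field 7 (Fully-Qualified-Distinguished-Name) is the entry Greg refers to.
# Packet-Type (5) and Reason-Code (26) follow the documented layout; they are
# assumptions here, so adjust them if your NPS version lays the file out differently.
FIELD_PACKET_TYPE = 5
FIELD_USER_NAME = 6
FIELD_FQDN = 7
FIELD_REASON_CODE = 26

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}

# Constructed sample rows in the database-compatible layout (not a real log).
# Row 1 mirrors the thread: field 7 still reads IAS\iasuser1, so NPS never mapped
# the account to a domain object, and Reason-Code 5 is recorded.
# Row 2 shows a resolved account in canonical form, as in Greg's own log.
# Row 3 is a machine (computer) authentication with no reason code yet.
SAMPLE_LOG = "\n".join([
    r'"NPS1","IAS",08/14/2007,14:22:01,1,"IAS\iasuser1","IAS\iasuser1",,,,,,"172.30.2.54",,"0","172.30.2.54","cisco54",,,"15",,,,,,5',
    r'"NPS1","IAS",08/14/2007,14:25:10,2,"CONTOSO\user1","contoso.com/Users/user 1",,,,,,"172.30.2.54",,"0","172.30.2.54","cisco54",,,"15",,,,,,0',
    r'"NPS1","IAS",08/14/2007,14:26:33,1,"host/npsclient1.ias.abc.com","host/npsclient1.ias.abc.com",,,,,,"172.30.2.54",,"0","172.30.2.54","cisco54",,,"15",,,,,,',
])


def account_form(fqdn):
    """Classify the shape of the Fully-Qualified-Distinguished-Name field."""
    if not fqdn:
        return "absent"
    if fqdn.lower().startswith("host/"):
        return "machine"        # computer account (host/fqdn)
    if "/" in fqdn:
        return "canonical"      # domain.tld/Container/user: NPS resolved the domain
    if "\\" in fqdn:
        return "netbios"        # DOMAIN\user left exactly as sent: domain not resolved
    if "@" in fqdn:
        return "upn"
    return "bare"


def _field(row, pos):
    return row[pos - 1] if len(row) >= pos else ""


def parse_ias_log(text):
    """Return one dict per log row with the fields relevant to this failure."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        fqdn = _field(row, FIELD_FQDN)
        ptype = _field(row, FIELD_PACKET_TYPE)
        records.append({
            "packet_type": PACKET_TYPES.get(ptype, ptype),
            "user": _field(row, FIELD_USER_NAME),
            "fqdn": fqdn,
            "form": account_form(fqdn),
            "reason_code": _field(row, FIELD_REASON_CODE),
        })
    return records


def unresolved_domains(records):
    """Count requests whose account stayed in DOMAIN\\user form, keyed by the
    domain label NPS could not map to a DC (the Reason-Code 5 case)."""
    counts = Counter()
    for rec in records:
        if rec["form"] == "netbios":
            counts[rec["fqdn"].split("\\", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    recs = parse_ias_log(SAMPLE_LOG)
    for rec in recs:
        reason = rec["reason_code"] or "-"
        print(f'{rec["packet_type"]:18} {rec["form"]:10} reason={reason:3} {rec["fqdn"]}')
    print("unresolved domain labels:", dict(unresolved_domains(recs)))
```

Run against a real `IN*.log`, the `unresolved_domains` counter tells you at a glance which domain label NPS is failing to map; in this thread that would be `IAS`, the NetBIOS name of the child domain ias.abc.com.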
  • Well besides the different IP range, user account names, dc names, and vlan ids, OSs are all the same.
    -DC is WS03 Enterprise with Service Pack 2. NPS is WS08 Beta 3 (32 bit).
    -Switch, using cisco 2950
    -Event ID: only 4400 and 3
    -NPS1 can ping DC okay.
    -7th entry in log file: "IAS\iasuser1"
    -Output of netsh nps show config (from NPS server, below).

    ---content of Event ID 3---
    Access request for user IAS\iasuser1 was discarded.
     Fully-Qualified-User-Name = IAS\iasuser1
     Machine-Name = <not present>
     OS-Version = <not present>
     NAS-IP-Address = 172.30.2.54
     NAS-IPv6-Address = <not present>
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = <not present>
     Client-Friendly-Name = cisco54
     Client-IP-Address = 172.30.2.54
     Client-IPv6-Address = <not present>
     NAS-Port-Type = Async
     NAS-Port = <not present>
     Connection-Request-Policy-Name = NAP 802.1X (Wired)
     Policy-Name = <undetermined>
     Authentication-Provider = Windows
     Authentication-Server = NPS1.ias.abc.com
     Account-Session-Identifier=<not present>
     Reason-Code = 5
     Reason = The user account domain cannot be accessed.


    ---output of netsh...


    Client configuration:
    ---------------------------------------------------------
    Name                = cisco54
    Address             = 172.30.2.54
    State               = Enabled
    Shared secret       = removed
    Require auth attrib = Yes
    NAP capable         = No
    Vendor              = RADIUS Standard

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Use Windows authentication for all users
    State            = Disabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired)
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^0$|^15$|^19$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    EAP-Configuration                       0x1fa2      "190000000000000000000000000000005C020000020000005C0200000300000014000000B08F4F32C63F80C0264DA799F0B0F7DDD24DFC600100000001000000340200001A000000000000000200000004000000030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4"
    Override-RAP-Auth                       0x1fb0      "TRUE"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Daily logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f     

        ===============================================================
        IPFILTER_IPV4INFILTER    Action: DENY
        ---------------------------------------------------------------
        Address . . . . . : 0.0.0.0
        Mask. . . . . . . : 0.0.0.0
        Protocol. . . . . : 0
        Source Port . . . : 0
        Destination Port. : 0
        ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired) Compliant
    State            = Enabled
    Processing order = 3
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP 802.1X (Wired) Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "14"
    Tunnel-Type                             0x40        "0xd"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired) Noncompliant
    State            = Enabled
    Processing order = 4
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP 802.1X (Wired) Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "13"
    Tunnel-Type                             0x40        "0xd"
    MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
    MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired) Non NAP Capable
    State            = Enabled
    Processing order = 5
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^1$"
    Condition1                              0x100c      "172.30.2.54"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "13"
    Tunnel-Type                             0x40        "0xd"

    Server registration:
    ---------------------------------------------------------
    Status = Un-registered

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator
     
    Vendor                         = Microsoft Corporation
     
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.
     
    Version                        = 1.0
     
    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    SHV template configuration:
    ---------------------------------------------------------
    Name          = NAP 802.1X (Wired) Compliant
    Configuration = All must pass
    Id            = 79744

    SHV template configuration:
    ---------------------------------------------------------
    Name          = NAP 802.1X (Wired) Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     = 
    Description                    = 
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.


    Tuesday, August 14, 2007 10:22 PM
  • Hi,

     

    There are several things configured differently than the step by step guide, but none of them should cause the error you are seeing. Most of the differences are in network policy, but the authentication fails at connection request policy.

     

    One thing I noticed in connection request policy is the condition doesn't seem to be a Client IPv4 address (in your case) of 172.30.2.54. What is the condition you are using? This probably isn't what is causing the problem, but I'm curious what it is. The config shows that it has a value of "^0$|^15$|^19$".

     

    Your problem appears to revolve around the domain IAS.ABC.COM and the fact that the client reports that it is logging in with a user in just the IAS domain (IAS\iasuser1).

     

    What is the fully qualified domain name of the client machine?

     

    I spoke to one of our engineers, and he suggests verifying settings on the Authentication tab of the Local Area Connection properties.

     

    On the client, right-click the network connection, click the Authentication tab, make sure that Enable IEEE 802.1X authentication is checked, and the chosen network authentication method is PEAP, then click Settings. Validate server certificate should be checked, and under Select Authentication Method, you should have checked Enable Quarantine checks. The Authentication Method should be Secured password (EAP-MSCHAP v2) - click Configure next to this and make sure that Automatically use my Windows logon name and password (and domain if any) is selected.

     

    -Greg

     

    Tuesday, August 14, 2007 11:41 PM
  • For the connection request policy, the condition is: Nas Port Type Async OR Ethernet OR Wireless.

    -FQDN of client machine is npsclient1.ias.abc.com (when connected via an open port, client machine can ping DC by FQDN and vice versa).

    I checked the client machine's authentication settings already; all are as you mention above, and still no go.
    Any ideas why my client machine reports the login domain as IAS\iasuser1 and not what you have, "<domain.com>/Users/<username>" ("ias.abc.com/Users/iasuser1")?

    Wednesday, August 15, 2007 12:02 AM
  • Hi,

     

    I would double-check that your client is sending the incorrect domain to the switch. On the 2950, issue a "debug aaa authentication" command, then unplug and plug the client into a dot1X port. You should see something like:

     

    04:14:33: AAA/MEMORY: create_user (0x80D09554) user='CONTOSO\user1' ruser='CONTOSO\user1' port='FastEthernet0/1' rem_addr='00-06-5B-A6-51-33/00-0D-28-C0-48-41' authen_type=EAP service=802.1x priv=1
    04:14:33: AAA/AUTHEN/START (367017375): port='FastEthernet0/1' list='Dot1x Acc List' action=LOGIN service=802.1x
    04:14:33: AAA/AUTHEN/START (367017375): using "default" list
    04:14:33: AAA/AUTHEN/START (367017375): Method=NPS (radius)
    04:14:33: AAA/AUTHEN (367017375): status = GETDATA
    04:14:33: AAA/AUTHEN/CONT (367017375): continue_login (user='CONTOSO\user1')

     

    Type "no debug AAA authentication" to turn debug back off. This should confirm whether or not it is a client problem.

     

    If it appears the client isn't sending the right domain to the switch, then I would verify the System properties. Check that Computer name is npsclient1 and Full computer name is npsclient1.ias.abc.com, and the Domain is ias.abc.com. Pinging by FQDN means that DNS is set up correctly, but the client could still have a configuration problem.

     

    -Greg

    Wednesday, August 15, 2007 12:37 AM
  • I've checked the client machine System Properties, Computer Name tab and yes, Full Computer name is npsclient1.ias.abc.com and domain is ias.abc.com. I really appreciate all the quick responses, thanks Greg.

    Below is the switch's debug info:

    6d23h: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
    6d23h: AAA: parse name=FastEthernet0/18 idb type=-1 tty=-1
    6d23h: AAA: name=FastEthernet0/18 flags=0x15 type=7 shelf=0 slot=0 adapter=0 port=18 channel=0
    6d23h: AAA: parse name=<no string> idb type=-1 tty=-1
    6d23h: AAA/MEMORY: create_user (0x80D66B78) user='IAS\iasuser1' ruser='IAS\iasuser1' port='FastEthernet0/18' rem_addr='' authen_type=EAP service=802.1x priv=1
    6d23h: AAA/AUTHEN/START (1542044121): port='FastEthernet0/18' list='Dot1x Acc List' action=LOGIN service=802.1x
    6d23h: AAA/AUTHEN/START (1542044121): using "default" list
    6d23h: AAA/AUTHEN/START (1542044121): Method=radius (radius)
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN/CONT (1542044121): continue_login (user='IAS\iasuser1')
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN (1542044121): Method=radius (radius)
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN/CONT (1542044121): continue_login (user='IAS\iasuser1')
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN (1542044121): Method=radius (radius)
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN/CONT (1542044121): continue_login (user='IAS\iasuser1')
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    6d23h: AAA/AUTHEN (1542044121): Method=radius (radius)
    6d23h: AAA/AUTHEN (1542044121): status = GETDATA
    Wednesday, August 15, 2007 1:01 AM
  • Well, the logon is okay, but the authentication still failed with the same reason as before...

    1w0d: AAA: parse name=<no string> idb type=-1 tty=-1
    1w0d: AAA/MEMORY: create_user (0x80BD8344) user='host/npsclient1.ias.abc.com' ruser='host/npsclient1.ias.abc.com' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
    1w0d: AAA/AUTHEN/START (2216724630): port='FastEthernet0/17' list='Dot1x Acc List' action=LOGIN service=802.1x
    1w0d: AAA/AUTHEN/START (2216724630): using "default" list
    1w0d: AAA/AUTHEN/START (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2216724630): continue_login (user='host/npsclient1.ias.abc.com')
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2216724630): continue_login (user='host/npsclient1.ias.abc.com')
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2216724630): continue_login (user='host/npsclient1.ias.abc.com')
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2216724630): continue_login (user='host/npsclient1.ias.abc.com')
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2216724630): continue_login (user='host/npsclient1.ias.abc.com')
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/AUTHEN (2216724630): Method=radius (radius)
    1w0d: AAA/AUTHEN (2216724630): status = GETDATA
    1w0d: AAA/MEMORY: free_user (0x80BD8344) user='host/npsclient1.ias.abc.com' ruser='host/npsclient1.ias.abc.com' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
    1w0d: AAA: parse name=FastEthernet0/17 idb type=-1 tty=-1
    1w0d: AAA: name=FastEthernet0/17 flags=0x15 type=7 shelf=0 slot=0 adapter=0 port=17 channel=0
    1w0d: AAA: parse name=<no string> idb type=-1 tty=-1
    1w0d: AAA/MEMORY: create_user (0x80D95228) user='IAS\Administrator' ruser='IAS\Administrator' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
    1w0d: AAA/AUTHEN/START (2523003289): port='FastEthernet0/17' list='Dot1x Acc List' action=LOGIN service=802.1x
    1w0d: AAA/AUTHEN/START (2523003289): using "default" list
    1w0d: AAA/AUTHEN/START (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/AUTHEN (2523003289): Method=radius (radius)
    1w0d: AAA/AUTHEN (2523003289): status = GETDATA
    1w0d: AAA/MEMORY: free_user (0x80D95228) user='IAS\Administrator' ruser='IAS\Administrator' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
    Wednesday, August 15, 2007 5:03 PM
  • Hi,

     

    I've done a little testing, and it looks like it's normal that the client only sends the sub-domain during the authentication process. I'll need to check into this further and let you know what I find out.

     

    -Greg

    Wednesday, August 15, 2007 6:10 PM
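Greg's procedure earlier in the thread (capture `debug aaa authentication` on the 2950 and read the `user=` value the supplicant presents) and his conclusion just above (the client normally sends only the sub-domain label) can be checked mechanically instead of by eye. The Python below is an added example, not code from this thread, from Cisco or from Microsoft. It assumes only the IOS timestamp prefixes seen in the posts (`6d23h:`, `1w0d:`, `04:14:33:`) and runs on a constructed sample modelled on the posted output. Because the terminal wrapped the posted records at 80 columns mid-token (`por` / `t=18`, `npsclient` / `1.ias.abc.com`), the parser first rejoins continuation lines with no separator, then lists each `create_user` session, whether the switch freed it, and whether the identity's domain part is a NetBIOS label or a DNS name.

```python
import re

# A new debug record starts with an IOS timestamp prefix: an uptime such as
# "6d23h:" or "1w0d:", or a clock time such as "04:14:33:". Any other line is a
# continuation of the previous record that the terminal wrapped at 80 columns.
# (Assumption: only these prefix shapes, the ones in the posts, are recognised.)
RECORD_START = re.compile(r"^(?:\d+[wdh]\d+[dhm]|\d{1,2}:\d{2}:\d{2}): ")

CREATE_USER = re.compile(
    r"AAA/MEMORY: create_user \((0x[0-9A-Fa-f]+)\) user='([^']*)' ruser='([^']*)' port='([^']*)'")
FREE_USER = re.compile(r"AAA/MEMORY: free_user \((0x[0-9A-Fa-f]+)\)")

# Constructed sample modelled on the thread (not the poster's exact output): the
# terminal wrapped several records mid-token, a machine authentication (host/...)
# is followed by a user authentication, and the user record carries the NetBIOS
# label IAS rather than the DNS domain ias.abc.com.
SAMPLE_DEBUG = r"""
1w0d: AAA: parse name=<no string> idb type=-1 tty=-1
1w0d: AAA/MEMORY: create_user (0x80BD8344) user='host/npsclient1.ias.abc.com' ruser='host/npsclient
1.ias.abc.com' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
1w0d: AAA/AUTHEN/START (2216724630): port='FastEthernet0/17' list='Dot1x Acc List' action=LOGIN servi
ce=802.1x
1w0d: AAA/AUTHEN (2216724630): status = GETDATA
1w0d: AAA/MEMORY: free_user (0x80BD8344) user='host/npsclient1.ias.abc.com' ruser='host/npsclient1.
ias.abc.com' port='FastEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
1w0d: AAA/MEMORY: create_user (0x80D95228) user='IAS\Administrator' ruser='IAS\Administrator' port='F
astEthernet0/17' rem_addr='' authen_type=EAP service=802.1x priv=1
1w0d: AAA/AUTHEN/START (2523003289): port='FastEthernet0/17' list='Dot1x Acc List' action=LOGIN service=802.1x
1w0d: AAA/AUTHEN/CONT (2523003289): continue_login (user='IAS\Administrator')
"""


def join_wrapped(text):
    """Rejoin records the terminal wrapped mid-token. No separator is inserted,
    because the wrap can fall inside a word ('por' + 't=18')."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def identity_kind(user):
    """Say what the supplicant presented: machine, DOMAIN\\user, UPN or bare name,
    and for DOMAIN\\user whether the label is a NetBIOS name or a DNS domain."""
    if user.lower().startswith("host/"):
        return "machine"
    if "\\" in user:
        label = user.split("\\", 1)[0]
        return "dns-domain\\user" if "." in label else "netbios\\user"
    if "@" in user:
        return "upn"
    return "bare"


def supplicant_sessions(text):
    """One entry per create_user record: handle, identity, port, identity kind,
    and whether a matching free_user record followed."""
    sessions, by_handle = [], {}
    for rec in join_wrapped(text):
        m = CREATE_USER.search(rec)
        if m:
            handle, user, _ruser, port = m.groups()
            sess = {"handle": handle, "user": user, "port": port,
                    "kind": identity_kind(user), "freed": False}
            sessions.append(sess)
            by_handle[handle] = sess
            continue
        m = FREE_USER.search(rec)
        if m and m.group(1) in by_handle:
            by_handle[m.group(1)]["freed"] = True
    return sessions


if __name__ == "__main__":
    for s in supplicant_sessions(SAMPLE_DEBUG):
        state = "freed" if s["freed"] else "open"
        print(f'{s["handle"]} {s["port"]:16} {s["kind"]:16} {s["user"]} ({state})')
```

A `netbios\user` result for a client joined to a child domain is what Greg found to be normal; the check is still useful as a detection, because an identity whose label is neither a known NetBIOS name nor a DNS domain of your forest points at a supplicant configuration problem rather than at NPS.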
  • Hi,

     

    I just wanted to let you know that I'll be testing your scenario (with a sub-domain) over the next couple days. I have a Cisco 2950 also, so it should be a good test. It's possible that the 2950 is not passing all the necessary credentials to NPS when you use a sub-domain.

     

    -Greg

    Thursday, August 16, 2007 6:36 PM
  • Hi,

     

    Can you please post your most recent C:\Windows\System32\LogFiles\IN*.log, or send it to me in email.

     

    My email is greglin@online.microsoft.com <-- remove the "online." to actually get my email (done to help avoid scanning bots).

     

    Thanks,

    -Greg

    Saturday, August 18, 2007 1:39 AM
  • Hi Greg,

    I am trying to verify that the environment and infrastructure (with a sub-domain) are properly set up and configured, but when I try to obtain a computer certificate on NPS1, all the certificate templates are unavailable (this is the same if I log on to NPS1 to the DC or the sub DC). You wouldn't happen to have any clues on this, would you?

    Thanks.
    Wednesday, August 22, 2007 1:08 AM
  • Hi,

    Double-click the Computer template in certtmpl.msc on DC1 and check the Security tab. Domain Admins and Domain Computers should already have Enroll permission. Also check the domain that shows next to the group or user name.

    You can also double-check that the Computer template is listed in the Certificate Templates container in certsrv.msc. Again, this should be configured by default.

    Are you saying that in order to see any templates, you have to select the "Show all templates" check box, and they all appear unavailable?

    Edit: I recall now that this is the expected behavior since the 802.1X guide uses WS03 Standard with an Enterprise CA. The "Computer" certificate should be available though.

    -Greg

    Edit: I checked, and not having a certificate here would fail authentication with a different event message than what you are seeing. Can you confirm that you have a computer certificate on NPS? Also - you mentioned that you may have two DCs in the last reply. Is there more than one?

    Wednesday, August 22, 2007 5:33 AM
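    A scripted version of the two checks Greg describes above (Enroll permission on the Computer template, and whether the NPS server actually holds a computer certificate). This is an added example, not code from the original thread or from Microsoft; it assumes a domain-joined host with PowerShell and ADSI access to the configuration partition, that the Computer template uses its default common name Machine, and the domain/group names used in the usage lines are placeholders standing in for the thread's abc2 and sdc domains.

```powershell
# Added example (not from the original thread). Assumes: run on a domain-joined
# host as a domain user; PowerShell 2.0+; the template display name "Computer"
# has the LDAP common name "Machine" (its default).

# "Enroll" on a template is the Certificate-Enrollment extended right.
$EnrollRightGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'

# --- 1. Which principals are granted Enroll on a template? ---
function Get-TemplateEnrollPrincipals {
    param([string]$TemplateCN = 'Machine')
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext
    $dn = "LDAP://CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $template = [ADSI]$dn
    # Enroll appears as an Allow ACE of type ExtendedRight carrying the GUID above.
    # Note: a principal with Full Control (GenericAll) can also enroll but will not
    # show up here, because that ACE carries no object GUID.
    $template.ObjectSecurity.Access |
        Where-Object { $_.ObjectType -eq $EnrollRightGuid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Print yes/NO for each expected group, e.g. 'ABC2\Domain Computers'.
function Test-TemplateEnroll {
    param([string]$TemplateCN = 'Machine', [string[]]$Expected)
    $granted = @(Get-TemplateEnrollPrincipals -TemplateCN $TemplateCN)
    foreach ($p in $Expected) {
        $ok = $granted -contains $p
        '{0,-40} Enroll: {1}' -f $p, $(if ($ok) { 'yes' } else { 'NO' })
    }
}

# --- 2. Does this NPS server hold a usable computer certificate? ---
# PEAP on NPS needs a certificate in LocalMachine\My with a private key, still
# valid, and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
function Get-NpsServerCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
    }
}

# Usage (placeholder NetBIOS domain names; the thread's forest would be ABC2 / SDC):
Test-TemplateEnroll -Expected 'ABC2\Domain Admins', 'ABC2\Domain Computers', 'SDC\Domain Computers'
$cert = Get-NpsServerCert
if ($cert) { $cert | Format-List Subject, Issuer, NotAfter, Thumbprint }
else       { 'No valid certificate with the Server Authentication EKU in LocalMachine\My' }
```

    The first check reads the template object's security descriptor from the configuration partition, so it reports what every CA in the forest sees, independent of which DC you happen to be logged on to; if a child-domain group is missing from the list, that matches the symptom described later in this thread. The second check is the script equivalent of opening the Local Computer certificate store on NPS and looking for a certificate the PEAP server settings could select.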
  • RE: Can you confirm that you have a computer certificate on NPS? Also - you mentioned that you may have two DCs in the last reply. Is there more than one?
    Yes, the NPS has a computer certificate. This was with the old setup (with the sub/child DC ias.abc.com); however, there is a problem with the root DC "abc.com" and it's not available for my usage anymore.

    So in the current setup: the root DC (abc2.com) and the sub/child DC (sdc.abc2.com) (the DC1 you are referring to? This is where User1's account and Domain Admins rights reside).
    -From certtmpl.msc, for abc2.com, Domain Admins does have Enroll permission for the Computer template.
    -From certtmpl.msc, for sdc.abc2.com, Domain Admins also has Enroll permission for the Computer template.
    -From certsrv.msc, for abc2.com, the Computer template is listed.
    -From certsrv.msc, for sdc.abc2.com, the Computer template is also listed.

    RE:
    Are you saying that in order to see any templates, you have to select the "Show all templates" check box, and they all appear unavailable?
    Answer: Yes.

    So this is where I am stuck right now.

    -If I try to request a certificate by web page (http://<sdc>/certsrv), logging on with a Domain Admins account residing on sdc.abc2.com, no templates are found.
    -If I try to request a certificate by web page (http://<abc2>/certsrv), logging on with a Domain Admins account residing on abc2.com, only the Administrator, Basic EFS, EFS Recovery, User, Subordinate CA, and Web Server templates are available. No Computer template.

    This one is interesting:
    -If I try to request a certificate by web page (http://<sdc>/cert), logging on with a Domain Admins account residing on abc2.com, then the Administrator, Basic EFS, EFS Recovery, User, Subordinate CA, and Web Server templates are available. No Computer template.

    Update:
    I checked the security settings of the Computer template again in certtmpl.msc, and the only groups are abc2\Domain Admins, abc2\Domain Computers... so I tried adding sdc\Domain Admins (read/write/enroll) and sdc\Domain Computers (enroll). This is done from sdc, but if I log on with the admin account from sdc I get a security error, LDAP://.... If I log on as admin from abc2 then the changes to the security settings are saved. But NPS still cannot enroll a computer certificate... never mind, I just logged off and on again after a few minutes and the Computer template is available now. Let's see what happens.
    Thursday, August 23, 2007 10:17 PM
  • Hi,

    If I understand correctly, you've had to reinstall the OS on your DC, and now you can't get a new Computer certificate on NPS. It also appears you are using two DCs with web enrollment installed. This is different from the step by step, but should be supported.

    1. Which of the two DCs is your Root CA?

    2. Is the other DC a subordinate CA?

    3. Are the two CAs running enterprise CA or standalone CA?

    4. Are both CAs running Server 2003 standard?

    5. If you open the certificates snap-in for Computer account, Local Computer on the NPS server, then right-click the Personal container and point to All Tasks, do you see Request New Certificate?

    6. If so, and you click Request New Certificate, does the Computer certificate appear as a choice? If the computer certificate is not there, and you select Show all templates, what is the reason next to the Computer template?

    -Greg

    Edit: just read your update - I'll wait and see what happens now.

    Thursday, August 23, 2007 10:56 PM

  • If I understand correctly, you've had to reinstall the OS on your DC, and now you can't get a new Computer certificate on NPS. --> This is correct. But the problem is resolved now. NPS can enroll a Computer certificate. The original error code of this thread is no longer observed.

    It also appears you are using two DCs with web enrollment installed. --> This is also correct.

    1. Which of the two DCs is your Root CA? abc2.com is the root CA.

    2. Is the other DC a subordinate CA? Yes, the other is a subordinate CA.

    3. Are the two CAs running enterprise CA or standalone CA? abc2.com is running as an enterprise CA and sdc.abc2.com is running as a subordinate enterprise CA.

    4. Are both CAs running Server 2003 standard? Unless the System information on the General tab of System Properties is incorrect, I am running Server 2003 Enterprise Edition on both.

    5. If you open the certificates snap-in for Computer account, Local Computer on the NPS server, then right-click the Personal container and point to All Tasks, do you see Request New Certificate? Yes, I do see Request New Certificate.

    6. If so, and you click Request New Certificate, does the Computer certificate appear as a choice? If the computer certificate is not there, and you select Show all templates, what is the reason next to the Computer template? The issue is resolved now; I don't recall the exact message.

    Thanks for all the tips and support, Greg.
    Thursday, August 23, 2007 11:46 PM
  • Hi,

    Awesome - glad it is working now! I wish I knew what caused the original error message, but I'll have to assume it was an issue with the original DC.

    Thanks for testing NAP!

    -Greg

    Friday, August 24, 2007 12:47 AM