NPS. User Group condition not working

  • Question

  • There are domains A and B. There is an external two-way trust between them. In domain A we have a server with the NPS role only. A Connection Request policy and a Network policy are configured. In the network policy we have one condition - "User Groups". This group is a security group in domain A with domain local scope. In this group there are two users: one from domain A, another from domain B. For the user from domain A all works well. For the user from domain B we get an error when connecting: "The connection request did not match any configured network policy". If we add a group from domain B to this condition, then the user from domain B also connects well. Can anyone tell why?

    If NPS works on a domain controller, then I need to add only one group from domain A in the condition, and users from domain A and domain B connect well. I need NPS without the domain controller role and with only one group from domain A in the condition.

    Saturday, April 4, 2015 7:27 AM

Answers

  • >>We can add the users from trusted external domain into a universal group.

    Steven_Lee0510, you are wrong. Please read this:

    https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

    About my problem: We opened a case with Microsoft, and the answer was - "It's a bug".

    Sunday, April 19, 2015 11:28 AM

All replies

  • I found that the problem occurs when PEAP is configured in the network policy. If I disable PEAP, then users from both domains connect well via MS-CHAPv2. So how can I configure PEAP?
    • Edited by ITsnik Sunday, April 5, 2015 4:33 AM
    Sunday, April 5, 2015 3:28 AM
  • Hi,

    Where did you configure the PEAP? Do you mean that if you configure the PEAP in the network policy, the authentication will fail with the error "The connection request did not match any configured network policy"?

    Normally, NPS uses the conditions to match the network policy. If we didn't change the conditions of the network policy, it should be matched. Please check if a condition is misconfigured.

    If issue persists, please try to re-create a new network policy.

    Best regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, April 6, 2015 11:39 AM
  • Thanks for the reply. And I really hope that you can help me.

    I have only one network policy. In this policy there is one condition rule - "User Groups". In this rule only one security group from domain A is used. In this group there are users from domains A and B. Also, the network policy uses the PEAP (EAP-MSCHAPv2) authentication method. With this configuration, only users from domain A can successfully connect to the network. For users from domain B I can see the error in the event log on the NPS: "The connection request did not match any configured network policy". If I change the authentication method to MS-CHAP-v2, then users from both domains can successfully connect to the network. Thus the condition in the network policy is not misconfigured.

    Additionally:

    - If NPS works on a Domain Controller, then with the same conditions all works fine. Users from domain B can successfully connect to the network.

    - If I add a group from domain B to the condition, then users from domain B can successfully connect to the network even with EAP-MSCHAPv2. But I don't want to add a group from domain B.

    I tried to recreate the network policy, upgrade NPS to Windows 2012, and add the NPS to the group "RAS and IAS Servers" in both domains. I believe that I am missing something in the configuration.



    • Edited by ITsnik Tuesday, April 7, 2015 7:47 AM
    Monday, April 6, 2015 11:07 PM
  • Please, any ideas?
    Wednesday, April 8, 2015 7:26 AM
  • Hi,

    What's the type of your group? If it is not universal, please try to change it to universal.

    Besides, PEAP requires a certificate. Could you please provide detailed information about your PEAP configuration?

    Best Regards.


    Wednesday, April 8, 2015 9:59 AM
  • Hi,

    The group is "domain local" because I need to add users from a trusted external domain (another forest). Therefore I can't use a universal group.

    On the NPS I use a certificate issued by an internal CA located in domain A. The certificate template is "RAS and IAS Server". This certificate is used in the PEAP authentication method. All settings are at their defaults.

    The RootCA certificate is imported into Trusted Root CA on the client machine. Thus, the certificate of the NPS is trusted.

    Wednesday, April 8, 2015 10:33 AM
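The thread turns on two facts that are easy to check directly: which scope the condition group has and whether its cross-forest members are stored as foreign security principals, and what the NPS denial events say about the failing users and their authentication type. The following PowerShell diagnostic is an added example written for this page, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed on the NPS server, and the group name `NPS-VPN-Users` is a placeholder for the group used in the "User Groups" condition.

```powershell
# Added diagnostic (not from the thread). Run on the NPS server with rights to read
# the Security log and the ActiveDirectory module available.
param(
    [string]$GroupName = 'NPS-VPN-Users',   # placeholder: the group in the "User Groups" condition
    [int]$Hours = 24                        # how far back to look for NPS denials
)
Import-Module ActiveDirectory

function Get-NpsConditionGroupReport {
    param([string]$Name)
    $group = Get-ADGroup -Identity $Name -Properties member

    # Members from an externally trusted forest are represented in the local domain as
    # foreignSecurityPrincipal objects (CN=ForeignSecurityPrincipals,...). Only domain
    # local groups can contain them, which is why the thread's group cannot be universal.
    $members = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
        $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
        $resolved = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            '<unresolved SID>'   # resolution across the trust failed; worth noting on its own
        }
        [pscustomobject]@{
            Member  = $resolved
            Foreign = ($obj.objectClass -eq 'foreignSecurityPrincipal')
            Sid     = $sid.Value
        }
    }

    [pscustomobject]@{
        Group        = $group.Name
        Scope        = $group.GroupScope          # expect DomainLocal for cross-forest members
        MemberCount  = @($members).Count
        ForeignCount = @($members | Where-Object Foreign).Count
        Members      = $members
    }
}

function Get-NpsPolicyMismatchDenials {
    param([int]$Hours)
    # Event 6273 in the Security log = "Network Policy Server denied access to a user".
    # The reason text quoted in the thread is matched on the message body so that this
    # does not depend on a particular field index inside the event.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -notmatch 'did not match any configured network policy') { continue }
        # Pull the fields a defender cares about from the formatted message.
        $account = if ($e.Message -match 'Account Name:\s+(\S+)')         { $Matches[1] } else { '?' }
        $domain  = if ($e.Message -match 'Account Domain:\s+(\S+)')       { $Matches[1] } else { '?' }
        $auth    = if ($e.Message -match 'Authentication Type:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $account
            Domain   = $domain
            AuthType = $auth          # PEAP vs MS-CHAPv2 is the distinction the thread found
        }
    }
}

$report  = Get-NpsConditionGroupReport -Name $GroupName
$denials = Get-NpsPolicyMismatchDenials -Hours $Hours

"Group '$($report.Group)' scope=$($report.Scope) members=$($report.MemberCount) foreign=$($report.ForeignCount)"
$report.Members | Format-Table -AutoSize

"NPS denials with 'no matching network policy' in the last $Hours h:"
$denials | Sort-Object Time | Format-Table -AutoSize

# The pattern described in the thread looks like this in the output: the group is
# DomainLocal and lists the domain B users as Foreign=True, yet the denials for those
# same accounts show an AuthType of PEAP while MS-CHAPv2 attempts are absent.
```

Reading the two tables together separates the cases: an empty or unresolved foreign member list points at the group or the trust, whereas foreign members present plus denials that only carry the PEAP authentication type reproduce the behaviour the thread reports.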
  • Today I found one more interesting thing. If I create a local group on the NPS server, add users from domain B to this group, and then use this group in the network policy, the users successfully connect to the network.
    Thursday, April 9, 2015 12:39 AM
  • No ideas?
    Thursday, April 9, 2015 10:43 PM

  • Hi,

    >>The group is "domain local" because I need to add users from a trusted external domain (another forest). Therefore I can't use a universal group.

    We can add the users from trusted external domain into a universal group.

    Besides, please try to enable both MSCHAPv2 and PEAP in the network policy. Then we can check which authentication method is used in the event log.

    Best Regards.


    Monday, April 13, 2015 2:28 AM
  • >>We can add the users from trusted external domain into a universal group.

    Steven_Lee0510, you are wrong. Please read this:

    https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

    About my problem: We opened a case with Microsoft, and the answer was - "It's a bug".

    Sunday, April 19, 2015 11:28 AM
  • Hi,

    >>Steven_Lee0510, you are wrong. Please read this:

    https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

    I'm so sorry about my misleading. Thanks for correcting me!

    >>About my problem: We opened a case with Microsoft, and the answer was - "It's a bug".

    Thanks for the sharing! Your effort and time will be appreciated.

    Best Regards.


    Monday, April 20, 2015 5:15 AM
  • Thanks for trying to help me.

    According to information from Microsoft, this bug is unlikely to be resolved in Windows 2008 R2. I hope that it will be resolved in Windows 2012 R2.

    Tuesday, April 21, 2015 12:44 AM
  • Did you ever get this resolved? We are running into the exact same bug with the exact same details, all the way down to being able to add a local server group on the NPS server, add the remote forest users to that group, and have them auth fine. I also notice that when using the local forest group containing remote forest users, when the NPS server goes to authenticate, there is an event log entry on the remote forest DC which indicates successful authentication from the NPS server. This means the communication and server auth are good; just the lookup of members is barfing.

    Did you ever get a bug number for this issue to track if it is going to be fixed?

    Monday, March 7, 2016 10:15 PM
  • Hi, wizardberry2!

    Unfortunately we don't have a bug number. MS asked us to describe in detail how exactly this bug affects our business so they could try to fix it in 2012 R2. We tried hard, but couldn't do so. Taking into account the complexity of the solution and the availability of a workaround, MS rejected our request. So in 2012 R2 this bug also exists :( I hope they fix it in future releases.

    Monday, March 14, 2016 1:35 PM