Windows XP PEAP authentication fails

  • Question

  • Hello,

    I am trying to make a client computer authenticate with domain credentials to the NPS for wireless network auth. The logs of the NPS server only show authentication attempts with the computer name. Our setup:

    Client: Windows XP SP3, wireless networks managed by wzcsvc

    The client tries to connect to a wireless network, controlled by a Cisco Wlan Controller. This controller is configured to use the NPS server as Radius.

    NPS and AD server: Windows 2008 R2

    I tried the following without any results:

    • setting the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 0 and 1
    • disabling our GPO on the specific laptop and domain user logged on to the laptop


    If I adapt the NPS policy for computer authentication, everything works and access is granted but if I specify a domain user group, the authentication fails.
    I have the impression the wzc tool is a bit buggy, from time to time the NPS logs do not report authentication attempts anymore. After a net stop/start wzcsvc, it works again. I looked around on a lot of fora and Microsoft articles but I really can't find what the problem is. Any suggestions?

    Thanks!

    Monday, February 28, 2011 10:07 AM

All replies

  • Hi

    On the client side under the authentication tab, tick "Enable IEEE 802.1x authentication for this network", EAP type select PEAP, now right below untick "Authenticate as computer when computer information is available" and also untick "Authenticate as guest when user or comp......."

    Click properties right under EAP type.. where you selected PEAP.

    Tick or untick validate server certificate based on whether or not you are using certs, under "Select Authentication Method:" select Secured Password (EAP-MSCHAP V2) then click configure and tick or untick "Automatically use my windows logon name and password (and domain if any)" depending on what your requirements are.

    After this make sure you add the windows groups to your policies in NPS and that the policy is configured correctly for PEAP MSCHAP V2 :)

    Hope this helps you out.. please post up if the problem persists


    tech-nique
    Monday, February 28, 2011 8:30 PM
  • Hello,

    Thank you for the suggestion but that didn't do the trick. To be more clear, I configured the following options on the client:

    • WPA2 with AES
    • Authenticate as computer box unchecked
    • Authenticate as guest unchecked
    • EAP type PEAP
    • Check server certificate with our domain certificate checked
    • Secured password EAP-MSCHAP v2 with use windows logon name and password checked

    The AuthMode registry value is deleted.

    Every authentication attempt of the laptop generates 3 log entries which are all the same:

    User:
        Security ID:            DOMAIN\KA001135N$
        Account Name:            host/KA001135N.domain.com
        Account Domain:            DOMAIN
        Fully Qualified Account Name:    DOMAIN\KA001135N$

    where DOMAIN is our domain and KA001135 is the name of the computer.

    Funny thing is that one of the local employees has an iPhone configured to be in the domain and this device logs on with user credentials. The request is denied because the user is not part of the user group allowed to connect in the NPS:

    User:
        Security ID:            DOMAIN\k00300
        Account Name:            K00300
        Account Domain:            DOMAIN
        Fully Qualified Account Name:    domain.com/Departments/CEO Office/First_name Last_name

    where k00300 is domain account of this person.

     

    Perhaps the GPO has changed some security settings which are not undone by simply disabling the GPO? The EAPOL.log file has the following entries in it:

    [2496] 10:21:33:758: EAPOLTrayIconReadyWorker: Advise username = DOMAIN\esger
    [2496] 10:21:34:758: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
    [2496] 10:21:34:758: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
    [2496] 10:21:34:758: EAPOLTrayIconReadyWorker: ElGetWinStationUserToken failed with error 1008

    where esger is my domain account.

    Best regards,

    Esger

    Tuesday, March 1, 2011 4:46 PM
  • Hi Esger

    The default AuthMode on Windows XP is 0, if the user log on is not successful then computer authentication is performed, this seems to be what is happening in your case.

    From what I see in the EAPOL.log file I think there is a problem with getting the account information from the client. Can you try and restart the WZC service on the laptop and try again? I have seen instances where a laptop fails to authenticate until you restart the service. You can run the following commands in command prompt:

    net stop wzcsvc

    net start wzcsvc

    Please try this and test then post if you have any luck :)

    Please note it is not advisable to play around with the registry settings especially for PEAP MSCHAP v2 because correct configuration and setup will work well without the need to go into registry.

     

     


    tech-nique
    Tuesday, March 1, 2011 5:40 PM
  • Hello,

    Thanks again for the tip but I disabled/enabled the wzc service already like a thousand times ;) Also did several reboots and log on/log off's, without any change.

    I have to admit that when I was configuring the setup in our lab, the authentication worked. At every authentication attempt I saw the laptop sending both computer name and domain credentials. Now that everything is on site, it does not work anymore. This is why I thought it could have something to do with the GPO, nothing much has changed except for the GPO.

     

    Thanks again,

    Esger

    Tuesday, March 1, 2011 5:55 PM
  • Hi

    May you, just for testing purposes, untick use windows logon name and password, this will cause a prompt to pop up asking you to enter in your credentials when you try and connect. Then enter your username, password and domain name in the text fields and test.

    Are you testing with one laptop?? Can you try another one, configure the settings yourself not through GPO and test to see if it works so we see if the problem is localised to that machine or to many machines.


    tech-nique
    Tuesday, March 1, 2011 6:05 PM
  • Hello,

     

    When I disable the option use windows login name and password, nothing happens. I am not asked for user credentials, the client just keeps trying to connect with the message "Waiting for the network". The EAPOL.log shows the following:

    [1952] 20:41:46:447: ElParseIdentityString: Returned after calling NLARegister_802_1X
    [1952] 20:41:46:447: ElGetIdentity: Userlogged, Prev !Machine auth
    [1952] 20:41:46:447: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: !MD5
    [1952] 20:41:46:447: ElGetUserIdentity entered
    [1952] 20:41:46:447: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (2) with error (1008)
    [1952] 20:41:46:447: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (2) with error= (1008)
    [1952] 20:41:46:447: ElGetUserIdentity: ElGetWinStationUserToken failed with error (1008)
    [1952] 20:41:46:447: ElGetUserIdentity completed with error 1008
    [1952] 20:41:46:447: ElGetIdentity: Error in ElGetUserIdentity 1008
    [1952] 20:41:46:447: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: ERROR
    [1952] 20:41:46:447: ElEapMakeMessage: Error in ElGetIdentity 1008
    [1952] 20:41:46:447: ElEapWork: ElEapMakeMessage returned error 1008
    [1952] 20:41:46:447: FSMAcquired: Error in ElEapWork 1008

    For the moment, I only have this one laptop to test on. I will try to get another laptop to do tests but all machines will have the GPO settings applied. The location is several thousands of miles away from here and the connection is awful so it's hard to get fresh machines in the network.

     

    Regards,

    Esger

    Tuesday, March 1, 2011 8:01 PM
  • Hi

    That's odd.. if you untick automatically use my windows user name and password, it is supposed to prompt you to enter, if it is not prompting you then there seems to be quite the problem. What is the currently set value under AuthMode in registry?? Make sure it is set to 0. Do a netstop and netstart of the wzcsvc and try again. You said this set up worked before so I am assuming your access point is configured correctly and your server as well and I am assuming the problem is localised to the laptop.. if we had another laptop it would be easier to run a test. For now go into registry and check the items I mentioned :)


    tech-nique
    Wednesday, March 2, 2011 11:03 AM
  • Hello,

    I added the AuthMode registry with value 0 and rebooted the pc. After making sure the Authenticate as computer, Authenticate as guest and use windows logon boxes are unchecked, I tried to connect again. The client still says "Waiting for the network...", and authentication fails. The NPS log has this entry:

    User:
        Security ID:            NULL SID
        Account Name:            admin
        Account Domain:            -
        Fully Qualified Account Name:    -

    Any other ideas?

    Thanks for your help,

    Esger

    Wednesday, March 2, 2011 3:50 PM
  • Hi

    Okay, can you restart the wzcsvc again and try again, and can you post the entire NPS log for the test? This includes NPS connection request policy logs and all that, can you please post it up. And when you tried the last time you did not get a windows prompt/pop up asking you to enter in your credentials?? And check to make sure enable fast reconnect is disabled for now :)


    tech-nique
    Wednesday, March 2, 2011 4:08 PM

  • Hello,

    Sorry for the delay. Indeed, I got no pop up or anything like that to provide credentials. In fact, most of the time, not a single NPS log is created on the AD in this case.

    With every connection attempt (when the Authenticate as computer box is enabled), I get 3 log entries, all the same:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/03/2011 15:36:52
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      FK-DCSRV-01.DOMAIN.com
    Description:
    Network Policy Server denied access to a user.
     
    Contact the Network Policy Server administrator for more information.
     
    User:
        Security ID:            DOMAIN\KA001135N$
        Account Name:            host/KA001135N.DOMAIN.com
        Account Domain:            DOMAIN
        Fully Qualified Account Name:    DOMAIN\KA001135N$
     
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00-3a-98-8a-11-60:DOMAIN Wifi
        Calling Station Identifier:        78-e4-00-61-be-0c
     
    NAS:
        NAS IPv4 Address:        10.1.1.11
        NAS IPv6 Address:        -
        NAS Identifier:            Cisco_8e:2c:e4
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            13
     
    RADIUS Client:
        Client Friendly Name:        FK-WLAN_CTRL
        Client IP Address:            10.1.1.11
     
    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        FK-DCSRV-01.DOMAIN.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            48
        Reason:                The connection request did not match any configured network policy.
     
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-03-06T13:36:52.721023600Z" />
        <EventRecordID>2271634</EventRecordID>
        <Correlation />
        <Execution ProcessID="656" ThreadID="7144" />
        <Channel>Security</Channel>
        <Computer>FK-DCSRV-01.DOMAIN.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-2596585717-1200327576-1518998471-1197</Data>
        <Data Name="SubjectUserName">host/KA001135N.DOMAIN.com</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="FullyQualifiedSubjectUserName">DOMAIN\KA001135N$</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">00-3a-98-8a-11-60:DOMAIN Wifi</Data>
        <Data Name="CallingStationID">78-e4-00-61-be-0c</Data>
        <Data Name="NASIPv4Address">10.1.1.11</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">Cisco_8e:2c:e4</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">13</Data>
        <Data Name="ClientName">FK-WLAN_CTRL</Data>
        <Data Name="ClientIPAddress">10.1.1.11</Data>
        <Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">FK-DCSRV-01.DOMAIN.com</Data>
        <Data Name="AuthenticationType">EAP</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">48</Data>
        <Data Name="Reason">The connection request did not match any configured network policy.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

     

    The EAPOL.log gives (just the beginning, the log is too long):

     [304] 15:33:02:767: ElUserLogonCallback: UserloggedOn = 0
    [304] 15:33:02:767: ElCheckUserModuleReady: No user logged on
    [304] 15:33:02:767: ElUserLogonCallback: completed with error 0
    [1420] 15:33:11:907: ElSessionChangeHandler: LOGON for session = (0)
    [1948] 15:33:11:923: ElUserLogonCallback: UserloggedOn = 1
    [1948] 15:33:11:923: ElUserLogonCallback: User logon already detected, returning without processing
    [1948] 15:33:11:923: ElUserLogonCallback: completed with error 0
    [3612] 15:33:16:360: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {6733F54C-227D-47B0-A4B4-765474D462CD}. Returning S_OK
    [3612] 15:33:16:407: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {A027B1AD-E678-48EE-8E9C-16F6C6127D89}. Returning S_OK
    [1744] 15:33:20:751: EAPOLTrayIconReady: Advise username = DOMAIN\esger
    [1948] 15:33:20:767: EAPOLTrayIconReadyWorker: Advise username = DOMAIN\esger
    [1948] 15:33:21:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
    [1948] 15:33:21:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
    [1948] 15:33:21:767: EAPOLTrayIconReadyWorker: ElGetWinStationUserToken failed with error 1008
    [1948] 15:33:22:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
    [1948] 15:33:22:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
    [1948] 15:33:22:767: EAPOLTrayIconReadyWorker: ElGetWinStationUserToken failed with error 1008
    [1948] 15:33:23:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
    [1948] 15:33:23:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
    [1948] 15:33:23:767: EAPOLTrayIconReadyWorker: ElGetWinStationUserToken failed with error 1008
    [3612] 15:34:09:188: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {6733F54C-227D-47B0-A4B4-765474D462CD}. Returning S_OK
    [3612] 15:34:09:203: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {6733F54C-227D-47B0-A4B4-765474D462CD}. Returning S_OK
    [1744] 15:34:09:203: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {A027B1AD-E678-48EE-8E9C-16F6C6127D89}. Returning S_OK
    [1744] 15:34:09:203: EAPOLQueryGUIDNCSState: 802.1X Port Inexistant for {A027B1AD-E678-48EE-8E9C-16F6C6127D89}. Returning S_OK
    [1608] 15:34:16:719: ElGetInterfaceParams:  SsidLength=<12>, Found EapTypeId=<25>, SSIDLen=<12>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<13>, Offset=<52/202>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<13>, Offset=<52/202>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<25>, Offset=<52/202>, dwAuthData=<86>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<25>, Offset=<52/202>, dwAuthData=<86>
    [3352] 15:34:16:719: ElGetInterfaceParams:  SsidLength=<10>, Found EapTypeId=<13>, SSIDLen=<10>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<25>, Offset=<52/104>, dwAuthData=<0>
    [1608] 15:34:16:719: ElGetInterfaceParams:  SsidLength=<12>, Found EapTypeId=<25>, SSIDLen=<12>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<13>, Offset=<52/202>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<13>, Offset=<52/202>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<25>, Offset=<52/202>, dwAuthData=<86>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<12>, EapTypeId=<25>, Offset=<52/202>, dwAuthData=<86>
    [3352] 15:34:16:719: ElGetInterfaceParams:  SsidLength=<10>, Found EapTypeId=<13>, SSIDLen=<10>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [1608] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<10>, EapTypeId=<25>, Offset=<52/104>, dwAuthData=<0>
    [1608] 15:34:16:719: ElGetInterfaceParams:  SsidLength=<4>, Found EapTypeId=<13>, SSIDLen=<4>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<4>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<4>, EapTypeId=<13>, Offset=<52/104>, dwAuthData=<40>
    [3352] 15:34:16:719: ElGetCustomAuthData: SSIDLen=<4>, EapTypeId=<25>, Offset=<52/104>, dwAuthData=<0>
    [3352] 15:34:26:453: ElSetCustomAuthData: EapTypeId=<13>, SSIDLength=<10>, InfoLength=<40>
    [3352] 15:34:26:453: ElSetCustomAuthData: Set value succeeded, fFound=<1>, dwEapBlob=<104>, dwSizeOfSSID=<10>
    [3352] 15:34:26:453: ElSetCustomAuthData: EapTypeId=<25>, SSIDLength=<10>, InfoLength=<0>
    [3352] 15:34:26:453: ElSetCustomAuthData: Set value succeeded, fFound=<1>, dwEapBlob=<104>, dwSizeOfSSID=<10>
    [3352] 15:34:26:453: ElSetInterfaceParams:  EapTypeId=<13> SSIDLen=<10>
    [3352] 15:34:26:453: Setting stuff in registry for {8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [3352] 15:34:26:453: ElSetInterfaceParams: Succeeded,  EapTypeId=<13> fFound=<1>, SSIDLen=<10>
    [3352] 15:34:26:453: ElPostEapConfigChanged: SSIDLength=<10>
    [304] 15:34:26:453: ElGetInterfaceParams:  SsidLength=<10>, Found EapTypeId=<13>, SSIDLen=<10>
    [304] 15:34:26:453: ElProcessEapConfigChange: PCB not started, not enabled
    [304] 15:34:26:453: ElProcessEapConfigChange: Finished with error 0
    [1608] 15:34:26:453: ElSetCustomAuthData: EapTypeId=<13>, SSIDLength=<4>, InfoLength=<40>
    [1608] 15:34:26:453: ElSetCustomAuthData: Set value succeeded, fFound=<1>, dwEapBlob=<104>, dwSizeOfSSID=<4>
    [1608] 15:34:26:453: ElSetCustomAuthData: EapTypeId=<25>, SSIDLength=<4>, InfoLength=<0>
    [1608] 15:34:26:453: ElSetCustomAuthData: Set value succeeded, fFound=<1>, dwEapBlob=<104>, dwSizeOfSSID=<4>
    [1608] 15:34:26:453: ElSetInterfaceParams:  EapTypeId=<13> SSIDLen=<4>
    [1608] 15:34:26:453: Setting stuff in registry for {8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [1608] 15:34:26:453: ElSetInterfaceParams: Succeeded,  EapTypeId=<13> fFound=<1>, SSIDLen=<4>
    [1608] 15:34:26:453: ElPostEapConfigChanged: SSIDLength=<4>
    [304] 15:34:26:453: ElGetInterfaceParams:  SsidLength=<4>, Found EapTypeId=<13>, SSIDLen=<4>
    [304] 15:34:26:453: ElProcessEapConfigChange: PCB not started, enabled, starting PCB
    [304] 15:34:26:453: ElZeroConfigNotify: Handle=(0), failcount=(0), lastauthtype=(0)
    [304] 15:34:26:469: ElEnumAndOpenInterfaces: DeviceDesc = , GUID = {8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [304] 15:34:26:469: ElNdisuioEnumerateInterfaces: Opening handle
    [304] 15:34:26:469: NdisuioEnumerateInterfaces: NDISUIO bound to: (0) \DEVICE\{8F1E924D-7FFD-448B-8EDE-432ACCED474F}
         - Dell Wireless 1510 Wireless-N WLAN Mini-Card - Packet Scheduler Miniport
     
    [304] 15:34:26:469: NdisuioEnumerateInterfaces: NDISUIO bound to: (1) \DEVICE\{6733F54C-227D-47B0-A4B4-765474D462CD}
         - Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
     
    [3352] 15:34:26:469: ElWZCCfgUpdateSettings[2]: Deleting creds ...
    [304] 15:34:26:469: ElNdisuioEnumerateInterfaces: DeviceIoControl IOCTL_NDISUIO_QUERY_BINDING has no more entries
    [304] 15:34:26:469: Device: \DEVICE\{8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [304] 15:34:26:469: Description: Dell Wireless 1510 Wireless-N WLAN Mini-Card - Packet Scheduler Miniport
    [304] 15:34:26:469: ElEnumAndOpenInterfaces: Found interface after enumeration \DEVICE\{8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [304] 15:34:26:469: ElEnumAndOpenInterfaces: Did NOT find PCB already existing for interface
    [304] 15:34:26:469: ElOpenInterfaceHandle: Opening handle for \DEVICE\{8F1E924D-7FFD-448B-8EDE-432ACCED474F}
    [304] 15:34:26:469: ElOpenInterfaceHandle: Trying to access NDIS Device: \DEVICE\{8F1E924D-7FFD-448B-8EDE-432ACCED474F}  

    I hope you can help me.

    Thanks and regards,

    Esger

    Sunday, March 6, 2011 2:15 PM
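The 6273 event quoted above carries everything needed to tell which identity the client actually presented. The following is an added example, not part of the original thread: it reads the `Event Xml` form, classifies the identity as computer, user or unresolved, and reports whether any network policy matched. The sample events are constructed and trimmed; the first reuses the values quoted in the post, the other two follow the user and `NULL SID` entries quoted earlier in the thread, with a placeholder SID.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectUserName">{name}</Data>
    <Data Name="FullyQualifiedSubjectUserName">{fq}</Data>
    <Data Name="NetworkPolicyName">{policy}</Data>
    <Data Name="ReasonCode">{reason}</Data>
  </EventData>
</Event>"""

# Constructed, trimmed samples (only the fields used below).
MACHINE_EVENT = TEMPLATE.format(
    sid="S-1-5-21-2596585717-1200327576-1518998471-1197",
    name="host/KA001135N.DOMAIN.com", fq=r"DOMAIN\KA001135N$",
    policy="-", reason="48")
USER_EVENT = TEMPLATE.format(
    sid="S-1-5-21-0-0-0-1000",  # placeholder SID, not from the thread
    name="K00300",
    fq="domain.com/Departments/CEO Office/First_name Last_name",
    policy="-", reason="48")     # reason code assumed for this sample
UNRESOLVED_EVENT = TEMPLATE.format(
    sid="S-1-0-0", name="admin", fq="-",
    policy="-", reason="-")      # the post quoted no reason code here


def identity_kind(data):
    """Classify the identity NPS logged for the request."""
    if data.get("SubjectUserSid") == "S-1-0-0":
        return "unresolved"  # NULL SID: name was not mapped to an account
    name = data.get("SubjectUserName", "")
    sam = data.get("FullyQualifiedSubjectUserName", "").rsplit("\\", 1)[-1]
    # Computer accounts have a sAMAccountName ending in '$' and present
    # themselves as host/<fqdn> during 802.1X machine authentication.
    if sam.endswith("$") or name.lower().startswith("host/"):
        return "computer"
    return "user" if name not in ("", "-") else "unresolved"


def triage(xml_text):
    """Return the fields that decide which NPS policy could have matched."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    reason = data.get("ReasonCode", "")
    policy = data.get("NetworkPolicyName", "-")
    return {
        "event_id": event_id,
        "identity": data.get("SubjectUserName", ""),
        "kind": identity_kind(data),
        "reason_code": int(reason) if reason.isdigit() else None,
        "policy_matched": policy not in ("", "-"),
    }


def count_by_kind(events):
    """Tally denied requests per identity kind across several events."""
    return Counter(triage(e)["kind"] for e in events)


if __name__ == "__main__":
    for ev in (MACHINE_EVENT, USER_EVENT, UNRESOLVED_EVENT):
        print(triage(ev))
```
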
  • Hi there,

     

    Did you ever find a solution to this? I have a situation exactly the same. It doesn't matter what combination of reg keys or tickboxes I change. It will only work with computer account, it will never try a username, and will never prompt for one either.

    Very strange....

     

    Monday, May 16, 2011 4:54 AM
  • Hello,

    A few weeks later, I went on site to do the rest of the setup. To my surprise, when I got there, everything worked perfectly.

    After doing a few little tests I saw that when I connected via RDP to the wireless client, it just didn't work. When trying directly on the laptop it works fine.

    So I guess something with the combination RDP - wifi doesn't work right.

     

    Regards,

    Esger Mutsaerts

    Monday, May 16, 2011 7:37 AM
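The EAPOL.log excerpts earlier in the thread already show the pattern behind this finding: a `LOGON` for one session, and `GetWinStationUserToken` failures with error 1008 (Win32 `ERROR_NO_TOKEN`) for a different session. The following is an added example, not part of the original thread: it summarizes those lines and lists the sessions that fail without a logged `LOGON`. The sample lines are copied from the excerpts above; reading such a session as a remote (RDP) session is an assumption the log itself does not state.

```python
import re
from collections import Counter

# "[thread id] HH:MM:SS:mmm: message" as seen in the EAPOL.log excerpts.
LINE = re.compile(r"^\s*\[(\d+)\]\s+(\d\d:\d\d:\d\d:\d{3}):\s+(.*)$")
# Only the "SessionId (...)" form is counted; the log repeats each failure
# in a second "session= (...)" form that would otherwise double the tally.
TOKEN_FAIL = re.compile(
    r"GetWinStationUserToken failed for SessionId \((\d+)\) with error \((\d+)\)")
LOGON = re.compile(r"LOGON for session = \((\d+)\)")
ADVISE = re.compile(r"Advise username = (\S+)")

WIN32_NAMES = {1008: "ERROR_NO_TOKEN"}

# Sample lines taken from the excerpts quoted in the thread.
SAMPLE = r"""
[1420] 15:33:11:907: ElSessionChangeHandler: LOGON for session = (0)
[1948] 15:33:11:923: ElUserLogonCallback: UserloggedOn = 1
[1744] 15:33:20:751: EAPOLTrayIconReady: Advise username = DOMAIN\esger
[1948] 15:33:21:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
[1948] 15:33:21:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
[1948] 15:33:21:767: EAPOLTrayIconReadyWorker: ElGetWinStationUserToken failed with error 1008
[1948] 15:33:22:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
[1948] 15:33:22:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
[1948] 15:33:23:767: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (3) with error (1008)
[1948] 15:33:23:767: ElGetWinStationUserToken: GetWinStationUserToken failed for session= (3) with error= (1008)
"""


def analyze(lines):
    """Summarize logons, advised usernames and user-token failures."""
    logons, users, failures = set(), set(), Counter()
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and wrapped continuation lines
        msg = m.group(3)
        if (hit := LOGON.search(msg)):
            logons.add(int(hit.group(1)))
        if (hit := ADVISE.search(msg)):
            users.add(hit.group(1))
        if (hit := TOKEN_FAIL.search(msg)):
            failures[(int(hit.group(1)), int(hit.group(2)))] += 1
    failing = {session for session, _ in failures}
    return {
        "usernames": sorted(users),
        "logon_sessions": sorted(logons),
        "failures": failures,
        # Sessions the supplicant asked a user token for, although the log
        # shows no LOGON for them.
        "failing_sessions_without_logon": sorted(failing - logons),
    }


def describe(result):
    """Render one line per (session, error) pair for a ticket or report."""
    return [f"session {s}: {n} token failure(s), error {e} "
            f"({WIN32_NAMES.get(e, 'unknown')})"
            for (s, e), n in sorted(result["failures"].items())]


if __name__ == "__main__":
    report = analyze(SAMPLE.splitlines())
    print(report)
    print("\n".join(describe(report)))
```
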
  • We had lots of issues with Windows XP sp3 computers with PEAP when we moved to our 2k8 box, the below hotfix solved our solution.

    http://support.microsoft.com/kb/969111

     

    All our windows 7 computers would authenticate correctly, but when our xp machines logged on, it would just sit on authenticating.

    Monday, May 30, 2011 3:16 AM
  • Dear all,

    I have a similar problem.

    If I choose domain computer instead of domain user in NPS policy, Windows XP SP3 client will fail to authenticate.

    Windows 7 client is no problem in either configuration. The only difference as I can see in NPS event log is "SubjectUserName". Windows 7 client will bring host\... and Windows XP is domain\user name format. Is there any way to fix it?

    Thanks and regards,

    Eric

    Monday, August 15, 2011 4:23 AM
  • I followed the link mentioned above but to be honest it does not tell me how to apply the fix. I have been looking for the corresponding dll on the internet but I don't really trust such files if they don't come from Microsoft.

    However since the link mentions which dll seems to be the cause of the problem: Rastls.dll, I checked which version I have.

    I have the version 5.1.2600.5886, then I searched in google in which update this was delivered. I found out it was delivered with KB974318.

    Next step, open "Add or remove programs" from the control panel. Ensure the check box "Show updates" is set. Look for the update with the corresponding KB number and remove it.

    Restart the computer and now I can connect again :-)

    It might not be the nicest solution but at least for me it works.

    Tuesday, December 13, 2011 5:28 PM
    There is an option in the Radius server where you can enable PEAP and at the same time enable policy for Computer or User, it will help authenticate.

    Let me know if you need any details or if the issue is resolved.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Anand Shankar

    • Proposed as answer by Anand - Tuesday, September 24, 2013 12:03 PM
    Tuesday, September 24, 2013 9:43 AM
  • I have the opposite issue as well. Windows XP clients fail to authenticate with NPS using the computer name but will authenticate with the username. Windows 7 works with both. I would love to know how to fix this!

    Thanks.

    Wednesday, November 20, 2013 7:54 PM
  • Please Start a new thread and will help you with Settings for the same

    Anand Shankar

    Wednesday, December 4, 2013 12:21 PM