NPS Realm Rewriting doesn't work

  • Question

  • In trying to find a solution to a greater problem, I'm trying to use a rewrite rule to change the User-Name attribute to include the domain name. I've tried a few ways of doing it:

    Find: ^
    Replace With: STUDENTS\

    Find: $
    Replace With: @students.our.FQDN

    Find: (.*)
    Replace With: STUDENTS\$1

    Each time, our PEAP / EAP-MSCHAP-V2 clients don't get authorized unless they specify the domain name in their username, which is exactly what I'm trying to avoid. Instead the NPS tries to authenticate BACKUP\username which doesn't work, BACKUP being the forest root which is where the server lives. I can change this behaviour using the DefaultDomainName registry key, but these rewrite rules need to be different per connection request policy, and the registry key is server-wide.

    Why doesn't this functionality work for me? Is it something daft like because the PEAP connection is TLS encrypted NPS can't access the username at the stage where rewrite rules are applied?

    Thursday, January 6, 2011 4:09 PM
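The Find / Replace With pairs from the question, simulated in Python as an added example that is not part of the original thread. NPS evaluates attribute manipulation rules with .NET regular expressions, so the .NET `$1` back-reference syntax is translated to Python's `\g<1>` form; the sample User-Name values, the `STUDENTS` prefix and the third, guarded rule (an assumption: rewrite only names that carry no realm yet) are constructed for illustration. The example shows what the unguarded `^` and `$` rules do to a name the client already qualified, which the question does not spell out; it does not settle whether NPS sees the inner EAP identity at the point the rules run.

```python
import re

# Constructed sample User-Name values: a bare account, one the client already
# prefixed with a NetBIOS domain, and one already in UPN form.
SAMPLE_USERS = ["bob", "BACKUP\\bob", "bob@students.our.FQDN"]

# Find / Replace-With pairs in the style of the NPS attribute manipulation
# dialog. The first two are the unguarded rules from the question; the third
# is a guarded variant (assumption: only rewrite names with no realm yet).
RULES = {
    "prefix_unguarded": (r"^", "STUDENTS\\"),
    "suffix_unguarded": (r"$", "@students.our.FQDN"),
    "prefix_guarded": (r"^([^\\@]+)$", r"STUDENTS\$1"),
}


def dotnet_replacement_to_python(repl: str) -> str:
    """Translate a .NET-style replacement string to Python re.sub syntax.

    Python treats backslashes in the replacement as escapes, so literal
    backslashes are doubled, and the .NET $1 back-reference becomes \\g<1>.
    """
    repl = repl.replace("\\", "\\\\")
    return re.sub(r"\$(\d+)", r"\\g<\1>", repl)


def rewrite(username: str, find: str, replace_with: str) -> str:
    """Apply one Find / Replace-With rule to a User-Name value."""
    return re.sub(find, dotnet_replacement_to_python(replace_with), username)


def apply_rule_to_samples(rule_name: str) -> dict:
    """Run one named rule over every sample and return {input: output}."""
    find, replace_with = RULES[rule_name]
    return {u: rewrite(u, find, replace_with) for u in SAMPLE_USERS}


if __name__ == "__main__":
    for name in RULES:
        print(f"== {name} ==")
        for before, after in apply_rule_to_samples(name).items():
            print(f"  {before!r:32} -> {after!r}")
```

Running it shows the unguarded rules producing `STUDENTS\BACKUP\bob` and `bob@students.our.FQDN@students.our.FQDN` for clients that already supplied a realm, while the guarded rule leaves those names alone and only qualifies the bare `bob`.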

Answers

  • Hi,

    Thanks for the update.

    OK, you could select the “Include Windows logon domain” check box on the Windows-based client, so that the “domain” field will be shown.

    Please refer to Figure 4 in the article “Connect to Your Corporate Network from Home with Windows XP” which was posted in my last reply.

    Like I mentioned, I’m afraid you have to assign this information for authentication and this is by design.

    Thanks.

    Tiger Li

    Friday, January 7, 2011 10:49 AM

All replies

  • Hi,

    Do you try to perform the remote connection by using the Windows built-in dialing program?

    If yes, you should assign the logon domain in the “domain” field for authentication:

    Figure 5

    Connect to Your Corporate Network from Home with Windows XP

    http://www.microsoft.com/windowsxp/using/networking/expert/russel_02july15.mspx

    Meanwhile, you could customize the VPN client-side application and interface by using CMAK (Connection Manager Administration Kit).

    For more information please refer to the link below:

    Connection Manager Administration Kit

    http://technet.microsoft.com/en-us/library/cc752995.aspx

    Thanks.

    Friday, January 7, 2011 9:07 AM
  • The clients are connecting via wifi access points, so not all of them are Windows-based, and those that are (Win7, Vista) don't prompt for a domain, and the point is that I don't want users to have to enter a domain!

    Also I am not in control over the clients so I can't customize them with CMAK.

    Friday, January 7, 2011 9:12 AM
  • So there is no way of adding the domain information using NPS rewrite rules, if the client does not enter it? Surely that's what the rewrite functionality is there for - the examples I've found certainly suggest this is possible!
    Friday, January 7, 2011 1:57 PM