Windows 2012 R2 - NPS in resource forest won't auteticate users in the user forest by UPN, only by DOMAIN\username RRS feed

  • Question

  • Hi there

    I have recently setup a windows 2012 R2 NPS server (for WIFI auth) in our resource forest to replace an aging 2003 RADIUS server.

    The problem I am having is users logging in with their UPNs.

    To give some background our user forest and domains look like company.local and a few child domains department.company.local etc.

    Our resource domain is companyresources.com

    As we use office 365 we had to add UPNs to our users called company.com and set them.

    The NPS cannot authenticate users when they use their user@company.com UPN.

    From logs

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

                Security ID:                              NULL SID
                Account Name:                         user1@company.com
                Account Domain:                                  -
                Fully Qualified Account Name:   -

    Followed by event ID 4402

    There is no domain controller available for domain DOMAIN.

    I believe its cannot translate the Account name into an Account domain when using the UPN we need for office 365 (user1@company.com).

    If I set a test user to a UPN of username@department.company.local it does (however we cannot do this because it will affect our office 365 users)

    Network Policy Server granted access to a user.

                Security ID:                              DOMAIN\user1
                Account Name:                         user1@sales.company.local
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1

    or if I use DOMAIN\username

    Network Policy Server granted full access to a user because the host met the defined health policy.

                Security ID:                              DOMAIN\user1
                Account Name:                         DOMAIN\user1
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1

    Is there any way I can get my UPN authentication working form the resource domain s I would prefer my users logging into WiFi with their UPNs as we have moved away from the DOMAIN\username method.


    Monday, April 27, 2015 11:38 PM

All replies

  • Also would like to mention that name suffix routing is enabled for *.company.com

    I have tested logging in with user1@company.com on a workstation in the resource domain with no issues, so this must be just effecting NPS.


    Tuesday, April 28, 2015 4:47 AM
  • Hi,

    According to your description, my understanding is that client using UPN can’t be authenticated by NPS server, event ID 4402.

    In general, when NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.

    You may try to use realm names configured in connection request policies to ensure that connection requests are routed from RADIUS clients to RADIUS servers that can authenticate and authorize the connection request.

    You may reference the link below for detailed information:
    Realm Names
    Using Pattern-Matching Syntax in NPS

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, April 29, 2015 7:13 AM
  • Hi Eve

    Thanks for your post. I have looked at realm names too but that does suit our environment as we have many domains which have the UPN of @company.com.

    I believe the issue is related to the explicit UPN.

    When a user is created the default (implicit UPN) is user@company.local or user@sales.copmpany.local , the user can authenticate with the NPS. However as we use office 365 and our domain are .local we need to set these to @company.com which means they are using an explicit UPN.

    It is this explicit UPN i believe won’t authenticate. And I want someone from Microsoft to confirm this is the case as I know other services such as ADFS for example will authenticate explicit UPNs over a forest trust so maybe this is a limitation with NPS.

    Hope that makes sense.


    Monday, May 4, 2015 11:05 PM