NPS fails to authenticate proxied requests from IAS RRS feed

  • Question

  • I am trying to get a 2008 R2 NPS server to authenticate RADIUS requests forwarded to it by a 2003 IAS RADIUS server.

    The client is a Cisco VPN concentrator. I have this concentrator set up to use either the 2003 IAS or the 2008 R2 NPS and it can successfully authenticate users against both when testing. My current issue is I have users in 2 different domains.

    Domain A uses the 2003 IAS
    Domain B uses the 2008 R2 NPS

    For a particular VPN group I am setting up, the users could be in either of the domains. I configured the concentrator to use the 2003 IAS server and set up a Remote Radius Server group to forward Domain B users' login requests to the 2008 R2 NPS server. I can see the requests are making it to the NPS server but it keeps rejecting the login with

    Reason Code: 16
    Reason: Authentication was not successful because an unknown user name or incorrect password was used.


    Under the user section of the same event, I can see the account name, account domain, and FQAN match a successful login event when I test the concentrator directly with the NPS server, so I am lost as to what the problem is. The only piece that does not match between the two event logs is Security ID. In the failed log, it's NULL SID.

    Any suggestions?

    Denny 

    Thursday, June 21, 2012 12:36 AM

Answers

  • I just figured it out. It turns out the error message was a bit misleading. The problem wasn't with the user credentials; it was with the RADIUS shared secret. Once I reapplied the secret to both IAS and NPS, the problem cleared up.

    Denny

     
    • Marked as answer by dlester Thursday, June 21, 2012 1:10 AM
    Thursday, June 21, 2012 1:10 AM
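
Added example, not part of the original thread: a sketch of why a shared-secret mismatch between proxy and server surfaces as "unknown user name or incorrect password". It assumes the VPN logins use PAP, where the User-Password attribute is hidden with MD5 over the shared secret (RFC 2865, section 5.2); the function names, secrets and password are constructed for illustration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 5.2: XOR with chained MD5(secret + prev)."""
    blocks = max(1, -(-len(password) // 16))      # pad to a multiple of 16 octets
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                              # next block chains on ciphertext
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same operation run with the secret the server has configured."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def proxy_and_check(password, proxy_secret, server_secret, stored_password):
    """Hypothetical model of the proxied hop: the forwarding proxy hides the
    password with its secret, the server recovers it with its own, then compares."""
    authenticator = os.urandom(16)                # Request Authenticator
    hidden = hide_password(password, proxy_secret, authenticator)
    seen = recover_password(hidden, server_secret, authenticator)
    # With the wrong secret nothing fails to "decrypt": the server simply
    # recovers garbage and the credential comparison fails.
    return "Access-Accept" if seen == stored_password else "Access-Reject"


if __name__ == "__main__":
    pw = b"Example-Passw0rd-longer-than-16"        # constructed sample value
    print(proxy_and_check(pw, b"secret-A", b"secret-A", pw))  # secrets match
    print(proxy_and_check(pw, b"secret-A", b"secret-B", pw))  # secrets differ
```

The account name travels in clear text in User-Name, which is consistent with the failed event showing the correct account name and domain while the password check fails.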