NPS - zero client - certificate auth - EAP: Failure

Question
Hi all,
I'm trying to set up certificate-based authentication for a terminal zero client (a DELL FX100 with Teradici firmware, if it matters), but the authentication fails.
I have:
- certificate with UPN as Subject and <samaccountname>.<domain.name> and <samaccountname> in SAN from our Enterprise Root CA (created from duplicated 'Computer' template to allow custom name)
- AD user account with assigned public part of the certificate above (using Name Mappings)
- certificate w/ PK above and CA certificate uploaded to the client and identity set to UPN of the user account above.
- SPN set to the user account ("host/<samaccountname>", and "host/<samaccountname>.<domain.name>")
I've created a CRP and an NP on the NPS server via the 'Configure 802.1X' wizard with wired settings (no conditions, but NAS-Type = Ethernet).
Well, the zero client cannot be authenticated "due to a user credentials mismatch" (reason code 16) - I'm getting Event ID 6273 / Network Policy Server in the security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/21/2013 12:28:31 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NPS.domain.tld
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: DOMAIN\DELL-FX100-01
    Account Name: DELL-FX100-01@domain.tld
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\DELL-FX100-01
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 3C-DF-1E-71-EE-81
    Calling Station Identifier: 00-22-5B-02-75-BF
NAS:
    NAS IPv4 Address: x.y.z.235
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Ethernet
    NAS Port: 50001
RADIUS Client:
    Client Friendly Name: cat3560-test
    Client IP Address: x.y.z.235
Authentication Details:
    Connection Request Policy Name: Secure Wired (Ethernet) Connections
    Network Policy Name: Secure Wired (Ethernet) Connections
    Authentication Provider: Windows
    Authentication Server: NPS.domain.tld
    Authentication Type: EAP
    EAP Type: Microsoft: Smart Card or other certificate
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
What could be wrong?
Regards,
R.*
Thursday, February 21, 2013 11:32 AM
All replies
Hi,
Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Friday, February 22, 2013 9:42 AM
Hi Aiden,
I really appreciate your help! From Teradici support I have confirmation that the settings on the zero client, the NPS server settings and the AD account are the same as in their working test lab. Maybe the problem is in the certificate, I'm actually groping around...
Regards,
R.*
Friday, February 22, 2013 2:29 PM
Hi,
Please check the following things:
1. If you have made the terminal zero client to use the certificate issued to them.
2. Check if the certificate meets the requirement in the following article:
support.microsoft.com/kb/814394
3. The NPS server also needs to use certificate. Please also check if the NPS server is using the certificate in the EAP-TLS method and if the certificate meets the requirement in the article.
Best Regards
Scott Xie
Monday, February 25, 2013 7:00 AM
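A script to run the certificate checks Scott lists (Client Authentication EKU, UPN in the SAN, chain to a trusted root, validity), added here as an example and not taken from the thread or from Microsoft. It assumes the zero client's certificate was exported to the path in $CertPath and that the issuing CA chain is installed on the machine where it runs.

```powershell
# Added example: check a zero-client certificate against the EAP-TLS client
# certificate requirements from KB 814394 before uploading it to the client.
# Assumption: $CertPath is the exported certificate; the CA chain is installed here.
param([string]$CertPath = 'C:\temp\DELL-FX100-01.cer')   # assumed path

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

function Get-Ext([string]$Oid) { $cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } }

# Enhanced Key Usage must contain Client Authentication (1.3.6.1.5.5.7.3.2)
$eku = Get-Ext '2.5.29.37'
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

# If a Key Usage extension is present it must allow Digital Signature,
# because the client signs the TLS CertificateVerify message with this key
$ku = Get-Ext '2.5.29.15'
$digSigOk = (-not $ku) -or
    ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)

# EAP-TLS takes the user identity from the SAN's Other Name (Principal Name),
# not from the Subject field; a DNS name in the SAN alone is not enough
$san = Get-Ext '2.5.29.17'
$sanText = if ($san) { $san.Format($true) } else { '' }
$sanUpn = [regex]::Matches($sanText, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$sanDns = [regex]::Matches($sanText, 'DNS Name=(\S+)')       | ForEach-Object { $_.Groups[1].Value }

# The chain must build to a root the NPS server trusts
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$now = Get-Date

[pscustomobject]@{
    Subject            = $cert.Subject
    ClientAuthEKU      = [bool]$hasClientAuth
    DigitalSignatureKU = [bool]$digSigOk
    SanUPN             = ($sanUpn -join ', ')    # empty means NPS has no UPN to map
    SanDNS             = ($sanDns -join ', ')
    ChainBuilds        = $chainOk
    ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    TimeValid          = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
}
```

Run the same script against the NPS server's own certificate, but expect the Server Authentication EKU (1.3.6.1.5.5.7.3.1) there instead of Client Authentication.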
Hi Scott,
sorry for the long response time, I've already deployed all the certificates needed (for the NPS server too), I'll check the client's certificate against the MSKB you posted.
Regards,
R.*
Wednesday, February 27, 2013 7:40 AM
Hi Scott,
I've re-generated the certificate according to the MSKB and still no success. However, I've noticed the corresponding error that appears every time the client tries to authenticate:
Log Name: System
Source: Schannel
Date: 2/28/2013 5:18:20 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: NPS.domain.loc
Description:
The following fatal alert was generated: 51. The internal error state is 1306.
As far as I can google, error 51 means "TLS1_ALERT_DECRYPT_ERROR". I've tried to enable TLS 1.0 explicitly using the Registry, however the result is still the same...
Regards,
R.*
Thursday, February 28, 2013 4:32 PM