NPS - zero client - certificate auth - EAP: Failure

  • Question

  • Hi all,

    I'm trying to set up certificate-based authentication for a terminal zero client (DELL FX100 with Teradici firmware, if it matters), but the authentication fails.

    I have:

    - certificate with UPN as Subject and <samaccountname>.<domain.name> and <samaccountname> in SAN from our Enterprise Root CA (created from duplicated 'Computer' template to allow custom name)
    - AD user account with assigned public part of the certificate above (using Name Mappings)
    - certificate w/ PK above and CA certificate uploaded to the client and identity set to UPN of the user account above.
    - SPN set to the user account ("host/<samaccountname>", and "host/<samaccountname>.<domain.name>")

    I've created CRP and NP in NPS server via 'Configure 802.1x' wizard with wired settings (no conditions, but the NAS-Type = Ethernet).

    Well, the zero client cannot be authenticated "due to a user credentials mismatch" (reason code 16) - I'm getting the 6273/Network Policy Server Event ID in the security log:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/21/2013 12:28:31 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NPS.domain.tld
    Description:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			DOMAIN\DELL-FX100-01
    	Account Name:			DELL-FX100-01@domain.tld
    	Account Domain:			DOMAIN
    	Fully Qualified Account Name:	DOMAIN\DELL-FX100-01
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		3C-DF-1E-71-EE-81
    	Calling Station Identifier:		00-22-5B-02-75-BF
    
    NAS:
    	NAS IPv4 Address:		x.y.z.235
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Ethernet
    	NAS Port:			50001
    
    RADIUS Client:
    	Client Friendly Name:		cat3560-test
    	Client IP Address:			x.y.z.235
    
    Authentication Details:
    	Connection Request Policy Name:	Secure Wired (Ethernet) Connections
    	Network Policy Name:		Secure Wired (Ethernet) Connections
    	Authentication Provider:		Windows
    	Authentication Server:		NPS.domain.tld
    	Authentication Type:		EAP
    	EAP Type:			Microsoft: Smart Card or other certificate
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			16
    	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    


    What could be wrong?

    Regards,
    R.*





    R.*

    Thursday, February 21, 2013 11:32 AM

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Aiden



    Aiden Cao
    TechNet Community Support

    Friday, February 22, 2013 9:42 AM
  • Hi Aiden,

    I really appreciate your help! From Teradici support I have confirmation that the settings on the zero client, the NPS server settings and the AD account are the same as in their working test lab. Maybe the problem is in the certificate; I'm actually groping around...

    Regards,

    R.*


    R.*

    Friday, February 22, 2013 2:29 PM
  • Hi,

    Please check the following things:

    1. Check that the terminal zero client has been made to use the certificate issued to it.

    2. Check if the certificate meets the requirement in the following article:

    support.microsoft.com/kb/814394

    3. The NPS server also needs to use a certificate. Please also check if the NPS server is using the certificate in the EAP-TLS method and if that certificate meets the requirements in the article.

    Best Regards

    Scott Xie



    • Marked as answer by Aiden_Cao Wednesday, February 27, 2013 7:37 AM
    • Unmarked as answer by R.Vojtek Thursday, February 28, 2013 4:19 PM
    Monday, February 25, 2013 7:00 AM
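The checklist above (client certificate usable by the zero client, certificate requirements from KB 814394, NPS server certificate for EAP-TLS) can be run mechanically against the certificates involved. The following PowerShell function is an added example for this thread, not code from the original posts, Microsoft or Teradici; the function name and its parameters are my own. It takes an X509Certificate2 (loaded from a .cer/.pfx file or from the local machine store on the NPS host) and reports the EAP-TLS requirements one by one: a chain to a trusted root, validity period, the required Enhanced Key Usage (Client Authentication for the supplicant certificate, Server Authentication for the NPS certificate), a non-empty Subject, the UPN or DNS name in the Subject Alternative Name, and the presence of a private key.

```powershell
# Added example, not part of the thread. Checks a certificate against the EAP-TLS
# certificate requirements summarised in KB 814394 (trusted chain, validity,
# required EKU, non-empty subject, UPN or DNS identity in the SAN, private key).
# Function name and parameters are my own; run on the NPS host or any domain member.
function Test-EapTlsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # 'Client' = certificate presented by the supplicant (the zero client),
        # 'Server' = certificate NPS presents in the EAP-TLS handshake
        [ValidateSet('Client', 'Server')]
        [string]$Role = 'Client',

        # Optional: the UPN (client) or host FQDN (server) the identity must match
        [string]$ExpectedName
    )

    # Client Authentication = 1.3.6.1.5.5.7.3.2, Server Authentication = 1.3.6.1.5.5.7.3.1
    $requiredEku = if ($Role -eq 'Client') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }

    # Collect the EKU OIDs; the EKU extension must be present and contain the required purpose
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # .NET extracts the UPN and DNS name from the Subject Alternative Name for us
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $upn      = $Certificate.GetNameInfo($nameType::UpnName, $false)
    $dnsName  = $Certificate.GetNameInfo($nameType::DnsName, $false)
    $identity = if ($Role -eq 'Client') { $upn } else { $dnsName }
    $sanLabel = if ($Role -eq 'Client') { 'UPN' } else { 'DNS name' }

    $now    = Get-Date
    $checks = [ordered]@{
        'Private key available'          = $Certificate.HasPrivateKey
        'Chain builds to a trusted root' = $Certificate.Verify()
        'Inside validity period'         = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        "EKU contains $requiredEku"      = ($ekuOids -contains $requiredEku)
        'Subject is not empty'           = -not [string]::IsNullOrWhiteSpace($Certificate.Subject)
        "SAN carries a $sanLabel"        = -not [string]::IsNullOrWhiteSpace($identity)
    }
    if ($ExpectedName) {
        $checks["Identity equals '$ExpectedName'"] = ($identity -ieq $ExpectedName)
    }

    # One row per requirement; the Identity column shows what .NET actually parsed
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name]; Identity = $identity }
    }
}

# Usage (hypothetical paths and names taken from the thread):
# $client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\DELL-FX100-01.cer'
# Test-EapTlsCertificate -Certificate $client -Role Client -ExpectedName 'DELL-FX100-01@domain.tld'
# $nps = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=NPS.domain.tld*'
# Test-EapTlsCertificate -Certificate $nps -Role Server -ExpectedName 'NPS.domain.tld'
```

For the client certificate exported without its private key, the "Private key available" row will of course fail on the NPS host; that row only matters when the check is run where the certificate is actually used. `Verify()` builds the chain with the machine's trusted roots, so run it on the NPS server to see what NPS itself would see.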
  • Hi Scott,

    sorry for the long response time; I've already deployed all the certificates needed (for the NPS server too). I'll check the client's certificate against the MSKB you posted.

    Regards,
    R.*


    R.*

    Wednesday, February 27, 2013 7:40 AM
  • Hi Scott,

    I've re-generated the certificate according to the MSKB and still no success. However, I've noticed the corresponding error that appears every time the client tries to authenticate:

    Log Name:      System
    Source:        Schannel
    Date:          2/28/2013 5:18:20 PM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      NPS.domain.loc
    Description:
    The following fatal alert was generated: 51. The internal error state is 1306.
    

    As far as I can google, error 51 means "TLS1_ALERT_DECRYPT_ERROR" - I've tried to enable TLS 1.0 explicitly using the Registry, however the result is still the same...

    Regards,
    R.*


    R.*

    Thursday, February 28, 2013 4:32 PM
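The pairing of a 6273 reason-code-16 denial with a Schannel 36888 alert on the same host is the useful diagnostic in this thread: in TLS, alert 51 (decrypt_error) means a handshake signature or Finished message failed to verify (RFC 5246), so the failure sits in the EAP-TLS handshake stage rather than only in the user-name mapping. The following PowerShell function is an added example, not from the original posts or from Microsoft, that automates that correlation on the NPS server: it pulls 6273 events with reason code 16 from the Security log, finds Schannel 36888 events logged within a few seconds, and decodes the TLS alert number. The function name is my own, and the EventData field names (SubjectUserName, CallingStationID, EAPType, ReasonCode, AlertDesc, ErrorState) are assumed from the standard event templates; confirm them with `$event.ToXml()` on your own server.

```powershell
# Added example, not part of the thread. Correlates NPS access-denied audits
# (Security 6273, reason code 16) with Schannel fatal alerts (System 36888) logged
# on the same host within a few seconds, and decodes the TLS alert number.
# Function name is my own; EventData field names are assumed from the standard
# event templates and should be confirmed with $event.ToXml() on your server.
function Get-NpsDenialWithSchannelAlert {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$WindowSeconds = 5
    )

    # TLS alert descriptions from RFC 5246 section 7.2
    $alertNames = @{
        40 = 'handshake_failure'; 42 = 'bad_certificate'; 43 = 'unsupported_certificate'
        44 = 'certificate_revoked'; 45 = 'certificate_expired'; 46 = 'certificate_unknown'
        47 = 'illegal_parameter'; 48 = 'unknown_ca'; 49 = 'access_denied'; 50 = 'decode_error'
        51 = 'decrypt_error'; 70 = 'protocol_version'; 71 = 'insufficient_security'; 80 = 'internal_error'
    }

    # Flatten an event's <EventData> into a name -> value hashtable
    function ConvertTo-EventDataTable([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $table = @{}
        $xml = [xml]$Event.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $table[[string]$d.Name] = [string]$d.'#text' }
        $table
    }

    $denials = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } -ErrorAction SilentlyContinue)
    $alerts  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $Since } -ErrorAction SilentlyContinue)

    foreach ($denial in $denials) {
        $data = ConvertTo-EventDataTable $denial
        # Only the "user credentials mismatch" denials from the thread
        if ($data['ReasonCode'] -ne '16') { continue }

        # Schannel alerts logged within +/- $WindowSeconds of the denial
        $nearby = $alerts | Where-Object {
            [math]::Abs(($_.TimeCreated - $denial.TimeCreated).TotalSeconds) -le $WindowSeconds
        }
        $decoded = foreach ($alert in $nearby) {
            $a = ConvertTo-EventDataTable $alert
            $code = [int]$a['AlertDesc']
            '{0} ({1}) state {2}' -f $code, $alertNames[$code], $a['ErrorState']
        }

        [pscustomobject]@{
            Time           = $denial.TimeCreated
            Account        = $data['SubjectUserName']
            CallingStation = $data['CallingStationID']
            EapType        = $data['EAPType']
            ReasonCode     = $data['ReasonCode']
            SchannelAlerts = ($decoded -join '; ')
        }
    }
}

# Usage on the NPS host (Security log needs an elevated prompt):
# Get-NpsDenialWithSchannelAlert -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

A denial with no Schannel alert beside it and one with a decoded alert are different problems: the first never reached a TLS failure on the server, the second did, and the alert name tells you which handshake step Schannel rejected. Keeping the time window small avoids matching an unrelated Schannel alert from another TLS client on the same box.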