NPS windows server 2012 issue

  • Question

  • Good afternoon, 

    I am having an issue with one of my NPS roles installed on Windows Server 2012, which is also acting as a secondary domain controller.

    I have imported the NPS clients and policies from the primary NPS, which is also my PDC and where everything is working fine, but on the secondary I am having issues authenticating and authorizing users. This is the last part of the relevant event log:

    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    Reason Code: 2
    Reason: There are not sufficient access rights to process the request.

    I confirm that this NPS server has been properly registered in Active Directory and included in the IAS and RAS server group; could you please advise?

    Thanks 

    Luciano


    Saturday, January 11, 2020 2:41 PM

All replies

  • Hi,

    Have you tried to fix the issue by following the link below?

    Event ID 6274 — NPS Accounting Request Message Processing

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735339(v=ws.10)?redirectedfrom=MSDN

    You can have a look at a similar thread in the forum:

    https://social.technet.microsoft.com/Forums/en-US/1fd7ea3c-972b-4508-a983-d6b56980b010/nps-2008r2-authentication-issue-reason-code-2?forum=winserverNAP

    Hope this can help you, if you have anything unclear, please let me know.

    Have a nice day!

    Ellen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Tuesday, January 14, 2020 9:39 AM
  • Hello Ellen,

    Thanks a lot first for your response.

    I tried to reconfigure the RADIUS client and the relevant network policies as suggested, without success. I am sure the policies are OK because, as I said, they have been imported from another NPS server that is working properly.

    By the way, I tried to capture the RADIUS requests on the NPS server and I noticed it is correctly receiving the access request from the authenticator (a Cisco switch in this case), but it is not replying to these requests, while it replies to accounting ones when I disconnect from the switch.

    I had a look at the docs and it seems very common that the Windows firewall blocks the outgoing request from the NPS server.

    Therefore I created specific rules or disabled the firewall, without success.

    Then I also removed port 1645 from the NPS global config, as indicated in a post I found on the internet, but still without success.

    I also confirm the service is up and running.

    Any suggestion is much appreciated.



    Thanks 



    Luciano


    Wednesday, January 15, 2020 11:27 AM
  • Hello Luciano,

    What I am about to propose is a "very long shot" (low probability of leading to a solution) for two reasons:

    1. It might not collect any useful data.
    2. It might be inappropriate to share the collected data but too difficult to analyse it yourself.

    The proposal is to make a trace using Event Tracing for Windows and then to share the resulting trace data for analysis (via a OneDrive, Google Drive, etc. link).

    Create a text file named, for example, "providers.lst" and add the following (13) lines:

    {b2cbf6dc-392a-43ae-98d2-1aa66dfcb2c3} 0xFFFFFFFF 255 # IAS NAP NPS
    {bae49237-f9d2-4eea-b660-1aa0f1f5637f} 0xFFFFFFFF 255 # IAS NAP NPS hlpr
    {997590ef-d144-4d41-b7fb-7028ae295b04} 0xFFFFFFFF 255 # IAS NAP NPS sam + nap + svcs
    {822bec9e-660f-4f9d-96b5-ead6874cb0bd} 0xFFFFFFFF 255 # IAS NAP NPS acct
    {c124ef85-9447-4a75-be21-3a97fdda3e81} 0xFFFFFFFF 255 # IAS NAP NPS polcy
    {c2300092-f475-42ae-9ea9-66c268bef2c6} 0xFFFFFFFF 255 # IAS NAP NPS sdo
    {ea500216-dc45-4f41-a1dc-e37ea5df188e} 0xFFFFFFFF 255 # IAS NAP NPS rad
    {574450b9-c7f9-4c05-a01e-b90f8f7744e3} 0xFFFFFFFF 255 # IAS NAP NPS recst + datastore
    Microsoft-Windows-EapHost
    Microsoft-Windows-EapMethods-RasChap
    Microsoft-Windows-EapMethods-RasTls
    Microsoft-Windows-EapMethods-Ttls
    Microsoft-Windows-RRAS

    On the NPS server, issue the command "logman start gary -ets -pf providers.lst -bs 64 -o gary.etl" and then reproduce the problem; finally, stop the trace with the command "logman stop gary -ets".

    Gary

    Wednesday, January 15, 2020 5:34 PM
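
Gary's trace procedure as one elevated PowerShell script, added here as an example (it is not part of Gary's post or any Microsoft tooling): it writes the provider list from the post, runs the trace around the reproduction, then lists the NPS audit events logged in the same window so the trace can be lined up with the reason code. The working folder `$env:TEMP\npstrace` and the inclusion of event 6273 alongside 6274 are assumptions not in the thread.

```powershell
# Added example wrapping the trace procedure from the post above; not Gary's own script.
# Run on the NPS server. $dir is an assumed working folder.
$dir = Join-Path $env:TEMP 'npstrace'

# -ets trace sessions and the Security log both require an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# The 13 provider lines exactly as given in the post.
@'
{b2cbf6dc-392a-43ae-98d2-1aa66dfcb2c3} 0xFFFFFFFF 255 # IAS NAP NPS
{bae49237-f9d2-4eea-b660-1aa0f1f5637f} 0xFFFFFFFF 255 # IAS NAP NPS hlpr
{997590ef-d144-4d41-b7fb-7028ae295b04} 0xFFFFFFFF 255 # IAS NAP NPS sam + nap + svcs
{822bec9e-660f-4f9d-96b5-ead6874cb0bd} 0xFFFFFFFF 255 # IAS NAP NPS acct
{c124ef85-9447-4a75-be21-3a97fdda3e81} 0xFFFFFFFF 255 # IAS NAP NPS polcy
{c2300092-f475-42ae-9ea9-66c268bef2c6} 0xFFFFFFFF 255 # IAS NAP NPS sdo
{ea500216-dc45-4f41-a1dc-e37ea5df188e} 0xFFFFFFFF 255 # IAS NAP NPS rad
{574450b9-c7f9-4c05-a01e-b90f8f7744e3} 0xFFFFFFFF 255 # IAS NAP NPS recst + datastore
Microsoft-Windows-EapHost
Microsoft-Windows-EapMethods-RasChap
Microsoft-Windows-EapMethods-RasTls
Microsoft-Windows-EapMethods-Ttls
Microsoft-Windows-RRAS
'@ | Set-Content -Path (Join-Path $dir 'providers.lst') -Encoding ASCII

$start = Get-Date
logman start gary -ets -pf "$dir\providers.lst" -bs 64 -o "$dir\gary.etl"
if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }
try {
    Read-Host 'Trace running. Reproduce the failed authentication, then press Enter' | Out-Null
}
finally {
    logman stop gary -ets   # always stop the session, even if the script is interrupted
}

# NPS audit events from the reproduction window: 6274 = request discarded,
# 6273 = access denied. Extract the reason code (assumes English message text).
$filter = @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $start }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
foreach ($e in $events | Sort-Object TimeCreated) {
    $code = if ($e.Message -match 'Reason Code:\s*(\d+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; ReasonCode = $code }
}
if ($events.Count -eq 0) { Write-Warning 'No NPS 6273/6274 events logged during the trace.' }
Get-Item "$dir\gary.etl" | Select-Object FullName, Length
```

The timestamps in the output give the points in `gary.etl` to look at; per the second caveat in the post, decide whether the trace can be shared before uploading it.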
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Ellen



    Tuesday, January 21, 2020 2:48 AM
  • Hi,

    As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful.

    If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    Best regards,

    Ellen



    Monday, February 10, 2020 11:44 AM