NPS on SBS 2008 and problem with conditions for computer groups

  • Question

  • Hello,

    I have SBS with NPS that authenticates VPN clients.

    If I set up a condition that users must be members of a specific AD user group to connect, it works OK. But when I add another condition that the device the user is dialing the VPN from must also be a member of an AD computer group, it stops working.

    In the server logs there are errors that the user doesn't have rights to connect to the network (ID 20271).

    Is there any special how-to for making two conditions work (first, the user is part of a specific AD user group; second, the computer is part of a specific AD computer group)?

    Thanks for the help

    J.Slady

    Thursday, August 29, 2013 2:59 PM

Answers

  • Hi, I was wrong in my initial statement above about configuring a user group in connection request policy. I'm going to edit the statement so it isn't hit by search engines and confuses anyone.

    Connection request policy does indeed perform authorization, but it is based on the user account, not a group. You can't add a group condition here. You can only add a group condition in network policy (and only a user group works).

    I ran some tests and also found that it isn't possible to add a computer group condition in network policy and get it to work for VPN connections.

    I created two policies, one with a condition for a user group where I added my user to that group, and a second policy with a condition for a computer group, and added the client computer to that group. The VPN connection always matches the user group policy. If I disable that policy, it refuses to match the computer group policy.

    This makes sense because if you look at the event when a VPN client makes a connection, the client computer information is NULL SID, which means it isn't sending the FQDN of the computer. Without the FQDN, it is not possible to identify the computer and therefore any computer group condition will fail.

    I will keep looking at this. If a computer group condition is critical, you could use a certificate based authentication and only issue certificates to a certain computer group.

    -Greg



    Friday, August 30, 2013 10:26 PM
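The NULL SID observation above can be checked on your own NPS server rather than taken on trust. The following PowerShell is an added example, not part of the thread or of Greg's tests: it parses the text of NPS audit events 6272 (access granted) and 6273 (access denied), which NPS writes to the Security log, and reports per attempt which identity NPS saw for the user and for the client machine. The two event messages at the bottom are constructed samples in the layout of those events (the account names, SIDs and addresses are made up); the cmdlets, log name and event IDs are real. It is written to run on the PowerShell 2.0 that ships with SBS 2008.

```powershell
# Added example (not from the thread): show the user and client-machine identity that NPS
# recorded for each authentication attempt, so a "NULL SID" client machine is visible.
# NPS logs 6272 (granted) / 6273 (denied) in the Security log. The RRAS event 20271 in the
# System log only says the user was refused; the NPS reason code is in 6273.

function ConvertFrom-NpsAuditMessage {
    # Flatten the multi-section event text into a "Section/Field" -> value hashtable.
    param([Parameter(Mandatory = $true)][string]$Message)
    $fields  = @{}
    $section = ''
    foreach ($line in ($Message -split "`r?`n")) {
        # Unindented "User:", "Client Machine:", "NAS:", ... lines open a section.
        if ($line -match '^(\S[^:]*):\s*$') { $section = $Matches[1].Trim(); continue }
        # Indented "Field:<whitespace>value" lines belong to the current section.
        if ($line -match '^\s+([^:]+):\s*(.*)$') {
            $fields["$section/$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Get-NpsIdentitySummary {
    # One row per event. MachineKnown is the precondition for any computer-group condition.
    param([Parameter(Mandatory = $true)][string[]]$Messages)
    foreach ($msg in $Messages) {
        $f   = ConvertFrom-NpsAuditMessage -Message $msg
        $sid = $f['Client Machine/Security ID']
        $known = -not ([string]::IsNullOrEmpty($sid) -or $sid -eq 'NULL SID' -or $sid -eq '-')
        New-Object PSObject -Property @{
            User         = $f['User/Fully Qualified Account Name']
            MachineSid   = $sid
            MachineFqdn  = $f['Client Machine/Fully Qualified Account Name']
            PortType     = $f['NAS/NAS Port-Type']
            Policy       = $f['Authentication Details/Network Policy Name']
            ReasonCode   = $f['Authentication Details/Reason Code']
            MachineKnown = $known
        } | Select-Object User, MachineSid, MachineFqdn, PortType, Policy, ReasonCode, MachineKnown
    }
}

function Get-NpsIdentitySummaryFromLog {
    # Read the most recent NPS audit events from the local Security log (elevated prompt needed).
    param([int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents
    Get-NpsIdentitySummary -Messages ($events | ForEach-Object { $_.Message })
}

# Constructed sample (not a real record): 6273 for a VPN attempt. Client Machine is NULL SID.
$sampleVpnDenied = @'
Network Policy Server denied access to a user.

User:
    Security ID:            S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:           jslady
    Fully Qualified Account Name:   contoso.local/Users/jslady

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Calling Station Identifier:     203.0.113.50

NAS:
    NAS IPv4 Address:       192.0.2.10
    NAS Port-Type:          Virtual

Authentication Details:
    Network Policy Name:    -
    Authentication Type:    MS-CHAPv2
    Reason Code:            48
    Reason:                 The connection request did not match any configured network policy.
'@

# Constructed sample (not a real record): 6272 for a wired 802.1X attempt where the client
# machine identity was supplied, so the Client Machine section is populated.
$sampleWiredGranted = @'
Network Policy Server granted access to a user.

User:
    Fully Qualified Account Name:   contoso.local/Computers/WS01

Client Machine:
    Security ID:            S-1-5-21-1111111111-2222222222-3333333333-1203
    Account Name:           WS01$
    Fully Qualified Account Name:   contoso.local/Computers/WS01

NAS:
    NAS Port-Type:          Ethernet

Authentication Details:
    Network Policy Name:    Wired-Computers
    Reason Code:            0
'@

Get-NpsIdentitySummary -Messages $sampleVpnDenied, $sampleWiredGranted | Format-Table -AutoSize
# On the NPS server itself:  Get-NpsIdentitySummaryFromLog | Format-Table -AutoSize
```

Run on the SBS box, `Get-NpsIdentitySummaryFromLog` lists recent attempts; every VPN row (`PortType` Virtual) with `MachineKnown` False is an attempt no computer-group condition could ever have matched, which is the situation the thread describes.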

All replies

  • Hi,

    It's better to use both user authentication and computer authentication for security considerations.

    In this case, I recommend that you use password-based authentication.

    Password-Based Authentication Method

    http://technet.microsoft.com/en-us/library/cc732393(v=WS.10).aspx

    Friday, August 30, 2013 1:54 PM
  • Hi,

    Authentication never sends two credentials (user and computer). It will always only send one set, so you cannot combine conditions for both user and computer groups in one policy. 

    It's been a while since I've tested VPN conditions but I'll try to configure this in a lab setup and verify that it works as expected. Let me know if this helps.

    -Greg


    Friday, August 30, 2013 4:38 PM
  • Thank you Greg for your help! Certs were my second option, but I didn't want to start with them before I checked that group conditions really don't work as I expected.

    J.Slady

    Tuesday, September 3, 2013 7:46 AM
  • Computer groups are possible for some authentication attempts, like 802.1X and NAP with DHCP enforcement, because the FQDN is sent in the authentication request. I wasn't sure about VPN, but apparently it is not sent. I know it's confusing that the condition is available, but this is for other types of authentication.

    Tuesday, September 3, 2013 8:28 AM