NPS authentication problem

  • Question

  • Hello,

    We are in the middle of migrating computers from XP to 7.
    We have XP laptops that can connect to wifi via the NPS.
    We have 2 rules: 1 computer-based rule (no NAP configured) and a user-based rule.

    When we install a computer from scratch with Windows 7, the computer can connect without problem.

    But some XP laptops are taken from users and are remastered with Windows 7. At the end of the process the user cannot connect to the wifi ...
    With these laptops we are getting event ID 6273 with code 16

    thanks

    Friday, May 23, 2014 12:57 PM

All replies

  • Good day. Have you reviewed the TechNet article below?

    http://technet.microsoft.com/en-us/library/cc735399(v=ws.10).aspx

    Friday, May 23, 2014 1:14 PM
  • Not this one, but everything is working great except for the computers we migrated from XP to 7 ...

    The RADIUS is working fine

    Friday, May 23, 2014 1:31 PM
  • Based on the event, the user is being denied. The article I posted also lists troubleshooting steps; have you tried those troubleshooting steps? Have you ensured the Windows 7 device can use EAP (EAP service is started)? Have you gone into Task Scheduler/Microsoft/Windows/CertificateServices and ensured UserTask is status Ready and last result is 0x0? What does the Security log give you in errors? System log / Netlogon errors?
    Friday, May 23, 2014 1:44 PM
  • The service is enabled, and the task last result is 0x0

    and yes, the steps are already checked. Certificates are good too

    The thing is that we cannot provide any credentials since it's the computer trying to authenticate.

    If the computer manages to authenticate, then the user credentials are checked. With these computers we are stuck at the computer authentication

    Friday, May 23, 2014 2:08 PM
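Triage of the event 6273 denials discussed in this thread, as an added example that is not part of the original posts: it parses the text of Security-log 6273 messages, separates machine identities (PEAP-MS-CHAP v2 computer authentication presents `host/<fqdn>`, with a `DOMAIN\NAME$` fully qualified account name) from user identities, and groups the denials by reason code, so you can see at a glance whether the failures stop at the computer rule or at the user rule. The sample messages are constructed (the section and field names follow the real 6273 layout, the accounts and addresses are invented), and the reason-code table is a partial list.

```python
"""Group NPS event 6273 (Network Policy Server denied access) by identity kind
and reason code.  Sample messages below are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass

# Partial table of NPS reason codes; 16 is the code from the thread.
REASON_CODES = {
    16: "User credentials mismatch (unknown account or wrong password)",
    48: "Connection request did not match any configured network policy",
    65: "Network Access Permission on the AD account is set to Deny access",
    66: "Authentication method not enabled on the matching network policy",
}

# A section header is an unindented "Name:" line; fields are indented "Key: value".
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):\s*$")
FIELD_RE = re.compile(r"^[ \t]+(?P<key>[^:\n]+):[ \t]*(?P<val>.*)$")


def parse_sections(text):
    """Split a 6273 message into {section: {field: value}} (keys repeat across sections)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("val").strip()
    return sections


@dataclass(frozen=True)
class Denial:
    account: str      # User / Account Name as sent by the supplicant
    fqan: str         # Fully Qualified Account Name (DOMAIN\name, or "-" if unresolved)
    policy: str       # Network Policy Name that matched, or "-"
    auth_type: str
    eap_type: str
    reason_code: int
    is_machine: bool  # computer (host/...) identity vs user identity


def parse_6273(text):
    s = parse_sections(text)
    user, auth = s.get("User", {}), s.get("Authentication Details", {})
    account = user.get("Account Name", "-")
    fqan = user.get("Fully Qualified Account Name", "-")
    is_machine = account.lower().startswith("host/") or fqan.endswith("$")
    return Denial(account, fqan, auth.get("Network Policy Name", "-"),
                  auth.get("Authentication Type", "-"), auth.get("EAP Type", "-"),
                  int(auth.get("Reason Code", "0")), is_machine)


def triage(messages):
    """Return {("machine"|"user", reason_code): {count, reason, accounts}}."""
    denials = [parse_6273(m) for m in messages]
    counts = Counter((d.is_machine, d.reason_code) for d in denials)
    report = {}
    for (is_machine, code), n in sorted(counts.items()):
        accounts = sorted({d.account for d in denials
                           if d.is_machine == is_machine and d.reason_code == code})
        report[("machine" if is_machine else "user", code)] = {
            "count": n,
            "reason": REASON_CODES.get(code, "see NPS documentation"),
            "accounts": accounts,
        }
    return report


def make_event(sid, account, fqan, policy, code, reason):
    """Constructed 6273 message body in the Security-log layout (invented values)."""
    return f"""Network Policy Server denied access to a user.

User:
    Security ID:            {sid}
    Account Name:           {account}
    Account Domain:         CONTOSO
    Fully Qualified Account Name:   {fqan}

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Called Station Identifier:      00-11-22-33-44-55:CorpWiFi
    Calling Station Identifier:     AA-BB-CC-DD-EE-01

Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name:    {policy}
    Authentication Type:    PEAP
    EAP Type:               Microsoft: Secured password (EAP-MSCHAP v2)
    Reason Code:            {code}
    Reason:                 {reason}
"""


SAMPLE_EVENTS = [
    make_event("NULL SID", "host/LAPTOP01.contoso.com", "-", "-", 16,
               "Authentication failed due to a user credentials mismatch."),
    make_event("NULL SID", "host/LAPTOP02.contoso.com", "-", "-", 16,
               "Authentication failed due to a user credentials mismatch."),
    make_event("CONTOSO\\jdoe", "CONTOSO\\jdoe", "CONTOSO\\jdoe", "User Wireless", 65,
               "The Network Access Permission setting is set to Deny access."),
]

if __name__ == "__main__":
    for (kind, code), info in triage(SAMPLE_EVENTS).items():
        print(f"{kind:8} reason {code:3} x{info['count']}: {info['reason']}")
        for acct in info["accounts"]:
            print(f"          {acct}")
```

Run against real data, feed the `Message` text of each 6273 entry exported from the Security log; a cluster of `host/...` accounts with reason 16 and no user-account denials is the "stuck at the computer authentication" pattern described in this thread, and the account list is what to compare against the computer accounts in AD.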
  • Is the computer able to log in to the domain (bypass the NPS for now) and get domain policy? Are the required ports open? Link below.

    http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
    Friday, May 23, 2014 2:13 PM
  • Yes, it can

    Just did a gpupdate /force, and everything is working fine.

    We are able to log in with no problems.

    Friday, May 23, 2014 2:15 PM
  • Is the computer certificate installed on the NPS server?
    Friday, May 23, 2014 2:17 PM
  • Uh, what do you mean?

    We are using a trusted certificate on the NPS, so we don't do any manipulation with certificates.

    (the NPS is installed on one of our DCs)

    Friday, May 23, 2014 2:20 PM
  • Regardless of which authentication method used for wireless connections, computer certificates must be installed on the NPS servers. For PEAP-MS-CHAP v2, there is no need to deploy a certificate infrastructure to issue computer and user certificates for each wireless client computer. Instead, you can obtain individual certificates for each NPS server from a commercial CA and install them on the NPS servers. For computer authentication with EAP-TLS or PEAP-TLS, a computer certificate, also known as a machine certificate, must be installed on each wireless client computer. For user authentication with EAP-TLS or PEAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

    I assume you are using EAP and not CHAP, which is why I asked

    Friday, May 23, 2014 2:24 PM
  • Well, you guessed wrong ;)

    We are using PEAP-MS-CHAP v2
    xD

    Friday, May 23, 2014 2:31 PM
  • Below is a networking blog regarding NPS and 802.1x setup. It is from build to production but it may offer some insight for things to check.

    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

    Also have you used any of the connection request policy commands in your troubleshooting?

    Example: "Show crpconditionattributes"

    Friday, May 23, 2014 2:34 PM
  • Is the Windows 7 PC configured either locally or by GPO to "Validate server certificate"? The blog below is the reasoning for my question.

    http://blogs.catapultsystems.com/IT/archive/2013/12/13/mystery-solved-windows-7-and-windows-8-treat-%E2%80%9Cvalidate-server-certificate%E2%80%9D-differently-in-802-1x.aspx
    Friday, May 23, 2014 2:40 PM
  • Subject name is not empty ... :( thanks for the idea
    Friday, May 23, 2014 2:47 PM
  • So does that mean you found a cause to the issue?

    Friday, May 23, 2014 2:50 PM
  • Nope
    Friday, May 23, 2014 2:59 PM
  • So the workstation does have "Validate server certificate" enabled? either locally or by GPO?
    Friday, May 23, 2014 3:01 PM
  • We thought there could be duplicate SPNs since the machine was reinstalled from XP to 7. We checked and there were no duplicate SPNs.

    (in the process, the support team is supposed to take the laptop off the domain, and then install Windows 7 with MDT)

    By the way, sorry for my English ...

    Friday, May 23, 2014 3:03 PM
  • Is the SSL cert on your server missing the subject name? I assume you have auto-enrollment set up for certificates. Are your templates correct for Windows 7 devices? Use the link below to verify. Is IPsec involved in this? Windows Firewall properly configured (if used)? NIC settings, dial-in settings on the AD object, etc. properly configured?

    http://technet.microsoft.com/en-us/library/cc754198.aspx

    Friday, May 23, 2014 3:09 PM
  • If you have a Windows 7 machine already working properly, have you compared the 2 to see if there are differences?
    Friday, May 23, 2014 3:11 PM
  • Is the SSL cert on your server missing the subject name -> no

    I assume you have auto-enrollment set up for certificates. Are your templates correct for Windows 7 devices -> we don't have a CA inside our organisation. We are using a certificate generated by an external trusted authority

    Firewall is off

    Dial-in settings are for users, and the problem is before the user authenticates on the NPS.

    Reminder: 2 rules on the NPS:

    1 - one authentication based on the computer + the computer must be inside a specific group (that's OK)

    2 - one authentication based on the user + user must be inside a specific group

    It's bugging on the first rule

    Friday, May 23, 2014 3:18 PM
  • Have you tried exporting the computer certificate and importing it on the NPS server?
    Friday, May 23, 2014 3:26 PM
  • No, why should I do that?
    Friday, May 23, 2014 3:30 PM
  • The computer is not able to be authenticated to the NPS server, correct? Remember, a client computer certificate is issued to client computers by a CA and used when the client computer needs to prove its identity to a server running NPS during the authentication process.
    Friday, May 23, 2014 4:19 PM
  • Are there other Windows 7 workstations not having this issue?
    Friday, May 23, 2014 4:21 PM
  • Below is more information that may help.

    Could this be the issue? (link below)

    http://support.microsoft.com/kb/2494172

    Following are the best practices for client computer configuration: Automatically configure all of your domain member 802.1X client computers by using Group Policy. Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.

    Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication:

    http://technet.microsoft.com/en-us/library/dd759176.aspx

    Friday, May 23, 2014 5:04 PM
  • Are you still having this issue?

    Wednesday, May 28, 2014 2:21 PM