rras, nps and eap-tls

  • Question

  • Good day!

    We're trying to deploy a VPN schema using RRAS (2008 R2 SP1, L2TP), NPS and certificates as the user authentication method.

    The RRAS server's short name is RRAS. It is in a domain (AD, domain.local).

    But we must use the local (on RRAS) SAM database (not domain users) as the user database.

    We've changed the DefaultDomain registry key to "RRAS" as shown in the TechNet article (https://technet.microsoft.com/en-us/library/dd197452(v=ws.10).aspx)

    In NPS we've set up connection and network rules (nothing special, defaults, only smartcard as the EAP auth method)

    In the local SAM there is a test user "user1"

    In the test certificate, in the UPN, we wrote "user1"

    But we get the following error: Authentication failed due to a user credentials mismatch

    In the Windows security log we can see:

    User:
    Security ID: RRAS\user1
    Account Name: user1
    Account Domain: RRAS
    Fully Qualified Account Name: RRAS\user1

    It looks correct, doesn't it?

    We also tried UPN=rras\user1, with the same result

    When we use AD as the user DB and UPN=user1@domain.local, it works correctly

    What are we doing wrong?

    Can we use non-domain usernames as the UPN in certificates?

    How do we map a non-domain user in a certificate?

    Thanks!


    • Edited by alivver12 Tuesday, January 27, 2015 11:40 AM
    Tuesday, January 27, 2015 11:38 AM

All replies

  • Hi,

    If the NPS server is not joined to a domain, NPS uses the SAM database by default.

    If the NPS server is a member server in an Active Directory domain, it is configured by default to use the Active Directory user accounts database. If you want to use the SAM database, the related registry key (DefaultDomain) should be edited. For detailed information, see the link below:
    Configure NPS to Use the Security Accounts Manager Database
    https://technet.microsoft.com/en-us/library/cc771364(v=WS.10).aspx

    If the registry key above is configured and the problem still exists, could you please provide more information about the VPN architecture, such as the devices and the related service roles installed.

    Best Regards,
    Eve Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, January 28, 2015 7:30 AM
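As an added diagnostic example (not code from the thread, and not Microsoft's own tooling), the script below checks the three points the reply and the question turn on: that the DefaultDomain value is present, that it names the local server (the poster set it to "RRAS"), and that the UPN found in a client certificate's Subject Alternative Name resolves to an account in the local SAM. The registry path is deliberately a placeholder, since the thread links to the TechNet article rather than quoting the path; `C:\temp\user1.cer` and the `user1` test account are assumed values from the question.

```powershell
# Added example, not part of the original thread.
# Assumptions: the client certificate's public part is exported to $CertPath,
# and $DefaultDomainKey is replaced with the key path from the TechNet article
# the thread links to (PLACEHOLDER below, not a real path).
param(
    [string]$CertPath         = 'C:\temp\user1.cer',
    [string]$DefaultDomainKey = 'HKLM:\<PATH-FROM-TECHNET-ARTICLE-cc771364>'
)

function Get-NpsDefaultDomain {
    # Returns the DefaultDomain string, or $null when the value/key is absent
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name DefaultDomain -ErrorAction SilentlyContinue
    if ($item) { return [string]$item.DefaultDomain }
    return $null
}

function Get-CertificateUpn {
    # Reads the "Principal Name" (UPN) entry from the SAN extension (OID 2.5.29.17)
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format($true) yields one entry per line, e.g. "Principal Name=user1"
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\r\n]+)') { return $Matches[1].Trim() }
    return $null
}

function Split-UserName {
    # Normalises "user1", "rras\user1" and "user1@domain.local" into domain + user
    param([string]$Name)
    if ($Name -match '^([^\\]+)\\(.+)$') { return @{ Domain = $Matches[1]; User = $Matches[2] } }
    if ($Name -match '^([^@]+)@(.+)$')   { return @{ Domain = $Matches[2]; User = $Matches[1] } }
    return @{ Domain = $null; User = $Name }
}

function Test-LocalSamUser {
    # WinNT provider works on 2008 R2, where Get-LocalUser is not available
    param([string]$User)
    return [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$User,user")
}

# --- run the checks and print findings -------------------------------------
$defaultDomain = Get-NpsDefaultDomain -KeyPath $DefaultDomainKey
if (-not $defaultDomain) {
    Write-Output "DefaultDomain: NOT SET (NPS on a domain member will use AD)"
} elseif ($defaultDomain -ieq $env:COMPUTERNAME) {
    Write-Output "DefaultDomain: '$defaultDomain' matches local server name"
} else {
    Write-Output "DefaultDomain: '$defaultDomain' does not match '$env:COMPUTERNAME'"
}

$upn = Get-CertificateUpn -Path $CertPath
if (-not $upn) {
    Write-Output "Certificate: no Principal Name in SAN; EAP-TLS needs a UPN to map"
} else {
    $parts = Split-UserName -Name $upn
    Write-Output "Certificate UPN: '$upn' -> domain='$($parts.Domain)' user='$($parts.User)'"
    if ($parts.Domain -and $parts.Domain -ine $env:COMPUTERNAME) {
        Write-Output "  Domain part does not name this server; local SAM lookup will not match"
    }
    if (Test-LocalSamUser -User $parts.User) {
        Write-Output "  Local SAM account '$($parts.User)' exists"
    } else {
        Write-Output "  Local SAM account '$($parts.User)' NOT found"
    }
}
```

Run it elevated on the RRAS/NPS server; it only reads the registry, the exported certificate and the local account list, so it is safe to run on a production box. If all three checks pass and NPS still logs "user credentials mismatch", the remaining question is the one the poster asks: whether NPS will map a certificate UPN to a SAM account at all, which this script cannot answer.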
  • Eve,

    Yes, the registry key DefaultDomain is configured to RRAS (the name of the VPN server)

    The detailed information was in the first message

    The VPN architecture consists of one server (with the RRAS and NPS roles installed)

    On NPS we chose the EAP authentication method with smartcard or other certificate type only

    Clients connect to RRAS using machine and user certificates

    The IKE phase is completed successfully

    But in the user authentication phase the described error is generated

    I repeat main questions:

    1. Can we use non-domain usernames as UPN in certificates?

    2. How to map non-domain user in certificate?

    Thanks!

    Thursday, January 29, 2015 2:18 PM