NPS 2016 not accepting UPN format for authentication

  • Question

  • Hello,

    I have recently set up an NPS 2016 server for RADIUS authentication with our Check Point VPN server (RADIUS Client).

    I am not using an NPS Proxy server. The NetBIOS domain name is different from the UPN suffix.

    Users usually dial the VPN using the following formats:

    1. Username

    2. Domain\Username

    3. FirstName.Lastname@UPNSUFFIX.com

    The first scenario (USERNAME) worked out of the box with no additional configuration.

    The second scenario (Domain\Username) required some attribute manipulation, namely on the Username attribute, replacing (.*)\\(.*) with $2.

    The issue I have is with the third scenario. UPN authentication is just not working, which is required because I am integrating with O365 MFA.

    Following instructions in another thread I added "^\w+\.\w+@upnsuffix\.com$" on the "User Name" dialog box in the policy conditions; however, it's still not working.

    From my understanding UPN authentication should be accepted by default.

    Any ideas on how to get the RADIUS Server to accept the UPN user name?

    Tuesday, August 6, 2019 12:44 PM
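To see what the two regular expressions in this post actually do to each of the three name formats, here is an added Python model of the NPS "User Name" attribute-manipulation rule and policy condition. It is example code written for this thread, not anything from NPS or the poster; it assumes that Python's `re` behaves like the .NET regex engine for these simple patterns (it does, apart from the `$2` versus `\2` backreference syntax, which the helper translates), and it uses the `xyz.com` suffix from the logs later in the thread in place of the `upnsuffix.com` placeholder. The suffix is a parameter, so the condition builder generalises the post's single regex to any UPN suffix.

```python
import re

# NPS User-Name attribute-manipulation rule from the post (.NET regex syntax):
# find "(.*)\\(.*)" and replace with "$2", which strips a leading "DOMAIN\".
DOMAIN_STRIP_FIND = r"(.*)\\(.*)"
DOMAIN_STRIP_REPLACE = "$2"


def dotnet_to_python_replacement(repl):
    """Translate .NET "$n" group references in a replacement string to Python's "\\n"."""
    return re.sub(r"\$(\d+)", r"\\\1", repl)


def apply_rule(user_name, find=DOMAIN_STRIP_FIND, replace=DOMAIN_STRIP_REPLACE):
    """Apply one find/replace rule to a User-Name value, as NPS attribute manipulation does."""
    return re.sub(find, dotnet_to_python_replacement(replace), user_name)


def upn_condition(suffix):
    """Build the "User Name" condition regex from the post, generalised to any UPN suffix.

    The post's pattern is ^\\w+\\.\\w+@upnsuffix\\.com$; only the suffix is swapped in here.
    """
    return r"^\w+\.\w+@" + re.escape(suffix) + r"$"


def evaluate(user_name, suffix):
    """Return what the strip rule produces for a name and whether the UPN condition matches it."""
    manipulated = apply_rule(user_name)
    return {
        "input": user_name,
        "after_rule": manipulated,
        "matches_upn_condition": re.fullmatch(upn_condition(suffix), manipulated) is not None,
    }


# Constructed sample names covering the three formats in the post plus one
# realistic UPN that the post's \w+\.\w+ condition cannot match (hyphen, apostrophe).
SAMPLES = [
    "MSaeed",                    # plain sAMAccountName
    "CORP\\MSaeed",              # NetBIOS domain\user
    "mohamed.saeed@xyz.com",     # UPN, suffix differs from the AD DNS name
    "mary-anne.o'neil@xyz.com",  # UPN with characters outside \w
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(evaluate(name, "xyz.com"))
```

Running it shows the point of the thread's first two scenarios and the gap in the third: the strip rule turns `CORP\MSaeed` into `MSaeed` and leaves the other formats untouched, so a UPN reaches Windows authentication exactly as typed; and the `\w+\.\w+` condition only matches UPNs made of word characters, so before relying on it, test the condition against the real names in the directory rather than one sample.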

All replies

  • Hi,

    Yes, the radius supports UPN.

    I have tested the regular expression and it is correct.

    "I added "^\w+\.\w+@upnsuffix\.com$" on the "User Name" dialog box in the policy conditions"

    The condition "User Name" only can be configured in connection request policy not in network policy.

    "I am not using an NPS Proxy server."

    Considering you don't use proxy, the connection request policy is useless.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Wednesday, August 7, 2019 3:00 AM
    Moderator
  • Hello,

    "Considering you don't use proxy, the connection request policy is useless." I am not sure I understand this part.

    I have already modified the default policy to accept the Domain\Username format by modifying the Username attribute, replacing (.*)\\(.*) with $2, and that worked without having a Proxy server.

    I added "^\w+\.\w+@upnsuffix\.com$" on the "User Name" dialog box in the policy conditions but it's still not accepting the UPN format.

    Are you saying I need an NPS Proxy server?

    Thursday, August 8, 2019 8:11 AM
  • Hello,

    After enabling auditing I found the following in the logs when using UPN to log in:

    User:
    Security ID: NULL SID
    Account Name: firstname.lastname@upnsuffix.com
    Account Domain: Domain
    Fully Qualified Account Name: Domain\Username

    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect

    However, when I log in successfully using the Domain\Username format I receive the following:

    User:
    Security ID: Domain\Username
    Account Name: Username
    Account Domain: Domain
    Fully Qualified Account Name: OU/OU/FirstName LastNAme

    Thursday, August 8, 2019 8:29 AM
  • Hi,

    Are you sure the UPN is correct?

    Please check the UPN of the account in ADUC.

    From the logs, I see that there is no "." between FirstName and LastNAme.

    Best regards,

    Travis

    Thursday, August 8, 2019 8:43 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis

    Monday, August 19, 2019 5:56 AM
    Moderator
  • Hello Travis,

    Unfortunately the issue still persists. The UPN is correct.

    Below is the log for the failed request without any regular expressions; the fully qualified account name is correct:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/8/2019 12:22:40 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      nps01.corp.xyz.com
    Description:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:                  NULL SID
        Account Name:                 mohamed.saeed@xyz.com
        Account Domain:               CORP
        Fully Qualified Account Name: CORP\MSaeed

    Client Machine:
        Security ID:                  NULL SID
        Account Name:                 -
        Fully Qualified Account Name: -
        Called Station Identifier:    -
        Calling Station Identifier:   -

    NAS:
        NAS IPv4 Address: 192.168.0.3
        NAS IPv6 Address: -
        NAS Identifier:   -
        NAS Port-Type:    -
        NAS Port:         -

    RADIUS Client:
        Client Friendly Name: Checkpoint VPN server
        Client IP Address:    192.168.0.3

    Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name:            -
        Authentication Provider:        Windows
        Authentication Server:          NPS01.corp.xyz.com
        Authentication Type:            MS-CHAPv2
        EAP Type:                       -
        Account Session Identifier:     -
        Logging Results:                Accounting information was written to the local log file.
        Reason Code:                    16
        Reason:                         Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Monday, August 19, 2019 7:35 AM
  • Below is the successful connection log for the same policy when logging in using Corp\MSaeed:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/8/2019 12:20:51 PM
    Event ID:      6272
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      NPS01.corp.xyz.com
    Description:
    Network Policy Server granted access to a user.

    User:
        Security ID:                  CORP\MSaeed
        Account Name:                 MSaeed
        Account Domain:               CORP
        Fully Qualified Account Name: corp.xyz.com/XYZ/Enterprise IT/Mohamed Saeed

    Client Machine:
        Security ID:                  NULL SID
        Account Name:                 -
        Fully Qualified Account Name: -
        Called Station Identifier:    -
        Calling Station Identifier:   -

    NAS:
        NAS IPv4 Address: 192.168.0.3
        NAS IPv6 Address: -
        NAS Identifier:   -
        NAS Port-Type:    -
        NAS Port:         -

    RADIUS Client:
        Client Friendly Name: Checkpoint VPN server
        Client IP Address:    192.168.0.3

    Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name:            CheckPoint VPN
        Authentication Provider:        Windows
        Authentication Server:          NPS01.corp.xyz.com
        Authentication Type:            MS-CHAPv2
        EAP Type:                       -
        Account Session Identifier:     -
        Logging Results:                Accounting information was written to the local log file.

    I have noticed that the Fully Qualified Account Name has the OU/CN structure as well.

    Monday, August 19, 2019 7:40 AM
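The two events above carry the detail that matters for triage: in the denied 6273 event NPS has already resolved the UPN to CORP\MSaeed, so reason code 16 is a credential-verification failure for a known account, not an unknown user, while the same account succeeds in the 6272 event when the name arrives in Domain\User form. The following added Python script (example code for this thread, not an NPS or Microsoft tool) parses the text of such events into their sections, summarises each one, and counts reason-code-16 denials per User-Name format so that a cluster of failures on one format stands out. The two embedded events are constructed copies of the ones in this thread, trimmed to the fields the script reads; the field names are the ones visible in the events.

```python
from collections import Counter

# Constructed sample events, trimmed from the 6273/6272 events in this thread.
DENIED_UPN = """\
Log Name:      Security
Date:          8/8/2019 12:22:40 PM
Event ID:      6273
Keywords:      Audit Failure
Computer:      nps01.corp.xyz.com
Description:
Network Policy Server denied access to a user.
User:
    Security ID: NULL SID
    Account Name: mohamed.saeed@xyz.com
    Account Domain: CORP
    Fully Qualified Account Name: CORP\\MSaeed
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Type: MS-CHAPv2
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch.
"""

GRANTED_DOMAIN = """\
Log Name:      Security
Date:          8/8/2019 12:20:51 PM
Event ID:      6272
Keywords:      Audit Success
Computer:      NPS01.corp.xyz.com
Description:
Network Policy Server granted access to a user.
User:
    Security ID: CORP\\MSaeed
    Account Name: MSaeed
    Account Domain: CORP
    Fully Qualified Account Name: corp.xyz.com/XYZ/Enterprise IT/Mohamed Saeed
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: CheckPoint VPN
    Authentication Type: MS-CHAPv2
"""


def parse_nps_event(text):
    """Parse one NPS 6272/6273 event body into {section: {field: value}}.

    Lines ending in ":" open a section; "key: value" lines fill the current section;
    free text (the Description sentence) is skipped. Header fields go under "Header".
    """
    event = {"Header": {}}
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            section = line[:-1]
            event.setdefault(section, {})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        event.setdefault(section, {})[key.strip()] = value.strip()
    return event


def name_format(account_name):
    """Classify the User-Name as NPS logged it after any attribute manipulation."""
    if "\\" in account_name:
        return "domain\\user"
    if "@" in account_name:
        return "upn"
    return "samaccountname"


def summarise(event):
    """Pull the fields needed to compare failed and successful attempts."""
    header = event["Header"]
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    account = user.get("Account Name", "")
    return {
        "event_id": int(header["Event ID"]),
        "outcome": "denied" if header["Event ID"] == "6273" else "granted",
        "account_name": account,
        "name_format": name_format(account),
        "resolved_account": user.get("Fully Qualified Account Name", ""),
        "reason_code": int(auth["Reason Code"]) if "Reason Code" in auth else None,
        "auth_type": auth.get("Authentication Type", ""),
    }


def failures_by_name_format(event_texts):
    """Count reason-code-16 denials per name format across a batch of events."""
    counts = Counter()
    for text in event_texts:
        s = summarise(parse_nps_event(text))
        if s["outcome"] == "denied" and s["reason_code"] == 16:
            counts[s["name_format"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for text in (DENIED_UPN, GRANTED_DOMAIN):
        print(summarise(parse_nps_event(text)))
    print(failures_by_name_format([DENIED_UPN, GRANTED_DOMAIN]))
```

On this thread's two events the summary shows a resolved account with reason code 16 for the UPN form and a grant for the plain sAMAccountName that the Domain\User strip rule produced, which is the evidence the poster uses to rule out a wrong password. Fed a day's worth of exported 6273 events, the per-format counter separates a configuration problem affecting every UPN logon from scattered bad-password failures.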
  • Hi,

    I noticed that mohamed.saeed@xyz.com is in the xyz.com domain and corp.xyz.com/XYZ/Enterprise IT/Mohamed Saeed is in the corp.xyz.com domain.

    Is there a subdomain? You can check the UPN in ADUC.

    Best regards,

    Travis

    Monday, August 19, 2019 8:48 AM
    Moderator
  • Hello,

    Yes, the UPN suffix (xyz.com) is different from the domain suffix (corp.xyz.com).

    Is there additional configuration on NPS to get this to work?

    Wednesday, September 4, 2019 3:02 PM