none
EventID:6273 Audit Failure On Computer Account RRS feed

  • Question

  • I have recently installed a Radius Server with NPS in a DC in order to provide Radius Authentication for my corporate wireless. It works fine so far, but sometimes I get an event 6273 like "Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.". The point is, these events are always related to a computer account like domain\pc-name$ and always followed by a 6272 Success for the doomain user account of the same computer. What is wrong with this computer? First of all, why shall the coputer try to authenticate to the network, it is about the users.

    My NPS settings are configured anyway to ignore user account dial-in properties. And however, both user and computer account have dial-in properties set to controll access through NPS policy.

    Can anyone explain this 6273 failures?

    kind regards,

    Dieter

    Tuesday, May 14, 2019 9:37 AM

Answers

All replies

  • Hi,

    This error might be caused by one of the following conditions:

    • The user does not have valid credentials
    • The connection method is not allowed by network policy
    • The network access server is under attack
    • NPS does not have access to the user account database on the domain controller
    • NPS log files or the SQL Server database are not available 

    Please refer to the link for the resolution:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v=ws.10) 

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 15, 2019 1:50 AM
    Moderator
  • As these failures naming a computer account, are always followed by a success of the correct  corresponding user, I assume that the windows pc itself also tries to authenticte, or something?

    From the list above the only topic might be "The connection method is not allowed by network policy" - because it are computer accounts and I am only dealing with user groups, e.g. users.

    Any idea why computer accounts get in?

    Thursday, May 16, 2019 7:21 AM
  • Hi,

    Was there a computer account record in NPS logs? Or a audit record in event viewer?

    How did you configure the conditions in NPS policy? You should use AD user group.

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, May 17, 2019 8:11 AM
    Moderator
  • it is an audit failure record in Event Log, see below:

    And I have configured NPS for AD User Group, I wonder why computer accounts also attempt to loginto the network. As I said, it is always followed by a suscessfull user account login for the right user of that computer.

    Friday, May 17, 2019 8:46 AM
  • Hi,

    How did you configure the authentication mode on the computer? Both user and computer authentication?

    Specifying-the-authentication-mode-for-802.1X-authentication-in-Windows-10 Configure Windows 10 for 802.1X User Authentication

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, May 17, 2019 9:48 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 21, 2019 6:20 AM
    Moderator
  • Ok, you brought me on the right track. My settings re. 802.1x auth are default, and default means computer or user, right? I have now added an additional network policy which also allows domain computers to authenticate. And now, if it is a domain computer, I don't even need to authenticate with user/password, cool.

    But I have not found where I can configure the 802.1x auth mode for wireless connections, can you assist with this?

    I just found that if Wired AutoConfig Service is not running on a pc, Authentication tab on wired nics is not present. But if this runs, I still have no authenticatoin tab on wireless nics. While WLAN AutoConfig service runs, but I do not see where to control authentication mode regarded.

    kind regards,

    Dieter Tontsch

    Tuesday, May 21, 2019 8:56 AM
  • Hi,

    Thanks for your replay.

    Yes, the default setting of 802.1x authentication is user authentication.

    For your reference:

    http://sites.miis.edu/kb/2015/08/28/how-to-manually-connect-to-wi-fi-on-windows-10/ 

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.  

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 21, 2019 9:10 AM
    Moderator
  • Found a similar post jsut minutes ago https://www.uwsp.edu/infotech/Pages/Tutorials/Wireless/Windows-10-Wireless-Setup.aspx, but thanks.

    This cannot be controlled via GPO?

    Tuesday, May 21, 2019 9:13 AM
  • Hi,

    Yes, of course.

    Deploy-Wireless-Network-using-Group-Policy

    For your reference:

    https://dailysysadmin.com/KB/Article/714/create-a-group-policy-to-deploy-a-company-wireless-access-point/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.  

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 21, 2019 9:23 AM
    Moderator