Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums

none
NPS Missing the Event 6273 and 6279

 > 

    Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    I

    I have installed a Windows 2008 server (not R2) with Network Access Protection. Installed all updates including SP2.

    I'm using the NPS to Controll access to some network switches. When making a successfully login on the NAS box i receive the event 6272 and 6278 as expected in the security Event log.

    When making a failed attempt i however do not receive some similar events in the event log. And i want to have those event for trouble shooting reasons. I'm damm sure that i have configured the local policy to log both success and failed attempts.


    From the command prompt:

    C:\Users\Administrator>auditpol /get /subcategory:"Network Policy Server"
    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Network Policy Server                   Success and Failure

    C:\Users\Administrator>

    Wednesday, December 30, 2009 1:43 PM
    |

Answers

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi all,

     

    We too had been experiencing this issue with 2x Windows Server 2008 Enterprise SP2 x32 systems; NPS only logging successful and not failure events. We recently raised a support request with MS as we had lived with the issue for 9 months and it was getting beyond a joke... we now have a work around in place as follows. The issue is due to NPS not fully supporting Unicode character encoding and as such it will fail to log certain events (which contain non-unicode characters apparently) if the system locale is set to anything other than US English - being based in the United Kingdom, our system locale as set to UK English. MS have informed us that this work around is considered acceptable and it is unlikey that any further time will be invested in a permanent fix. We were concerned about the impact of changing the system locale however it does not appear to have caused any further issues - we're also running WINS and DHCP roles on this server.

     

    HTH,

     

    Tom Ranson

    Thursday, May 20, 2010 9:45 AM
    |

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    Can you also verify the configuration in the NPS MMC (nps.mmc)?

    Right click the root node "NPS (Local)" and select "Properties". Ensure that both "Rejected authentication requests" and "Successful authentication requests" are selected.
    This TechNet forum post is provided "AS IS" with no warranties, and confers no rights. This entry reflects my own personal views and does not necessarily reflect the view of my employer.
    Thursday, December 31, 2009 9:42 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    I have now checked this. And yes both the "Rejected authentication requests and the "successful authentication requests" are selected.

    Monday, January 04, 2010 7:36 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Could you please check if you have configured the "Ping User-Name" at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters\ ?

    Thanks
    Qunshu

    Sorry. My posting is my personal suggestion, Microsoft won't take any responsibilities for my posting. But I am more than happy to try my best to help you.
    Monday, January 04, 2010 8:42 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Regedit export of the parameters:

    • Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters
    • Class Name:        <NO CLASS>
    • Last Write Time:   28-12-2009 - 09:10
    • Value 0
    •   Name:            Allow SNMP Set
    •   Type:            REG_DWORD
    •   Data:            0
    • Value 1
    •   Name:            ServiceDllUnloadOnStop
    •   Type:            REG_DWORD
    •   Data:            0x1
    • Value 2
    •   Name:            ServiceDll
    •   Type:            REG_EXPAND_SZ
    •   Data:            %SystemRoot%\System32\ias.dll

     There is no "Ping User Name". I'm not sure if you want me to add it, or to remove it.

     

    Tuesday, January 05, 2010 8:11 PM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote
    Hi,

    Have you tried using the set command again? Even though "get" showed that this is enabled, I've run across situations where it wasn't taking effect for some reason.

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    http://support.microsoft.com/kb/951005
    Friday, January 15, 2010 5:11 AM
    |
    Owner
  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi

    I also have this problem, on both my NPS servers. It's set to log both successful and failed authentications (as in Matt's email above) and the auditing policy has also been set as in Greg's. Twice, in fact. Still no event 6273s.

    It would also be useful to know if Microsoft have a parser for the log files - they at least have the failure details, but IASPARSE.EXE from RTK 2003 doesn't seem to like them

    Thanks for any suggestions

    Max
    MaxC
    Tuesday, February 02, 2010 5:24 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible, or move the question to another forum if it is not appropriate for the NAP forum.

    Greg Lindsay

    Friday, March 19, 2010 9:21 PM
    |
    Owner
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi all,

     

    We too had been experiencing this issue with 2x Windows Server 2008 Enterprise SP2 x32 systems; NPS only logging successful and not failure events. We recently raised a support request with MS as we had lived with the issue for 9 months and it was getting beyond a joke... we now have a work around in place as follows. The issue is due to NPS not fully supporting Unicode character encoding and as such it will fail to log certain events (which contain non-unicode characters apparently) if the system locale is set to anything other than US English - being based in the United Kingdom, our system locale as set to UK English. MS have informed us that this work around is considered acceptable and it is unlikey that any further time will be invested in a permanent fix. We were concerned about the impact of changing the system locale however it does not appear to have caused any further issues - we're also running WINS and DHCP roles on this server.

     

    HTH,

     

    Tom Ranson

    Thursday, May 20, 2010 9:45 AM
    |