
Certificate Disappears from NPS' Constraints

Good evening all, I've successfully got the NPS set up with my Draytek 2920 router for 802.1x authentication for wireless clients. The only problem is that the certificate that I created keeps disappearing from the "Certificate issued" list for the "Microsoft Protected EAP (PEAP)" and I have to issue new certificates for it to show again. The certificate is good for 1 year but keeps disappearing after 1 day. The kicker? It still shows my old certificates in what's been issued. So I've been banging my head over this for some time. Any tips or clues as to where I can find out why this keeps happening?

Thank you for all your help.

Windows Server 2008 R2 Enterprise SP1
Roles Installed: AD CS (as Enterprise), AD DC, DNS Server (standard for AD DC), File Services, and NPS



The security database on the server does not have a computer account for this workstation trust relationship

Dear Team,

If I posted in the wrong place, I am sorry for that. Please move it to the correct forum.

I'm using Hyper-V for testing purposes. One of my workstations gave me this error "The security database on the server does not have a computer account for this workstation trust relationship" when I log in. A few days ago I could use that PC. Before I posted here I read

http://portal.sivarajan.com/2010/05/workstation-trust-relationship-issue.html

http://www.computerbusinessconsultants.com/solved-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

http://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

I changed to workstation, deleted it from the domain and rejoined again. But I still cannot log in to my virtual PC.


Workstation Info.

Computer name : CRMSRV

Full computer name : CRMSRV.yukon.ts

Domain : yukon.ts

SPN on Domain


Server Info:

Windows 2008 R2 SP1 (Workstation and Domain)

I hope someone can help me.

Best Regards,

Yukon


Make Simple & Easy

Help with setting up a radius server for BYOD devices

I have set up a RADIUS server with Server 2012 R2 following this guide.

https://www.youtube.com/watch?v=lWUs9pwUcuc

It's a little hard to understand his accent but I get the gist of it from what he's doing on screen.

The only difference is that I chose not to use certificates, since I would like my iPhone and my laptop that is not on the domain to be able to connect using my network username and password (simulating BYOD). So I chose to use EAP-MSCHAP v2 (which doesn't require a client cert?). I do have a CA on another server just in case I need it. I'm currently using it for SSL WSUS. I am using a Cisco e4200 dual band wifi router which does support WPA Enterprise. I am using Windows 8.1 on my laptop and iOS 7 on my iPhone 5. I did not manually create a profile like you see in the video because I would like it to work by just entering my network credentials, like you would for a typical BYOD device and phone.

When I try to connect using my domain username and password on either my laptop or iPhone it fails to connect and I am not sure why. Since it's using 802.1x, do I need switches that support 802.1x? I just have a dumb switch at the moment, just a typical 8 port D-Link gigabit consumer grade switch. Overall it seems fairly simple to get this set up and working but I must be missing something since I can't seem to connect.

Any ideas on how to use RADIUS in Server 2012 R2 to connect to a typical wifi router which does support WPA2 Enterprise and then get my iPhone and laptop, which are not domain joined, to connect as BYOD devices?

Thanks!


GPO processing - NETLOGON 5719 errors

Hi,

I have set up a corporate wireless connection using NPS to authenticate the computer and user connection.  The problem I now see is that when my laptop boots it does not process the GPOs prior to user logon.  I get a NETLOGON 5719 error on the laptop just before the NPS connection is registered in the log.  This morning, for example, the 5719 error occurred at 08:31:36 and the NPS connection was registered and authenticated at 08:31:37.

I have tried various fixes from these two links:

http://support.microsoft.com/kb/938449/en-us

Event ID 5719 is logged when you start a computer

(Tried Resolution 2 and 3)

http://support.microsoft.com/?kbid=2459530

Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used

The second article applies as the wireless is configured to obtain an IP address from the Sonicwall firewall rather than the Win2K8R2 DHCP server which serves the LAN.  There are no problems with this error for the LAN clients.

This is not down to routing and firewall issues between the Sonicwall and the LAN; it only occurs during the initial startup of the laptop, where it needs to locate and authenticate with the domain (via NPS) and process GPOs.

Does anyone have experience of this issue and how was it fixed please?

Chris

2012 Radius and NPS - EAP Error

I'm having trouble getting Radius working. I am not very familiar with setting up Radius in general. We have a certificate from a Root CA we want to apply and I believe I have applied it.  When a client goes to login they're getting this error:

Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:server.mydomain.local
Authentication Type:EAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

The client is a Windows 8 Enterprise. The server is 2012. Our wireless vendor is Ruckus.

Built in Administrator Account

RIP source address of RRAS

I have a WS 2008R2 RRAS server running both NAT and RIP. Sometimes, a RIP peer will not receive any response at all.

Capturing the packets showed that the RRAS server sent the packet using (incorrectly) the IP of the public interface of NAT but through the correct private interface. These are two separate interfaces, so I do not understand how this is possible.

Also, this only seems to happen if a neighbor list is used instead of broadcast/multicast. If I enable broadcasting with the neighbor list, then the correct source IP will be chosen for both kinds of packets.

NPS Windows 7 clients can't connect | iPhone connects!

Server 2008 R2 (RDS, NPS)
Access point: WRT54GL
Using a wildcard certificate

Ironically, my iPhone 4 connects to the wireless network just fine! I logged in w/ my domain credentials and then I had to accept the wildcard certificate we use, and bam, in on the corporate network using domain credentials.

However, I can't get our Windows 7 machines to connect.

With the current settings, the connection request generates 2 error messages in the Event Viewer - 1 for the computer and 1 for the user attempting to authenticate - both of which say: "Network Policy Server denied access to a user... The message received was unexpected or badly formatted."

I've tried creating a wireless profile on the laptop - and not validating certificates = no go.

The EAP service is running on the laptop.

The NAP service was NOT running on the laptop. I started it. Didn't affect anything.

I read that importing certificates on the client might be necessary... That doesn't sound right. I don't want to have to touch each client - or even apply through GPO. Is this even relevant?

I have received other error messages in the past when I was tinkering with different connection and network policy settings. But this is where I’m at now.

Help!? Thanks!



EAP-PEAP-MSCHAPv2 Realm Stripping in Windows 2012

In the NPS server on Windows 2012 I have a regular expression that changes the User-Name attribute from login@domain.es to login@subdomain.domain.es. The regular expression works fine, but in the end the connection is rejected because it continues using login@domain.es

IAS_AUTH_FAILURE

This works on Windows 2003.

No AUTHORIZATION extensions, NPS Radius Server

Hi All

I have an issue setting up Radius Server to authenticate users for Wireless Network Access. The NPS server is installed on our DC ( Windows 2008 R2 SP1). I'm using a Windows 7 client to connect to the Server. The errors I have in the IAS logs are:

[2528] 11-29 10:32:41:110: NT-SAM Names handler received request with user identity ad\testradius.
[2528] 11-29 10:32:41:110: Username is already an NT4 account name.
[2528] 11-29 10:32:41:110: SAM-Account-Name is "AD\testradius".
[2528] 11-29 10:32:41:110: Successfully created new RAP Based EAP session for user AD\testradius.
[2528] 11-29 10:32:41:110: No AUTHENTICATION extensions, continuing
[2528] 11-29 10:32:41:110: NT-SAM Authentication handler received request for AD\testradius.
[2528] 11-29 10:32:41:110: Validating windows user account AD\testradius
[2528] 11-29 10:32:41:110: Sending LDAP search to DC2.
[2528] 11-29 10:32:41:110: Successfully validated windows account AD\testradius.
[2528] 11-29 10:32:41:110: Allowed EAP type: 25
[2528] 11-29 10:32:41:110: Succesfully created EAP Host session with session id 35
[2528] 11-29 10:32:41:110: Processing output from EAP: action:1
[2528] 11-29 10:32:41:110: Inserting outbound EAP-Message of length 6.
[2528] 11-29 10:32:41:110: Issuing Access-Challenge.
[2528] 11-29 10:32:41:110: No AUTHORIZATION extensions, continuing

I followed the article on TechNet on setting up extension DLL.

I get the following errors after I completed the registry edit:

System\CurrentControlSet\Services\AuthSrv\Parameters doesn't exist; no extensions loaded.
 No Authentication extensions!
Initializing LDAP.
The registry value BackendServerTimeout does not exist. Using default 2
Loading AuthorizationDLLs
System\CurrentControlSet\Services\AuthSrv\Parameters doesn't exist; no extensions loaded.
No Authorization extensions!

I have removed the NPS role (including the isa.xml file) and reinstalled it; exactly the same issue.

Thanks for reading and assisting me.

RADIUS Limitations

Hello Guys,

I have made a RADIUS server for my WiFi. Is there a way to configure how many devices you can connect with 1 account? I would like to set the maximum devices per user to 3.

Sorry for my bad English,

Greats,

Ruben

server 2008 R2 will not connect to aircard 760s

Hi all

I have an HP ML350 running Windows 2008 R2. For some reason I cannot get the server to see my AirCard 760s modem.

I am connecting through the USB.

On connecting the modem, a window pops up in the bottom right hand corner saying drivers being installed and trulink being installed, then device is ready to use. That's it. The modem cannot be found.

Under Device Manager I found 4 entries for ac760s with yellow warning markers on them. I removed them, and when I reconnected the modem and checked Device Manager I found 5 entries for the modem. On checking on driver found.???

Any ideas? The same modem installs and runs well on Windows 7 64

Help

Richard C

PPTP VPN Error 619

I've recently been having problems with my users not being able to connect to our domain PPTP VPN (running on Server 2008 R2).

It was configured about 2 years ago and has been working great! Now for some reason it's just stopped working. Nothing has been changed on the server (to my knowledge) and it doesn't happen on all client machines.

My MacBook (just running Mac OS X) connects fine.

It doesn't seem to follow any pattern (generally all using Win 7); it seems almost 50/50 as to who can connect.

Do you have any ideas?

  • I've tried using an online port checker and both ports 1723 and 47 are open. (I assumed they would be, or none of the computers would be able to connect.)
  • I've tried disabling firewalls / installing different ones too.
  • Disabled IPv6
  • Set security method to PPTP (was working on Auto before)
  • Looked in 'C:\windows\system32\logfiles' to see if the connection was being refused, but only successful ones are being made.
  • No mention in the Event Viewer (Network Policy and Access Services) - I assume there isn't another?

As mentioned in the title, they get error 619 (A connection to the remote connection could not be established, so the port used for this connection was closed.)

Any help would be greatly appreciated! Thanks.

NAP and Sleep Mode

Dear All,

I implemented DHCP NAP enforcement in my environment and it is working perfectly, but I have a problem: when compliant computers access the network and then go into sleep mode, when they wake up I see that they are assigned the full mask 255.255.255.255 and I have to restart the NAP service to obtain the default mask. I checked Event Viewer and found that this error happens during this scenario:

An error occurred when DHPQEC tried to renew DHCP lease in the adapter {9b5cb0da-2416-40b1-bcfa-1f95a8389c15}. Error code is 0x79

DHCP server: Windows 2008r2

Client: Windows7 SP1

NPS Server: Windows 2008 R2

NAP with IPSec for Unix Servers

Hi All, 

We have configured the following Group Policies as per the TechNet article: Configure IPSec GPOs (http://technet.microsoft.com/en-us/library/dd314176(v=ws.10).aspx)

Three Group Policy objects (GPOs) are used to apply IPSec policies:

  • There will be an IPSec boundary GPO for computers with NAP exemption certificates that request, but do not require, that incoming communications are authenticated with a health certificate.
  • There will be a Windows 7 IPSec secure GPO for computers running the Windows 7 or Windows Server® 2008 operating system. The secure GPOs will require that incoming communications are authenticated with a health certificate.
  • There will be a XP IPSec secure GPO for computers running Windows XP with Service Pack 3. The secure GPOs will require that incoming communications are authenticated with a health certificate.

My question is about accessing Unix servers in the environment. How can I put the Unix servers in the boundary network/secure network? Do I need to install a NAP exemption certificate, or is there any other way? A Windows machine is trying to connect to the Unix servers by using PuTTY.

 Thanks & Regards,

Kedar




how can i put on my folder access control. . . .

I joined a new office as system administrator. We have very few systems connected to my Windows Server 2008 R2!

I am unable to control the folder access control. I mean to say, the folder must have the read option for a few systems and the write option for a few systems. Can anyone suggest a step-by-step process to make my network use the files and folder data effectively? Thank you.

Regards

RAS VPN for Domain Users

Hi All,

I have set up a test lab at home and have an AD as well on my Windows 8 Hyper-V. My RAS server is a Windows 2008 Server VM. The problem is, when I try to connect to the VPN and the server is in the domain, it does not accept credentials and keeps popping up the window, but when I remove it from the domain it works fine. My clients are Windows 8 machines.

Any help here please?


Mateen Fugawala

Is wireless NIC working on DHCP Enforcement NAP Client?

Hi all

There is my environment:

DHCP Server: Windows 2010(NAP on)

NAP Server: Windows2010

DHCP NAP Enforcement Client: Windows 7(a note PC with both lan NIC and wireless NIC)

Wireless AP(no routing)

Now.

It works well when I use the client LAN NIC for requesting an IP.

But it does not work when I use the client wireless NIC for requesting an IP through the AP.

From my examination, the SoH info (option 43) was not sent in the DHCP request packet from the wireless NIC, which was different from the LAN NIC (SoH info in DHCP request packet).

My question:

Is there any way to make a wireless NIC work on a DHCP NAP Enforcement Client? I think it's necessary for a client which only has a wireless NIC, such as Surface.


Windows XP PEAP authentication fails

Hello,

I am trying to make a client computer authenticate with domain credentials to the NPS for wireless network auth. The logs of the NPS server only show authentication attempts with the computer name. Our setup:

Client: Windows XP SP3, wireless networks managed by wzcsvc

The client tries to connect to a wireless network, controlled by a Cisco Wlan Controller. This controller is configured to use the NPS server as Radius.

NPS and AD server: Windows 2008 R2

I tried the following without any results:

  • setting the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 0 and 1
  • disabling our GPO on the specific laptop and domain user logged on to the laptop


If I adapt the NPS policy for computer authentication, everything works and access is granted but if I specify a domain user group, the authentication fails.
I have the impression the wzc tool is a bit buggy; from time to time the NPS logs do not report authentication attempts anymore. After a net stop/start wzcsvc, it works again. I looked around on a lot of fora and Microsoft articles but I really can't find what the problem is. Any suggestions?

Thanks!

MAC ADDRESS FILTERING WITH WINDOWS SERVER 2008 r2

I'm very much a beginner with Windows Server 2008 R2. I need some tutorials on how to achieve MAC address filtering in Windows Server 2008 R2. I tried configuring it with the DHCP server but I wasn't able to configure it. So kindly help me with some tutorials on how to do MAC address filtering. I need tutorials for a baby. Thank you in advance.