Channel: Network Access Protection forum
Viewing all 1875 articles

Can't create new SHV configs in 2012 R2


Hello all,

I'm trying to set up NPS in a lab environment to practice for the 70-417 upgrade exam, but am finding it near impossible to create additional configurations for the Windows SHV. I can get as far as right-clicking Settings > Select New > enter a configuration friendly name, but no further. As soon as I click OK the friendly name window closes and nothing else happens, apart from "Action: Completed successfully" appearing in the status bar.

The SHV policy settings window never appears, and I still have only the Default Configuration listed in the center pane. (I *can* edit the default config without problems.) This happens with both the 180-day trial and the full TechNet ISOs, regardless of whether the system is completely stock or fully patched. Annoyingly, nothing is being written to a log as far as I can tell in Procmon.

A workaround that does work is to use a 2008 R2 box to connect via the remote MMC snap-in and make new configs from there, but I'd like to know if there are any solutions when working with a pure 2012 R2 environment.

Many thanks,
-Scott


Do it right.


After installing Oracle VirtualBox and changing the network adapter to bridged mode, I can't access my server


Hi,

I have installed Oracle VirtualBox on Windows Server 2008 R2 hosted at 1und1.de.

Up to the installation and setting up Ubuntu in VirtualBox it was fine, but once I changed the adapter to bridged mode I immediately lost connectivity with my server and now can't access it.

It has now been 2 days that I can't access my server or ping it, and the website hosted on it is also down.

1und1 offers the following 2 options:

1) Using PuTTY I can connect to the server command prompt as administrator, but can't run any GUI application.

2) Server Rescue mode, where I get a special environment to start and stop services and access the registry and command prompt.

So far I have tried a lot of settings to enable network connectivity but have not succeeded.

This is the result of ipconfig /all:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : s15453760
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-00-04-FD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d5c:5bbc:c61:e9b1%16(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.233.177(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 352845863
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B9-51-EA-00-19-99-A5-E7-BE
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{BBF9AA14-45EA-460C-8F23-E106D890D878}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

How can I restore my connection?

Thanks

SHV ID : 79856 Can not create validator


I have implemented SdkSha and SdkSHV from the Windows netds samples.

The NPS is configured on a 64-bit Windows Server 2008 R2 operating system.

When I added SHV.dll with the regsvr32 command, the SHV was added to the System Health Validators list in the NPS console and the SHV UI is displayed correctly,

but this error: "SHV ID : 79856 Can not create validator"

was shown in the NAP Server events, and my SHV and SHA couldn't communicate with each other.

Does anyone know what to do?

Thanks,

npsdev

DHCP NAP manually assign IP


Hey guys,

My question is this: I have chosen NAP to protect us from a wave of unprotected computers connecting to our network, and I would like to be able to assign an IP address and network connection to each computer that passes health checks. But what if a computer has its IP address manually assigned (not by DHCP) and won't pass health checks? Also, is it possible to give different IP addresses to compliant and non-compliant computers, e.g. from different scopes?

Cheers

Aggie

Matching on client certificate fields in conditions


I'd like to roll out certificates to BYOD devices with the MAC address of the device in the CN field.
Is it possible in NPS/NAP to compare the Calling-Station-ID RADIUS field with the value of the CN field from the client certificate?
This way I'm able to restrict the certificate to just one device.

Thanks in advance.

Joeri

Recurring IIS error 403.13

Hello,
We have a Windows Server 2008 R2 with IIS 7.5 with some app pools running.
Every 4 days (exactly) we get 403.13 errors in our IIS log and all client connections are refused.
The only way to solve the problem is to reboot the server.
The problem seems to be in the certificate used. There is an OCSP responder that is not reachable all the time.
But why does it happen exactly 4 days after the reboot? Does somebody know if there is an undocumented timeout if the OCSP responder is not reachable?
Does anybody have a hint where we can start further investigations?
Thank you very much in advance.

Best regards,
Matthias

Network credentials disabled in Windows Server 2008 R2 domain


Dear all, I have a problem in a Windows Server 2008 R2 Enterprise Edition domain. The problem is that when I connect to any server from a workgroup PC, I have to enter the domain or administrator user name and password to access the users' shared files after network credentials authentication. Now on one server this network credentials prompt is disabled for an unknown reason, and when I access the server I can see all shared files without logging in, but I can only access the folder shared to Everyone. Now I need a solution to enable network credentials (password-protected sharing in Windows 7) for users, so I can reach every user's shared files with his own domain username and password.

Thank You

Anthony

NPS service installation failing


Hi,

We are trying to install the NPS service on a Windows 2008 R2 server and it is failing with the error "Network Policy Server Installation Failed", after which it asks to reboot the server. We have tried the following solutions without success:

  • Tried installing another role to check if the issue is with NPS or Server Manager. Other roles install properly
  • Removed the ias folder from %Windir%\System32\
  • Checked the registry value for NT AUTHORITY\NETWORK SERVICE and found it to be 1
  • Event Viewer shows the error that the NPS service failed to start
  • Tried installing through PowerShell and the command line

None of the above solutions worked. Please suggest.


802.1X EAP-TLS User Certificate Errors


I'm trying to implement 802.1X using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers). I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to "Computer Authentication". However, when authentication mode is set to "User or Computer" or just "User" it fails. I get a "certificate is required to connect" pop-up and it's unable to connect.

No errors on the NPS side, but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see. It seems as if there is a problem with the client certificate:

[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
[236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.

Also, in the event viewer I get the following:

Wireless 802.1x authentication failed.

Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
Local MAC Address: C4:17:FE:48:F2:79
Network SSID: *****
BSS Type: Infrastructure
Peer MAC Address: 00:12:17:01:F7:2F
Identity: NULL
User: presentation
Domain: ****
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.

I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked. All other boxes are cleared. I verified that certificates for user, computer, and root CA are all correctly auto-enrolled. I also verified that the user certificate exists in the "Personal" user certificate store on the client.

There is clearly something wrong with the user certificate, but what? I'm at my wits' end as I have tried everything. Please help!

NPS access and failed logs not generating


Hi,

We have Windows Server 2008 R2 with a DC, and we have integrated the WLC with the DC with the help of the RADIUS server. Two days ago we enabled the audit policy for account, directory and object changes with success and failure. After these changes, NPS access and failed logs are not generated on the RADIUS server; before 2 days ago, logs were generated. Now only event ID 4400 is generated on the server. Users are accessing the wireless network. So please help me.


Thanks, Manish


Share folder permission


Hello,

I have a file server in my company and I need to grant some users

the ability to add and rename subfolders and edit files, but not delete (folders, subfolders or files).

How do I do this?

thanks

Windows server 2008 R2 Access files from anywhere

I want to make Windows Server 2008 R2 accessible from anywhere. I will install Windows Server. It will basically be a file server and I want to access it from anywhere. Can you provide some steps that should be done? Is there a need to have a public IP, or can it be done without a public IP?
Thanks in advance.

NPS server network policy settings.

Hello, in my domain environment a standalone Windows 2008 R2 server built as an NPS server is responsible for 802.1X authentication, and it has basically been successful. However, when configuring the network Group Policy, I found that the restrictions on the authentication object only support an "or" relationship; there is no "both" multi-condition logic. I also could not find the relevant documentation to reference. Can the "both" multi-condition relationship that IAS could be set to previously be done in the NPS network Group Policy? Or is there an alternative to it?

NPS Discarding RADIUS request from Cisco switch (802.1x)


For the last few weeks I've been busy trying to get the following to work:

- Cisco 2960 switch as the supplicant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-CHAPv2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)

This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html) but I'd like to get it to work with Windows NPS.

Within NPS I've set up the following Connection Request Policy:
- NAS Port Type: Ethernet

I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the user account used by the switch is part of this group)
- NAS Port Type: Ethernet
- Authentication Type: EAP

Now the request sent by the switch is discarded. The actual error is the following (irrelevant information excluded):

User:
	Account Name:			Rotterdam-Switch-8-1
	Account Domain:			DOMAIN

Authentication Details:
	Connection Request Policy Name:	Secure Wired Connections
	Network Policy Name:		Switches Allowed
	Authentication Provider:	Windows
	Authentication Server:		SERVER.DOMAIN.local
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:	-
	Reason Code:			1
	Reason:				An internal error occurred. Check the system event log for additional information.

Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS server
2. The NPS server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) being received by the NPS server

Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 2 (Response)

I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied
- I've also tested by adding ALL EAP types as a condition to the Network Policy. The request isn't picked up by this policy anymore.

Any help would be greatly appreciated, of course.

Kind regards,
Peter

The trust relationship error (domain client PC)


Hi all!

We have a problem on one of our clients: "The trust relationship between this workstation and the primary domain failed." It's a Windows Server 2012 environment.

We found many solutions that say "remove the client from the domain, and then rejoin", but is there any permanent solution which works and does not need the client to leave the domain?



Public Certificate for NPS/NAP?


OK, I am trying to get NPS set up so that it will be used for guests to access the Internet but still require a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate for this?

I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".
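An added example, written for this thread and not taken from either poster, that serves both the EAP-TLS user-certificate post above and this PEAP server-certificate question. The PowerShell below enumerates a certificate store and reports the fields that 802.1X/PEAP deployments depend on: the Key Usage bits (Digital Signature / Key Encipherment / Data Encipherment, the "a0" discussion here), the Client Authentication and Server Authentication EKUs, whether the SAN carries a UPN, and whether the private key lives in a legacy CryptoAPI CSP or a CNG key storage provider (the "CryptAcquireContext failed ... silent mode" line in the EAP-TLS trace above is about that provider). It assumes PowerShell 5.1 or later with .NET 4.6 (for GetRSAPrivateKey) on an English-locale Windows, because the formatted SAN text is matched on "Principal Name="; the store path and the two OID constants are the only parameters and are my choices, not settings from either post.

```powershell
# Added example (not from either forum post): report the certificate attributes that
# 802.1X EAP-TLS clients and PEAP/NPS servers care about, for every cert in a store.
# Run as the user who will authenticate to inspect user certs; for a machine or NPS
# server cert use Cert:\LocalMachine\My in an elevated session.

$StorePath     = 'Cert:\CurrentUser\My'   # assumption: user certs in the Personal store
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth (what an EAP-TLS client needs)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth (what a PEAP server needs)

function Get-CertReport {
    param([string]$Path)

    foreach ($cert in Get-ChildItem -Path $Path) {
        # Key Usage extension (2.5.29.15). "a0" in a CA's language is
        # DigitalSignature + KeyEncipherment; DataEncipherment is a separate bit.
        $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $keyUsage = if ($kuExt) {
            ([System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]$kuExt).KeyUsages
        } else { 'none' }

        # Enhanced Key Usage extension (2.5.29.37): collect the OIDs as strings.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                ForEach-Object { $_.Value }
        }

        # Subject Alternative Name (2.5.29.17), rendered as text so the UPN is visible.
        # "Principal Name=" is the English-locale label; adjust for other locales.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # Private key presence and the provider holding it (legacy CSP vs. CNG KSP).
        $provider = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    "KSP: $($rsa.Key.Provider.Provider)"
                } else { 'CSP (legacy CryptoAPI)' }
            } catch {
                # The key exists but this session cannot open it (ACL, smart card, etc.)
                $provider = "private key not accessible: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            KeyUsage      = $keyUsage
            ClientAuthEKU = ($ekus -contains $ClientAuthOid)
            ServerAuthEKU = ($ekus -contains $ServerAuthOid)
            HasUpnInSan   = ($san -match 'Principal Name=')
            Provider      = $provider
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Get-CertReport -Path $StorePath | Format-List
```

Reading the report: for an EAP-TLS user certificate you want ClientAuthEKU true, HasUpnInSan true, NotAfter in the future and a Provider line that does not say "not accessible"; for a PEAP server certificate you want ServerAuthEKU true and the Key Usage line to list the bits your NPS build expects. The report only shows what is in the store; it does not change anything.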


Restrict systems

How do I restrict Windows 7 systems from accessing a shared folder on a Microsoft Windows Server 2003 system?

Please note that both the systems are connected in the same network and there is no domain created in the 2003 server and hence all the Windows 7 systems as well as Microsoft Windows Server 2003 system are just connected in the network via LAN.

Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2


I'm a little new to the Domain Admins group, so excuse me if I'm not familiar with all of the terms. My current problem is this.

I have a brand new Cisco WLC with all brand new WAPs. I'm trying to set up WPA2-Enterprise using PEAP. I started off by following, step by step, this implementation: http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

I think I'm extremely close to having this working, but I have not found a resolution yet. I've searched all over the internet and have still found no resolution.

I have created the cert, etc. and installed it on clients. The WLC seems to be forwarding the information along correctly. Below are the security events that I see in the logs on the DC.

First:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/21/2011 9:59:53 AM
Event ID:      5061
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      XXXX.local
Description:
Cryptographic operation.

Subject:
    Security ID:        SYSTEM
    Account Name:       XXX
    Account Domain:        XXX
    Logon ID:        0x3e7

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    RSA
    Key Name:    certificate-CA
    Key Type:    Machine key.


Then immediately following:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/21/2011 9:53:58 AM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      XXXXX.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            domain\user
    Account Name:            domain\user
    Account Domain:           domain
    Fully Qualified Account Name:    domain\user

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        10-8c-cf-10-f4-30:vbw-test
    Calling Station Identifier:        18-3d-a2-00-6b-c8

NAS:
    NAS IPv4 Address:        10.0.X.X
    NAS IPv6 Address:        -
    NAS Identifier:            WLC
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:        WLC
    Client IP Address:            10.0.X.X

Authentication Details:
    Connection Request Policy Name:    Secure Wireless Connections 2
    Network Policy Name:        Secure Wireless Connections 2
    Authentication Provider:        Windows
    Authentication Server:        DC.local
    Authentication Type:        PEAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            23
    Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Please help, I've been looking at this for hours and am completely out of options!

Thanks,

Tim

NPS on Windows Server 2008 issue

I need some help figuring this out, guys. I am running an NPS server on Windows Enterprise 2008 R2. I am trying to do wireless authentication with PEAP-MSCHAPv2. I am having this issue: when I use a local CA the clients can authenticate, but as soon as I use a third-party certificate from GoDaddy I get reason code 22. It's not reading the EAP types. It's just reading my Windows logon and not taking the LDAP user provided.

Let me know what might be the cause; I can't seem to find what's wrong.

Thanks!!

Unsuccessful when using a Cisco switch as a RADIUS client to control VLANs


I have a test lab:

  1. - Use a Cisco switch (2960 series, IOS 12.2(44), IP address 192.168.0.1) to connect to the RADIUS server (also the domain controller, Windows Server 2008 R2, IP address 192.168.0.2)
  2. - When a computer plugs into the switch:
  • only domain computers are allowed
  • use computer account based authentication with certificates
  • put healthy clients into VLAN100
  • put unhealthy clients into VLAN999

What I did:

  • On the Windows server:
  • Install the "Network Policy and Access Services" role (only select the Network Policy Server sub-role)
  • Go to the Network Policy Server console, then click the Configure NAP link
  • Follow the wizard with these options: IEEE 802.1X (wired) -> Create RADIUS client with IP address 192.168.0.1 and shared key 123 -> Didn't fill anything in Machine Groups and User Groups -> Use Smart Card or other certificate... (not Secure password) for EAP types -> Configure RADIUS attributes for "Full access network" and "Restricted access network" (see image h.t.t.p://pik.vn/20142b537bed-e911-4bb7-b2be-cb316f2d6254.png) -> Next until the end of the wizard.

On the switch, I did:

  • aaa new-model
  • aaa authentication dot1x method1 group radius
  • dot1x system-auth-control
  • aaa authorization network autholist1 group radius
  • radius-server host 192.168.0.2
  • radius-server key 123
  • interface fast 0/24
  • switchport mode access
  • dot1x port-control auto

This is the result:

  • The port FastEthernet 0/24 on the switch is always orange, and the VLAN ID doesn't change; it still stays in VLAN1
  • Nothing has been written in the log of the Network Policy and Access Services role
  • When I turn on "debug dot1x all" on the switch, I can read something like this: h.t.t.p://pik.vn/2014290fe010-4548-4068-979a-f35c72ced35d.png

Can someone tell me what I have to do to resolve this problem? Or give me a good tutorial which teaches how to set up a Cisco switch with NAP on Windows Server 2008 R2 to control VLANs? I have read many tutorials from Cisco and Microsoft but still have no success, because it's the first time I've worked with NAP.

Thanks in advance!
