Channel: Network Access Protection forum

Event ID 4625 Null SID Guest account currently disabled


Hi, I'm seeing several Audit Failures with the event information below. The system is Windows Server 2008 R2 in a virtual environment. Basically the event states that the Guest account tried to access Windows Explorer and the user account is disabled. The system is in test at the moment and I'm the only one accessing the machine. The Guest account is disabled, but I'm trying to figure out why the logon attempts are happening.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/17/2013 5:36:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NEWPRD.sorvive.com
Description:
An account failed to log on.

Subject:
 Security ID:  NEWPRD\Administrator
 Account Name:  Administrator
 Account Domain:  NEWPRD
 Logon ID:  0x1245586

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  Guest
 Account Domain:  NEWPRD

Failure Information:
 Failure Reason:  Account currently disabled.
 Status:   0xc000006e
 Sub Status:  0xc0000072

Process Information:
 Caller Process ID: 0xce0
 Caller Process Name: C:\Windows\explorer.exe

Network Information:
 Workstation Name: NEWPRD
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  Advapi 
 Authentication Package: Negotiate
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-17T21:36:04.587579800Z" />
    <EventRecordID>17342</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="2812" />
    <Channel>Security</Channel>
    <Computer>NEWPRD.sorvive.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2531602938-1099658101-1319544182-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">NEWPRD</Data>
    <Data Name="SubjectLogonId">0x1245586</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="TargetDomainName">NEWPRD</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">NEWPRD</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xce0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
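
An added example (not from the post or from Microsoft) that parses the Event Xml above and reads out what a responder checks by hand: the Status/SubStatus pair, the logon type, and whether the request came from a local process or over the network. The NTSTATUS and logon-type tables are the documented Windows values; the sample XML is constructed from the post's event and trimmed to the fields the code uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Event Xml from the post, trimmed to the fields
# used below. Real events carry this namespace; the post shows it stripped
# (xmlns="") and the parser accepts either form.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>NEWPRD.sorvive.com</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">NEWPRD</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">NEWPRD</Data>
    <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""

# Documented NTSTATUS values Windows writes to the Status/SubStatus fields.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",  # the detail is in SubStatus
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def parse_4625(xml_text):
    """Flatten one event into a dict keyed by the Data Name attributes."""
    event = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        if tag == "Data" and elem.get("Name"):
            event[elem.get("Name")] = (elem.text or "").strip()
        elif tag in ("EventID", "Computer"):
            event[tag] = (elem.text or "").strip()
    return event

def _status_name(value):
    """Map a '0xc000006e'-style field to its NTSTATUS name, if known."""
    try:
        return NTSTATUS.get(int(value, 16), "unknown (%s)" % value)
    except ValueError:  # field is '-' or empty
        return "none"

def triage(event):
    """Explain the failure and decide whether it was requested on this host."""
    lt = event.get("LogonType", "")
    host = event.get("Computer", "").split(".")[0].upper()
    ip = event.get("IpAddress", "-")
    # No source address and the workstation is this machine: a local
    # process asked for the logon, nobody reached in over the network.
    local = ip in ("-", "", "127.0.0.1", "::1") and \
        event.get("WorkstationName", "").upper() == host
    notes = []
    if local:
        notes.append("requested by %s running as %s\\%s on this host" % (
            event.get("ProcessName", "?"), event.get("SubjectDomainName", "?"),
            event.get("SubjectUserName", "?")))
    if event.get("TargetUserSid") == "S-1-0-0":
        notes.append("NULL SID on the target is normal for 4625: the logon "
                     "failed, so no SID was attached to the account")
    return {
        "target": event.get("TargetUserName", "?"),
        "status": _status_name(event.get("Status", "-")),
        "substatus": _status_name(event.get("SubStatus", "-")),
        "logon_type": LOGON_TYPES.get(int(lt) if lt.isdigit() else 0, "Other"),
        "origin": "local" if local else "remote",
        "notes": notes,
    }
```

For the event in the post this reports STATUS_ACCOUNT_RESTRICTION / STATUS_ACCOUNT_DISABLED, logon type Network, origin local (explorer.exe running as NEWPRD\Administrator), which matches the poster's reading that nothing remote was involved.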


Enable Identity Privacy causes authentication failure


I was reading the following Technet article http://technet.microsoft.com/en-us/library/ff919512%28v=ws.10%29.aspx that explains how to configure "Enable Identity Privacy", but it has the following "Tip":

"The NPS policy for 802.1X Wireless must be created by using NPS Connection Request Policy. If the NPS policy is created by using NPS Network Policy, then identity privacy will not work."

I am confused because you cannot specify the group membership conditions under "Connection Request Policy" that you can in "Network Policies". Perhaps the article means I need to configure the authentication method from within the "Connection Request Policy" instead of the "Network Policies"?

Any help would be appreciated.

Thanks

Wired 802.1x Continuous Authentication Restart in Win 7


Hi,

I'm trying to implement 802.1x authentication with HP switches and NPS 2008/R2.

It seems like the switch is configured properly, and an 802.1x policy was created and configured to grant network access to domain users and computers. Clients are Win 7 computers, configured to enable 802.1x authentication with the PEAP method and secured password (EAP-MSCHAP v2), and not required to validate the server's certificate (although the server has an issued certificate).

The problem is that the client seems to be authenticated and immediately restarts the authentication, which eventually fails, as I see in the logs under Wired-AutoConfig.

I'd be thrilled to get any assistance with that issue.

Thanks a lot,

Lena. 

Health Check condition


Hi All,

I'm having difficulty establishing a VPN when I specify a health check condition in a network policy.

The VPN establishes OK without the policy; however, the client presents error 812 (authentication error) when the health check condition is specified.

The only other condition is a Windows group. The VPN is a PPTP tunnel for testing purposes. The client is a Win 7 machine.

Any help appreciated.

config NAP VPN problem


Hello,

I have a problem configuring NAP.

I have 3 machines on VMware:

machine 1: Windows Server 2008 R2 (Active Directory + DNS + certificate authority)

machine 2: Windows Server 2008 R2 (RRAS + NAP)

machine 3: Windows 7 Ultimate (client)

I've configured NAP correctly but I've encountered the following error:

The server “DC.afc.local” presented a valid certificate issued by “certificate-myserver”, but “certificate-myserver” is not configured as a valid trust anchor for this profile.



and tried to resolve this error with this command:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer


The code run provided in the Windows client, no member of the domain and domain 

But again, my problem was not resolved.

Please help me to solve this scenario!


Uninstalling NPS does not remove RRAS service


Let me explain the scenario first.

I have a Windows 2008 R2 Standard Edition server which is also the Domain Controller. I installed the NPS server role and configured RAS for VPN. After installing this, I lost access to the server. (I was doing this via RDP, since the server is in a remote location.) Also, there was no ping to the server from any other machine (even from the local machines connected in the datacenter). I restarted the server, I started getting ping, was able to connect to the server for a few minutes (5 mins approx) and again lost the connection. There was no ping again to the server.

I removed the NPS server role from the server and the removal process completed successfully. But still the server is not accessible. There were a few ping requests during the time when the server comes up after the reboot, but again it goes away once the server is up. Surprisingly, though the NPS role was uninstalled, the Routing and Remote Access Service is still available in the 'services.msc' console.

I stopped the service, and everything was again working. I got remote access, was able to take RDP etc. I would now like to remove the RRAS service from the server. The NPS role has been completely removed, but still it exists. What can be done? Does anyone have any idea? Please feel free to ask me if you need any further information regarding the setup.

Thanks in advance.


Tom Jacob

Sonic NSA 2400 suddenly not able to authenticate users to the RADIUS server


Two days ago suddenly users could not authenticate through the VPN or Wifi. The password prompt just keeps coming up over and over.

So I go into the SonicWall device and check the settings; all the IPs are correct, the settings all look good. I go to test the RADIUS connection and get Authentication failed, or MSCHAP ERROR: E=691 R=0 V=3.

I checked all the settings on the Server 2012 R2 NAP server, seems good; the Sonic device is configured and enabled. Nothing seems to prevent it from logging in from the NAP server settings.

To troubleshoot I added my laptop to the NAP RADIUS Clients; same issue, not able to authenticate using a couple of RADIUS test tools.

What setting can I check to find out why the NAP server is suddenly not authenticating users and clients who are allowed, enabled and correctly configured in NAP?

Any thoughts on where to look or how to further troubleshoot this not being able to authenticate to the RADIUS server issue? Right now the VPN and corporate Wifi are down because no one is able to authenticate.

Thank you

Curt Winter

Systems Engineer

Microsoft NPS (SRV 2012) MAC-Authentication for Internal + Guest devices


Hi all,

I'm currently setting up a WIN SRV 2012 with Microsoft NPS and want to use MAC authentication for VLAN assignment.

Everything is working fine so far, as I can authenticate internal devices in the default VLAN, but when it comes to "authenticating" guest devices (which means I don't know the MAC address) and assigning them the guest VLAN network, it does not work.

If I add a device to the network, the RADIUS client (switch) sends the request to the NPS server. The NPS server then goes through its Connection Request Policies and checks if the request (received from the switch) matches a Connection Request Policy's conditions. If it does, the server authenticates the device locally (in the SAM). If the device can be found in the SAM (defined as a normal user), the server goes through the Network Policies and assigns the matching policy, giving back the VLAN.

The problem is that I don't know the MAC address of the guest devices, but when it comes to the Connection Request I only have the following options:

1. Authenticate locally

2. Authenticate on a remote NPS server

3. Do not authenticate and allow access.

I do not have another NPS server so I cannot use Option 2.

If I select Option 3, all devices automatically get assigned to the default VLAN. The NPS then ignores the Network Policies.

So I have to take Option 1. But Option 1 checks the request (including MAC address as username and MAC address as password) against its local SAM users. Guest devices will fail this test and will get declined by the Connection Request Policy.

Now my thought was to create two Connection Request Policies:
one of them with Option 1 (for internal devices) and one with Option 3 (for guest devices, giving back the guest VLAN instead of the default VLAN).

The problem here is that MS NPS does not provide me with a condition to keep both types apart, as (from the view of the NPS server) they look the same when the packet arrives
(Request: Username:MACADDRESS Password:MACADDRESS).

My thought was to keep both apart by adding a condition to the first Connection Request Policy saying "if the user is in the local SAM, take this policy". If it's not in there, it would fail over to the other Connection Request Policy, allowing access without authenticating and giving back the guest VLAN. But as already said: NPS does not provide this option.

Does someone else have experience with this and maybe made it work?

Thank you very much,
rpfister


Windows Vista flooding network with dhcpv6 renew requests


I have a few Vista Enterprise machines and they are causing a lot of headaches. I found out that they are doing a DHCPv6 Renew every now and then, which is not actually a problem, but the requests come flooding by the thousands within a few seconds (as shown below when captured with Wireshark), causing a network flood.

fe80::b589:8846:69f9:6f3d ff02::1:2 DHCPv6 196 Renew XID: 0x1c110e CID: 000100011b199761001a4b3f6fba IAA: 2001:x:x:::aae3 



This only happened on Vista. There is nothing else to update on the system and I could not find a solution to this. The only way to stop this is to disable IPv6 on the system, which is not actually a solution. I appreciate any help.

rras, nps and eap-tls


Good day!

We're trying to deploy a VPN scheme using RRAS (2008 R2 SP1, L2TP), NPS and certificates as the user authentication method.

The RRAS server's short name is RRAS. It is in a domain (AD, domain.local).

But we must use the local (on RRAS) SAM database (not domain users) as the user database.

We've changed the defaultdomain registry key to "RRAS" as shown in the TechNet article (https://technet.microsoft.com/en-us/library/dd197452(v=ws.10).aspx).

In NPS we've set up connection and network rules (nothing special, by default, only smartcard as the EAP auth method).

In the local SAM there is a test user "user1".

In the test certificate, in the UPN, we wrote "user1".

But we get the following error: Authentication failed due to a user credentials mismatch.

In windows security log we can see:

User:
Security ID: RRAS\user1
Account Name: user1
Account Domain: RRAS
Fully Qualified Account Name: RRAS\user1

It looks correct, isn't it?

Also we tried UPN=rras\user1, with the same result.

When we use AD as the user DB and UPN=user1@domain.local, it works correctly.

What are we doing wrong?

Can we use non-domain usernames as the UPN in certificates?

How do we map a non-domain user in a certificate?

Thanks!


I Can't access / ping a workstation joined to domain


I Can't access / ping a workstation joined to domain

WS1 Windows 8.1 Pro - This doesn't respond to ping by name or IP.

WS2 Windows 7 Pro

S1 Windows Small Business 2011 = DOMAIN CONTROLLER

All WS in the same Windows domain

User: Domain Administrator

From WS1 I can ping WS2 and any WS in the domain

From any other WS, including WS2 and S1, I cannot ping WS1

WS1 is visible in the Network window, but isn't accessible.

I already verified the firewall on WS1.

I configured LMHOSTS and HOSTS on WS2

WS1 worked OK until 10-12 days ago.

Many thanks for any suggestion.

Alex

RADIUS Authentication Problems with NPS Server Eventid 6274


Hi,

We have struggled for a while with RADIUS auth for some clients against an NPS server. When the user or computer tries to connect to the wireless network, the following error can be seen on the NPS server:

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:            host/hostname.domainname.com
    Account Domain:            -
    Fully Qualified Account Name:    -

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        40-20-B1-F4-BB-15:Wireless-SSID
    Calling Station Identifier:        C1-18-85-08-10-E1

NAS:
    NAS IPv4 Address:        192.168.10.10
    NAS IPv6 Address:        -
    NAS Identifier:            AP name
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            0

RADIUS Client:
    Client Friendly Name:        name
    Client IP Address:            192.168.10.10

Authentication Details:
    Connection Request Policy Name:    Secure Wireless Connections
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        NPS servername
    Authentication Type:        -
    EAP Type:            -
    Account Session Identifier:        -
    Reason Code:            3
    Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.

-----------------------------------------------------------------------------------------------------------------------------

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:            domainname\username
    Account Domain:            -
    Fully Qualified Account Name:    -

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
    Calling Station Identifier:        09-3E-8E-3E-5A-C9

NAS:
    NAS IPv4 Address:        192.168.10.10
    NAS IPv6 Address:        -
    NAS Identifier:            AP name
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            0

RADIUS Client:
    Client Friendly Name:        name
    Client IP Address:            192.168.10.10

Authentication Details:
    Connection Request Policy Name:    Secure Wireless Connections
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        NPS server name
    Authentication Type:        -
    EAP Type:            -
    Account Session Identifier:        -
    Reason Code:            3
    Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.

-----------------------------------------------------------------------------------------------------------------

Message seen from the AP's logs:

(317)IEEE802.1X auth is starting (at if=wifi0.2)

(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1

(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90

 (320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1

 (321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1

 (322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC  

Output omitted

(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver

We have other NPS servers with corresponding policy settings which are working, so I am having trouble understanding why this error occurs.

Initially the problem seemed to be related to the cert on the NPS server because it used the cert generated from the Computer template. Now it uses the template for Domain Controller just as the other NPS servers, so this should not be the issue (not sure if this matters?).

Please guide me on how to take this further.

Thank you :)

//Cris

3rd party certificates / configure valid NPS servers


We have set up a working 802.1x/RADIUS wired environment with MS NPS/NAP. We added a third-party certificate for the NPS server to get rid of certificate warnings for non-domain clients.

We have had a certificate for our mailserver since earlier (mailserver.domain.com). I do not know much about PKI, but we bought something like a "subcertificate" that is still issued to mailserver.domain.com but has the FQDNs of our NPS servers as SANs.

We have imported and configured the use of the certificate. The first thing that happened was that clients got a warning when connecting:

The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.

We corrected this error by following the KB http://support.microsoft.com/kb/2518158 and checking the CA in the NPS authentication configuration.

Now the "valid trust anchor" part of the error message has disappeared and it now looks like this:

http://www.chicagotech.net/images/ssl34.gif (with radius server: mailhost.domain.com).

Viewing our mailserver/NPS certificate, the certificate chain appears to be perfectly in order (we have imported intermediate certificates etc.).

The last part of the error message:

The server “mailhost.domain.com” is not configured as a valid NPS server to connect to for this profile.  

And that is correct, since that is our mailserver.

We have tried to register our mailserver as an NPS server (which it isn't) (netsh ras add registeredserver) and also issuing an NPS certificate to the mailserver, without luck.

Any suggestions?

User access to Exchange email Only


I have a requirement to create user accounts in AD and to set up these users with an Exchange email account which will only be accessible through the web (OWA) (users are using their own personal PCs or smartphones to access it from outside our domain). However, these users need to be blocked from accessing any other domain resources such as network files/folders/etc. if they ever got the chance to hack/access our secure network.

To simplify my life as an admin, since I have over 350 of these users, I have created an AD OU to separate these objects. Is there any way to allow the OU access to only email, specifically OWA, and nothing else?

Would it be better to add these users to a group and limit access for that group?

Thanks.  Russ

Rjobe

Windows Server 2008R2 problem with certification


Hi,

I have a problem with certification in my Windows Server 2008 R2. I'm trying to use the website localhost-certsrv/certsrv.asp, but the Cryptographic Services field (in the Key Options section) shows "Loading" all the time and I can't do anything.


NPS on Windows Server 2008 R2: Reason code 266 solved with kb article for Windows Server 2003 - but why?


Hi everyone,

A customer of mine wants to deploy 802.1x wired authentication in 70+ locations. So I set up a test lab and started playing. Eventually, I had my Cisco Catalyst 3560 switch (12.2(55) IP Base image) and my NPS server on Windows Server 2008 R2 up and running. The test client got certificates and all... But it did not authenticate. Instead, I got reason code 266 "The message received was unexpected or badly formatted."

So I googled a bit and found this old KB article http://support.microsoft.com/kb/933430/en-us. In the workarounds section I used method 3 on my NPS, which modifies the behavior of the SCHANNEL provider. This was indicated by another post on this forum (sorry, lost the link). Surprisingly, it worked! Now I wonder why?

Does this registry setting affect the security of the TLS session in a negative way? I do not want to roll out this "fix" unless I have a clear understanding of the security implications.

Any feedback is welcome!


----------------------- Greetings from Germany, Martin

email error message

I'm trying to set up a live.com email account on my phone. After putting in the email address and password I get an error message (failed). If I go through a search engine, the security asks me for the last four numbers of my phone number. It works that way, but I need it to work the other way. I have been using this email account on my laptop for years. I'm sure it is just security issues with your server.


Limit simultaneous connections of the same user to the domain

Kind regards. I have a very specific question: how do I limit the simultaneous connections of the same user to the domain? I tried LimitLogin but it has not been possible.