
NPS cross-trust authentication failure


Hi Experts,

I have an issue configuring 802 cert-based authentication in a forest trust using NPS on Windows 2008 R2 Enterprise.

I have two domains, let's call them OLD.LOCAL and NEW.LOCAL. Both are at 2008 R2 level, and a two-way trust is in place with full connectivity.

NEW.LOCAL has an NPS RADIUS server with 802 authentication in place. Clients in NEW.LOCAL are automatically assigned a certificate through the Enterprise CA installed in NEW.LOCAL.

Clients in NEW.LOCAL can successfully authenticate to NPS using their assigned client certificate.

However, NPS refuses connections from clients in OLD.LOCAL, reason code 16 'Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect'. This is an excerpt from the NPS event log:

User:
	Security ID:			OLD\LH042L01$
	Account Name:			host/LH042L01.OLD.LOCAL
	Account Domain:			OLD
	Fully Qualified Account Name:	OLD\LH042L01$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		08-EA-44-29-05-51:CLIENT-SSID
	Calling Station Identifier:		8C-70-5A-35-76-56

NAS:
	NAS IPv4 Address:		10.201.57.150
	NAS IPv6 Address:		-
	NAS Identifier:			LH-AP01
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		LH-AP01
	Client IP Address:			10.201.57.150

Authentication Details:
	Connection Request Policy Name:	incoming auth
	Network Policy Name:		incoming auth CERT
	Authentication Provider:		Windows
	Authentication Server:		NPS01.NEW.LOCAL
	Authentication Type:		EAP
	EAP Type:			Microsoft: Smart Card or other certificate
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The NPS policy referenced here (incoming auth cert) is set to allow machine group 'OLD\Wireless_Clients' and 'NEW\Wireless_Clients'. The client of the above log (LH042L01) is in the OLD\Wireless_Clients group.

The certificate authority of NEW.LOCAL is fully trusted by all clients in the OLD.LOCAL domain. I've used the certificate authority of NEW.LOCAL to issue computer certificates to clients of the OLD.LOCAL domain using the following method (CertReq):

http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5

I'd appreciate any advice you can offer.
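Added diagnostic for the mapping step that reason code 16 reports, not part of the original post: NPS maps a machine certificate to an account through its Subject Alternative Name (the log above shows the derived name host/LH042L01.OLD.LOCAL), so this script reads the SAN from an exported copy of the client certificate, looks the matching computer account up in the trusted domain, and checks that the chain builds on the NPS server. It assumes it runs on NPS01.NEW.LOCAL with the ActiveDirectory module installed; the certificate path is a placeholder.

```powershell
# Assumptions (not from the post): run on the NPS server, ActiveDirectory module present,
# client certificate exported to the placeholder path below.
param(
    [string]$CertPath      = 'C:\temp\LH042L01.cer',   # placeholder path
    [string]$TrustedDomain = 'OLD.LOCAL',
    [string]$ExpectedGroup = 'Wireless_Clients'
)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Subject Alternative Name (OID 2.5.29.17): the name NPS derives the account from.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'No Subject Alternative Name; NPS has nothing to map to an account.' }
$sanText  = $sanExt.Format($true)
$dnsNames = [regex]::Matches($sanText, 'DNS Name=(\S+)')       | ForEach-Object { $_.Groups[1].Value }
$upns     = [regex]::Matches($sanText, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
Write-Host "SAN DNS names: $($dnsNames -join ', ')  UPNs: $($upns -join ', ')"

# 2. Resolve the account across the trust the same way the NPS log names it (host/<FQDN>).
foreach ($dns in $dnsNames) {
    $spn  = "host/$dns"
    $acct = Get-ADComputer -Server $TrustedDomain -LDAPFilter "(servicePrincipalName=$spn)" `
                -Properties dNSHostName, memberOf -ErrorAction SilentlyContinue
    if (-not $acct) {
        Write-Host "FAIL $spn not found in $TrustedDomain (matches the reason 16 text: no account to map to)"
        continue
    }
    Write-Host "OK   $spn -> $($acct.SamAccountName)"
    # Group check mirrors the network policy condition on <domain>\Wireless_Clients.
    $inGroup = $acct.memberOf | Where-Object { $_ -match "^CN=$ExpectedGroup," }
    Write-Host ("     member of {0}: {1}" -f $ExpectedGroup, [bool]$inGroup)
}

# 3. The issuing CA chain must also build on the NPS server itself.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Host "CHAIN $($_.Status): $($_.StatusInformation)" }
} else {
    Write-Host "OK   chain builds to $($chain.ChainElements[-1].Certificate.Subject)"
}
```

If the lookup and chain both succeed yet NPS still returns reason 16, check that the NPS server's computer account is a member of the RAS and IAS Servers group in OLD.LOCAL, since NPS reads the trusted domain's account properties under that membership.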
