Hi all,
I'm trying to set up certificate-based authentication for a terminal zero client (DELL FX100 with Teradici firmware, if it matters), but the authentication fails.
I have:
- certificate with the UPN as Subject and <samaccountname>.<domain.name> and <samaccountname> in the SAN, issued by our Enterprise Root CA (created from a duplicated 'Computer' template to allow a custom name)
- AD user account with assigned public part of the certificate above (using Name Mappings)
- certificate w/ PK above and CA certificate uploaded to the client and identity set to UPN of the user account above.
- SPN set to the user account ("host/<samaccountname>", and "host/<samaccountname>.<domain.name>")
I've created CRP and NP in NPS server via 'Configure 802.1x' wizard with wired settings (no conditions, but the NAS-Type = Ethernet).
Well, the zero client cannot be authenticated "due to a user credentials mismatch" (reason code 16) - I'm getting Event ID 6273 / Network Policy Server in the security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/21/2013 12:28:31 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NPS.domain.tld
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
  Security ID: DOMAIN\DELL-FX100-01
  Account Name: DELL-FX100-01@domain.tld
  Account Domain: DOMAIN
  Fully Qualified Account Name: DOMAIN\DELL-FX100-01

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 3C-DF-1E-71-EE-81
  Calling Station Identifier: 00-22-5B-02-75-BF

NAS:
  NAS IPv4 Address: x.y.z.235
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Ethernet
  NAS Port: 50001

RADIUS Client:
  Client Friendly Name: cat3560-test
  Client IP Address: x.y.z.235

Authentication Details:
  Connection Request Policy Name: Secure Wired (Ethernet) Connections
  Network Policy Name: Secure Wired (Ethernet) Connections
  Authentication Provider: Windows
  Authentication Server: NPS.domain.tld
  Authentication Type: EAP
  EAP Type: Microsoft: Smart Card or other certificate
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 16
  Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
What could be wrong?
Regards,
R.*
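The post lists the pieces an EAP-TLS (Smart Card or other certificate) logon depends on: the UPN and SAN entries in the client certificate, the Client Authentication EKU, the AD account's UPN, its Name Mappings (the altSecurityIdentities attribute) and the SPNs. The script below pulls those values from the exported client certificate and from the AD user side by side so a mismatch is visible at a glance. It is an added diagnostic example, not code from the original post or from Dell, Teradici or Microsoft; the certificate path, the parameter names and the account name are assumptions (the account name is taken from the 6273 event above), and it needs the ActiveDirectory module on the machine it runs on.

```powershell
# Added example: compare the client certificate with the AD account NPS resolved it to.
# Assumed inputs: the client's certificate (public part) exported to $CertPath,
# and the sAMAccountName shown in the 6273 event.
param(
    [string]$CertPath       = 'C:\temp\DELL-FX100-01.cer',  # assumed path
    [string]$SamAccountName = 'DELL-FX100-01'               # from the event's "Account Name"
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Subject Alternative Name is OID 2.5.29.17; Format($true) returns a multi-line dump
# in which a UPN shows up as "Principal Name=<upn>" and host names as "DNS Name=<name>".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$sanLines = $sanText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$certUpn  = ($sanLines | Where-Object { $_ -match '^Principal Name=' }) -replace '^Principal Name=', ''
$certDns  = ($sanLines | Where-Object { $_ -match '^DNS Name=' })       -replace '^DNS Name=', ''

# NPS requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2) on the client certificate.
$ekuOids       = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$hasClientAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.2'

# The AD side: UPN, explicit Name Mappings (altSecurityIdentities) and SPNs.
$user = Get-ADUser -Identity $SamAccountName `
    -Properties UserPrincipalName, altSecurityIdentities, servicePrincipalName, Enabled

# One row of facts; anything that does not line up is the place to look first.
[pscustomobject]@{
    CertSubject       = $cert.Subject
    CertIssuer        = $cert.Issuer
    CertNotAfter      = $cert.NotAfter
    CertSanUpn        = ($certUpn -join '; ')
    CertSanDns        = ($certDns -join '; ')
    CertHasClientAuth = $hasClientAuth
    ADAccountEnabled  = $user.Enabled
    ADUserUpn         = $user.UserPrincipalName
    UpnMatchesAccount = (@($certUpn) -contains $user.UserPrincipalName)
    ADNameMappings    = (@($user.altSecurityIdentities) -join '; ')
    ADSpns            = (@($user.servicePrincipalName) -join '; ')
}
```

Run it on the NPS server or any domain-joined admin workstation with RSAT installed. A Name Mapping entry is stored as an "X509:<I>issuer<S>subject" string, so the ADNameMappings column can be read against CertIssuer and CertSubject directly; if the SAN UPN differs from ADUserUpn, or CertHasClientAuth is false, that alone produces a reason code 16 style denial on the NPS side.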