I am running NPS as a RADIUS server on a domain controller (Windows 2008 R2) for a Cisco VPN gateway, for the domain in our subsidiary in the U.S. We have it configured using MS-CHAP-v2 and authenticating against AD (authenticate on local machine), and all is good. However, when I applied a GPO that we developed and deployed in our head office using the CIS CAT tools to increase security on the domain controllers, the NPS server begins rejecting everyone who connects with Event ID 6273, Reason Code 16: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
If I remove the GPO, all is well again. I have gone through the GPO and made sure there were no references to accounts (groups or otherwise) or network paths that were not available in the aforementioned domain. I am wondering if NPS requires unauthenticated access to the directory in order to perform the account lookups. The reason I ask is that after the GPO is active, I never see the event indicating a connection to the directory (Event ID 4400). We have disabled all unauthenticated access to AD as well as anonymous account enumeration in the GPO. Should we be running NPS with a user account in this case?
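The following diagnostic is an added example, not code from the poster or from any answer on the page. It pulls the NPS events the post mentions (6273 denials, 6272 grants and the 4400 LDAP-connection event) from the Security log on the NPS server and prints the effective values of the anonymous-access and LAN Manager settings that a CIS-style hardening GPO commonly tightens, so the two can be compared with the GPO linked and unlinked. The registry values are the standard backing values for the named policies; the event-data field names used to extract the reason code (`ReasonCode`, `Reason`, `FullyQualifiedSubjectUserName`, `AuthenticationType`) are an assumption and should be checked against the XML of one 6273 event on the box in question. It is written to run under the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added diagnostic for the scenario in the post (not the poster's own code).
# Run in an elevated PowerShell on the NPS server / DC, once with the hardening
# GPO applied and once without, and diff the output.
# Assumed: 6273 event-data field names (ReasonCode, Reason, ...) - verify them
# against one event's ToXml() output on your own server.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 1. NPS events live in the Security log:
#    6273 = network policy server denied access
#    6272 = network policy server granted access
#    4400 = LDAP connection with a domain controller established
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273, 4400
    StartTime = $since
} -ErrorAction SilentlyContinue)

function Get-EventField {
    # Read one named <Data> element from the event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

"NPS events in the Security log since $since"
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# Summarise the denials by reason code so a uniform "reason 16" stands out.
$denials = $events | Where-Object { $_.Id -eq 6273 } | ForEach-Object {
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        User       = Get-EventField $_ 'FullyQualifiedSubjectUserName'
        AuthType   = Get-EventField $_ 'AuthenticationType'
        ReasonCode = Get-EventField $_ 'ReasonCode'
        Reason     = Get-EventField $_ 'Reason'
    }
}
$denials | Group-Object ReasonCode | ForEach-Object {
    "{0,4} x reason {1}: {2}" -f $_.Count, $_.Name, $_.Group[0].Reason
}

# The post reports that 4400 stops appearing once the GPO is active.
if (-not ($events | Where-Object { $_.Id -eq 4400 })) {
    Write-Warning "No 4400 (LDAP connection to DC) events since $since"
}

# 2. Effective values of the policies the GPO is likely to have changed.
#    Each entry: policy display name, registry path and backing value name.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$checks = @(
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa; Name = 'RestrictAnonymous' },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Path = $lsa; Name = 'RestrictAnonymousSAM' },
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users';             Path = $lsa; Name = 'EveryoneIncludesAnonymous' },
    @{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares';           Path = $srv; Name = 'RestrictNullSessAccess' },
    @{ Policy = 'Network security: LAN Manager authentication level';                           Path = $lsa; Name = 'LmCompatibilityLevel' }
)

"`nEffective anonymous-access / LM settings on this server:"
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { '<not set>' }
    "{0,-80} {1,-26} = {2}" -f $c.Policy, $c.Name, $value
}
```

Running this twice, with and without the GPO linked, shows whether every denial carries reason 16 and which of the listed values actually changed; that narrows the comparison from the whole CIS baseline to a handful of settings before anyone starts toggling them one at a time in a test OU.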