Hi There,
I have the strangest issue I have seen in terms of NPS authentication. I hope you might be able to help.
I have two NPS servers that were originally configured for use with Direct Access. They were working fine with no issues whatsoever. Our Direct Access uses two-factor authentication for user login.
Recently, we introduced an 802.1X policy on the NPS servers and have got this working successfully too. The authentication mechanism here uses a certificate issued by our internal CA server.
My laptop is configured to use both Direct Access and the wireless network, and so will attempt to connect to the NPS server to authenticate for either system, depending on whether I am inside or outside my network. I am running Windows 8 Enterprise edition with all the latest updates.
Before Wireless was set up, I could authenticate for Direct Access when I was outside the network with no issue. When the wireless was configured, I could authenticate for the Wireless network when I am inside the network.
Now, though, with both policies in place, when I am outside the network and connected to the Internet, Direct Access attempts to connect but needs my OTP to authenticate me. At this point I see a pop-up on my laptop saying "Windows needs your current credentials", and Active Directory reports my account as locked out. If I wait out the lockout period, or unlock my account, I can log in to Direct Access fine, until the next time I start up my laptop and connect to the Internet. The weird thing is that it doesn't always happen. Sometimes I can start up my laptop and it will not happen at all.
In troubleshooting this, I have done the following:
- Disabled the wireless policy on the NPS, and Direct Access never has any issues.
- Re-ordered the NPS policies: if the wireless Connection Request Policy is lower than the Direct Access policy and the wireless Network Policy, wireless will work, but Direct Access has issues. If the wireless policies are below the Direct Access policies, wireless won't work, and Direct Access still has issues.
- Built a separate NPS server that has only the wireless policy configured, and configured the wireless to use only that NPS server, but Direct Access still locks my account.
- On my laptop I notice Event ID 4771, Kerberos pre-authentication failed.
- On the domain controller, I notice the event saying my account has been locked out. The Caller Computer Name is our TMG firewall and the reason is 0x18 (bad password), though I have not entered my password yet!
If there is anything anyone can suggest to resolve this issue, it would be greatly appreciated!
jd
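The two events the post mentions (the lockout on the domain controller and Kerberos pre-authentication failure with status 0x18) are the usual starting point for tracing which host is replaying a stale password. The script below is an added example, not the original poster's code or anything from Microsoft: it pulls Security event 4740 ("A user account was locked out") for one account from each listed domain controller, then lists the 4771 events for the same account in the minutes before each lockout, showing the failure status, pre-authentication type and the client IP that sent the AS-REQ. In 4740 the EventData field named TargetDomainName is what Event Viewer displays as "Caller Computer Name"; the script reads that field directly. The parameter names, the default lookback window and the script filename in the usage line are assumptions for illustration. Run it with an account that can read the Security log on the DCs.

```powershell
<#
  Added example (not from the original post): correlate an AD account lockout
  (Security event 4740 on a domain controller) with the Kerberos
  pre-authentication failures (event 4771; Status 0x18 = KDC_ERR_PREAUTH_FAILED,
  i.e. bad password) logged shortly before it, so the Caller Computer Name in
  the lockout can be compared with the client IP of the failed AS-REQs.
  Parameter names and defaults are assumptions chosen for illustration.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,                             # e.g. 'jd'
    [string[]]$DomainController = @($env:COMPUTERNAME),  # DCs to query (assumed default: local host)
    [int]$LookbackHours = 24,                            # how far back to search the Security log
    [int]$WindowMinutes = 10                             # 4771s this long before each 4740 are shown
)

# Pull one named field out of an event's EventData XML (the names are those
# shown in the event's "Details > XML View" in Event Viewer).
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-$LookbackHours)
$lockouts = @()
$preauthFailures = @()

foreach ($dc in $DomainController) {
    # 4740: "A user account was locked out". The TargetDomainName field of this
    # event carries the Caller Computer Name, not the account's domain.
    $lockouts += Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } | Where-Object { (Get-EventDataValue $_ 'TargetUserName') -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Caller = Get-EventDataValue $_ 'TargetDomainName'
            }
        }

    # 4771: "Kerberos pre-authentication failed". IpAddress is the host that sent
    # the AS-REQ; IPv4 clients appear as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    $preauthFailures += Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since
    } | Where-Object { (Get-EventDataValue $_ 'TargetUserName') -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $dc
                Status      = Get-EventDataValue $_ 'Status'
                PreAuthType = Get-EventDataValue $_ 'PreAuthType'
                IpAddress   = (Get-EventDataValue $_ 'IpAddress') -replace '^::ffff:', ''
            }
        }
}

if (-not $lockouts) {
    "No 4740 lockout events for $SamAccountName in the last $LookbackHours h on: $($DomainController -join ', ')"
    return
}

# For each lockout, print the pre-authentication failures that led up to it.
foreach ($lock in ($lockouts | Sort-Object Time)) {
    "`nLocked out at $($lock.Time) on $($lock.DC); Caller Computer Name = $($lock.Caller)"
    $windowStart = $lock.Time.AddMinutes(-$WindowMinutes)
    $preauthFailures |
        Where-Object { $_.Time -ge $windowStart -and $_.Time -le $lock.Time } |
        Sort-Object Time |
        Format-Table Time, DC, Status, PreAuthType, IpAddress -AutoSize
}

# Usage (assumed script name):
#   .\Find-LockoutSource.ps1 -SamAccountName jd -DomainController dc1,dc2 -LookbackHours 48
```

Lockouts are only written on the DC that processed the bad attempts (and replicated to the PDC emulator), so query every DC or at least the PDC emulator. If the 4771 IpAddress is the TMG firewall while the Caller Computer Name is also the TMG, the bad password is arriving through the firewall's path rather than from the laptop's LAN address; comparing the PreAuthType (2 for a password-derived encrypted timestamp, 15 for PKINIT with a certificate) and the timestamps against when the laptop started its DirectAccess connection narrows which client component is sending the stale credential.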