Good day!
We're trying to deploy a VPN scheme using RRAS (2008 R2 SP1, L2TP), NPS and certificates as the user authentication method.
The RRAS server's short name is RRAS. It is in a domain (AD, domain.local).
But we must use the local (on RRAS) SAM database (not domain users) as the user database.
We've changed the defaultdomain registry key to "RRAS" as shown in the TechNet article (https://technet.microsoft.com/en-us/library/dd197452(v=ws.10).aspx).
In NPS we've set up connection and network rules (nothing special, defaults only, with smart card as the only EAP auth method).
In the local SAM there is a test user "user1".
In the test certificate, in the UPN, we wrote "user1".
But we get the following error: Authentication failed due to a user credentials mismatch
In windows security log we can see:
User:
Security ID: RRAS\user1
Account Name: user1
Account Domain: RRAS
Fully Qualified Account Name: RRAS\user1
It looks correct, doesn't it?
We also tried UPN=rras\user1 - the same result.
When we use AD as the user DB and UPN=user1@domain.local, it works correctly.
What are we doing wrong?
Can we use non-domain usernames as the UPN in certificates?
How do we map a non-domain user in the certificate?
Thanks!
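An added diagnostic script, not from the original poster, that checks the three things the post relies on from the NPS/RRAS server side: what UPN the test certificate actually carries in its Subject Alternative Name, whether "user1" exists in the server's local SAM, and what the most recent NPS denial events (Security event ID 6273) report as the reason. The certificate path is a placeholder, and the registry path for the DefaultDomain value is my recollection of the linked TechNet article and should be verified against it.

```powershell
# Added diagnostic (not part of the original post). Run as an administrator
# on the RRAS/NPS server (Windows Server 2008 R2, PowerShell 2.0 or later).
# Assumptions: the test user certificate is exported to C:\temp\user1.cer
# (placeholder path) and the expected local account is RRAS\user1.

$CertPath    = 'C:\temp\user1.cer'   # placeholder: exported test certificate
$ExpectedUpn = 'user1'               # value the post says was placed in the UPN
$LocalUser   = 'user1'               # local SAM account named in the post

# 1. Read the Subject Alternative Name extension (OID 2.5.29.17).
#    The UPN, if present, appears as "Other Name: Principal Name=<value>".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    Write-Warning 'Certificate has no Subject Alternative Name extension, so there is no UPN to match on.'
} else {
    $sanText = $san.Format($true)
    Write-Host "SAN extension:`n$sanText"
    if ($sanText -match 'Principal Name=(\S+)') {
        $actualUpn = $Matches[1]
        if ($actualUpn -eq $ExpectedUpn) {
            Write-Host "UPN in certificate matches expected value: $actualUpn"
        } else {
            Write-Warning "UPN in certificate is '$actualUpn', expected '$ExpectedUpn'"
        }
    } else {
        Write-Warning 'SAN extension present but contains no Principal Name (UPN) entry.'
    }
}

# 2. Confirm the account exists in this server's local SAM (not in the domain).
#    Win32_UserAccount is used because Get-LocalUser is not available on 2008 R2.
$account = Get-WmiObject Win32_UserAccount `
    -Filter "LocalAccount=True AND Domain='$env:COMPUTERNAME' AND Name='$LocalUser'"
if ($account) {
    Write-Host "Local SAM account found: $($account.Caption) (SID $($account.SID))"
} else {
    Write-Warning "No local SAM account named '$LocalUser' on $env:COMPUTERNAME"
}

# 3. Show the DefaultDomain value the post says was changed to "RRAS".
#    Assumption: this is the key the linked TechNet article describes; verify there.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltInEAP'
$defaultDomain = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).DefaultDomain
Write-Host "DefaultDomain under $regPath = '$defaultDomain'"

# 4. Pull the latest NPS "access denied" events (ID 6273) and print the
#    account fields and reason text, which is where the mismatch message comes from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "---- $($_.TimeCreated) ----"
        # Keep only the lines a troubleshooter needs: who was denied and why.
        $_.Message -split "`r?`n" |
            Where-Object { $_ -match 'Account Name|Account Domain|Fully Qualified|Reason Code|Reason:' } |
            ForEach-Object { Write-Host $_.Trim() }
    }
```

Comparing the "Principal Name" printed in step 1 with the "Fully Qualified Account Name" in the step 4 output shows exactly which identity NPS derived from the certificate and tried to look up, which is the first thing to establish before changing the certificate or the registry again.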