NPS: "Unable to Connect to a Domain Controller..."

Question

Monday, November 14, 2016 8:21 PM

Our NPS Server is not authenticating users from time to time with the message "unable to connect to a domain controller in the domain where the user account is located."

While we do have 3 child domains in our AD Forest, the NPS server is in the only child domain that has accounts currently being used with NPS. Plus, this only happens the first few times you try to connect. If you give it a few minutes after your first attempt, it will successfully authenticate you when you try again. I've run "nltest /dsgetdc:domainname" from the NPS server, and it returns the correct info. DNS appears to be 100% correct too. I can resolve IPs for the domain name. The NPS server is registered with AD too (it exists in the RAS and IAS Servers AD Group).

Why is it only failing on the first few attempts? This is a major issue as we were planning to roll this new AD authenticated wireless network out to a few hundred employees within the next week or two.

All replies (3)

Tuesday, November 15, 2016 3:06 AM

Hi Evan,

>>Our NPS Server is not authenticating users from time to time with the message "unable to connect to a domain controller in the domain where the user account is located."

Have you configured user group conditions on NPS policies?

Have you checked the event logs about the issue?

What is the OS on your NPS server?

Please try to fix the issue by following the article below:

Event ID 4402 — NPS and Domain Controller Communication

https://technet.microsoft.com/en-us/library/cc735393(v=ws.10).aspx

Best Regards

John

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Tuesday, November 15, 2016 4:05 AM

Yes, we use an AD User Group in our policy for authentication. That is why users are unable to connect when the NPS Server claims that it cannot reach a DC. The only event in the logs is the Security Audit event that says authentication failed for NPS because the DC could not be reached. However, when I receive this error for a user who hasn't connected within 12-24 hours, other users who have authenticated recently are still able to authenticate. Plus, when I run tests from the NPS server, I am able to reach the DCs without any issues. The authentication is simply failing with this error every time a user tries to connect for the first time that day, but then when they try again in 3-5 minutes, the error stops occurring, and they are authenticated successfully. NPS is running on Server 2012 R2, and the Domain consists of 2008 R2 and 2012 R2 DCs. The Domain is 2008 R2 level, and the Forest is 2003 level.
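The checks discussed in this thread (DC locator with nltest, DNS resolution for the domain, "RAS and IAS Servers" membership, and the NPS events John points to) collected into one diagnostic script. This is an added example, not code from the thread; the domain name in $Domains is a placeholder, and it assumes an elevated PowerShell session on a Server 2012 R2 or later NPS server where Resolve-DnsName and Test-NetConnection exist.

```powershell
# Added diagnostic for the symptoms in this thread (not code from the original posts).
# Run in an elevated PowerShell session on the NPS server.
# $Domains is a placeholder: list every domain whose accounts authenticate via this NPS.
param([string[]]$Domains = @('child.example.com'), [int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. NPS denials whose reason mentions a domain controller (Security log, event 6273)
#    and NPS "no domain controller available" errors (System log, event 4402).
$denials  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=$since} `
                -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'domain controller' }
$dcErrors = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4402; StartTime=$since} `
                -ErrorAction SilentlyContinue
"NPS denials mentioning a domain controller since ${since}: $(@($denials).Count)"
"NPS event 4402 since ${since}: $(@($dcErrors).Count)"
# Timestamps let you correlate a denial with DC locator state or a packet capture.
$denials | Select-Object -First 5 TimeCreated | Format-Table -AutoSize

# 2. Per domain: DC locator result (cached and forced), SRV records, Kerberos/LDAP ports.
foreach ($d in $Domains) {
    "--- $d ---"
    nltest "/dsgetdc:$d" 2>&1 | Select-String 'DC:|Flags:|ERROR'
    nltest "/dsgetdc:$d" /force 2>&1 | Select-String 'DC:|ERROR'   # bypass the locator cache
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
    if (-not $srv) { "NO SRV records for _ldap._tcp.dc._msdcs.$d"; continue }
    foreach ($rec in $srv) {
        foreach ($port in 88, 389) {   # Kerberos and LDAP, both needed for NPS authentication
            $ok = (Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                      -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0} tcp/{1} reachable: {2}' -f $rec.NameTarget, $port, $ok
        }
    }
}

# 3. The NPS computer account must be in "RAS and IAS Servers" to read account dial-in properties.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = ([ADSISearcher]$filter).FindOne()
$inGroup  = $computer -and (@($computer.Properties['memberof']) -match '^CN=RAS and IAS Servers,')
"Member of 'RAS and IAS Servers': $([bool]$inGroup)"
```

Run it once right after a user's first-attempt failure and again after the retry succeeds; a difference in the forced locator result or in port reachability between the two runs points at the DC that is intermittently unreachable.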


Thursday, November 17, 2016 7:06 AM

Hi Evan,

>>The only event in the logs is the Security Audit event that says authentication failed for NPS because the DC could not be reached

Have you checked if the connection between the DC and NPS is correct when the issue occurred?

Please try to capture the packets using Microsoft Network Monitor, and check if the client has sent a connection request to the NPS server; then you could analyze the processes between the DC and NPS.

Best Regards

John
