Question
Tuesday, June 11, 2019 12:33 PM
We set up Radius (NPS) about a year and a half ago on Windows Server 2012 and it's been running fine... until now. We're baffled because we're not aware of any changes that have been made.
We are having an issue where Windows devices will not authenticate with our Radius server (NPS). All other types of devices work fine; the issue seems to only impact Windows specifically.
The Network policy settings haven't changed, and we've verified that our certificate isn't expired. We are configured for EAP Types: PEAP and EAP-MSCHAP v2.
The error we get in Event Viewer is Event ID: 6273 Reason Code: 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect"
Since the username and password work just fine when connecting smartphones and other devices, it makes me think that the information getting sent back by Windows clients isn't in a format that the server recognizes as valid, or the server isn't parsing through the information correctly.
I have spent a lot of time reviewing every article I can find to try and resolve this issue, but no luck yet. Any help would be GREATLY appreciated!
All replies (7)
Thursday, June 13, 2019 8:48 AM ✅ Answered
Hi,
There are some settings you can check:
- The network access server is under attack
- NPS does not have access to the user account database on the domain controller
- NPS log files or the SQL Server database are not available
The Network policy settings haven't changed, and we've verified that our certificate isn't expired. We are configured for EAP Types: PEAP and EAP-MSCHAP v2.
What about the configurations of clients? Authentication methods?
Please refer to the link below:
/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v=ws.10)
Best regards,
Travis
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Tuesday, June 11, 2019 2:08 PM
Hello!
What version of Windows client OS?
Check the certificate subject name.
Older operating systems (Windows 7 and earlier) require a subject name in the server certificate.
Tuesday, June 11, 2019 2:23 PM
I have tested with Win 10, 8.1 and 7. All fail to connect. I have also tried Windows devices that are not a part of our domain with the same result.
Wednesday, June 12, 2019 2:29 AM
Hi,
Did you check the user name and password in event properties?
On the clients, uncheck Remember credentials and enter the password manually.

Best regards,
Travis
Wednesday, June 12, 2019 11:40 AM
Thanks for the reply,
I do see the correct username showing up correctly in the Event Properties. Normally, we check the box that says "Use my Windows user account" which uses the same credentials that Radius authenticates against in Active Directory. I've tried manually entering the username and password with the same result.
Friday, June 14, 2019 3:41 PM
Hello K12-Ed-IT,
This suggestion should be considered an "option of last resort" and even then it might not be worth the effort. It is something that I have used to analyse VPN authentication problems with Windows 10 and IAS. Some aspects might work under Windows Server 2012 and NPS.
I use Event Tracing for Windows to trace the following event providers (the list is in a format suitable for use with logman.exe):
{b2cbf6dc-392a-43ae-98d2-1aa66dfcb2c3} 0xFFFFFFFF 255 # IAS NAP NPS
{bae49237-f9d2-4eea-b660-1aa0f1f5637f} 0xFFFFFFFF 255 # IAS NAP NPS hlpr
{997590ef-d144-4d41-b7fb-7028ae295b04} 0xFFFFFFFF 255 # IAS NAP NPS sam + nap + svcs
{822bec9e-660f-4f9d-96b5-ead6874cb0bd} 0xFFFFFFFF 255 # IAS NAP NPS acct
{c124ef85-9447-4a75-be21-3a97fdda3e81} 0xFFFFFFFF 255 # IAS NAP NPS polcy
{c2300092-f475-42ae-9ea9-66c268bef2c6} 0xFFFFFFFF 255 # IAS NAP NPS sdo
{ea500216-dc45-4f41-a1dc-e37ea5df188e} 0xFFFFFFFF 255 # IAS NAP NPS rad
{574450b9-c7f9-4c05-a01e-b90f8f7744e3} 0xFFFFFFFF 255 # IAS NAP NPS recst + datastore
{b9f181e1-e221-43c6-9ee4-7f561315472f} 0xFFFFFFFF 255 # RASMan
Microsoft-Windows-RRAS
Microsoft-Windows-Security-Auditing
The IAS/NAP/NPS providers are WPP providers (see https://docs.microsoft.com/en-us/windows/desktop/etw/event-metadata-overview for the difference between WPP, MOF, Manifest-based and TraceLogging providers) - that's why GUIDs rather than names are used. The GUIDs might be different under Windows Server 2012.
If the GUIDs are not recognized (logman reports something like "Element not found"), one could try just using the two manifest-based providers (Microsoft-Windows-RRAS and Microsoft-Windows-Security-Auditing); again, there is no guarantee that these will provide any useful information in your scenario.
To create a trace, save the list of providers in a file (e.g. "providers.lst") and start the trace with the command:
logman start nps-prob -ets -pf providers.lst -o nps-prob.etl
Once the problem has been reproduced, the trace can be stopped with the command:
logman stop nps-prob -ets
The trace data in nps-prob.etl can be viewed in Microsoft's Message Analyzer (MMA) but, assuming that any useful data is collected, it will take some experience to understand.
Gary
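The trace procedure from the reply above, wrapped in one PowerShell script as an added example (not part of the original post): it writes the provider file, falls back to the two manifest-based providers if logman rejects the full list, always stops the session, and then lists the Event ID 6273 entries logged during the capture. The file name providers-manifest.lst and the variable names are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt on the NPS server.
$session = 'nps-prob'
$etl     = Join-Path $PWD 'nps-prob.etl'
$full    = Join-Path $PWD 'providers.lst'
$reduced = Join-Path $PWD 'providers-manifest.lst'   # hypothetical file name

# WPP provider GUIDs as listed in the post; they may differ on Windows Server 2012.
$wpp = @(
    '{b2cbf6dc-392a-43ae-98d2-1aa66dfcb2c3}'   # IAS NAP NPS
    '{bae49237-f9d2-4eea-b660-1aa0f1f5637f}'   # IAS NAP NPS hlpr
    '{997590ef-d144-4d41-b7fb-7028ae295b04}'   # IAS NAP NPS sam + nap + svcs
    '{822bec9e-660f-4f9d-96b5-ead6874cb0bd}'   # IAS NAP NPS acct
    '{c124ef85-9447-4a75-be21-3a97fdda3e81}'   # IAS NAP NPS polcy
    '{c2300092-f475-42ae-9ea9-66c268bef2c6}'   # IAS NAP NPS sdo
    '{ea500216-dc45-4f41-a1dc-e37ea5df188e}'   # IAS NAP NPS rad
    '{574450b9-c7f9-4c05-a01e-b90f8f7744e3}'   # IAS NAP NPS recst + datastore
    '{b9f181e1-e221-43c6-9ee4-7f561315472f}'   # RASMan
)
$manifest = @('Microsoft-Windows-RRAS', 'Microsoft-Windows-Security-Auditing')

# One provider per line; the WPP entries get the keyword mask and level from the post.
@($wpp | ForEach-Object { "$_ 0xFFFFFFFF 255" }) + $manifest |
    Set-Content -Path $full -Encoding ASCII
$manifest | Set-Content -Path $reduced -Encoding ASCII

$started = Get-Date
logman start $session -ets -pf $full -o $etl
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Full provider list rejected; retrying with the manifest-based providers only.'
    logman start $session -ets -pf $reduced -o $etl
    if ($LASTEXITCODE -ne 0) { throw "logman could not start trace session '$session'." }
}
try {
    Read-Host 'Trace running. Reproduce the failing Windows client logon, then press Enter' | Out-Null
}
finally {
    logman stop $session -ets    # always stop, even if the prompt is interrupted
}

# NPS rejections (Event ID 6273) logged while the trace ran, for lining up with the .etl.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $started } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Message
```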
Tuesday, June 18, 2019 6:56 AM
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Travis