Hi Experts,

I have an issue configuring 802 - cert based authentication in a forest trust using NPS on Windows 2008 R2 Enterprise.

I have two domains, let's call them OLD.LOCAL and NEW.LOCAL. Both are at 2008 R2 level, and a two-way trust is in place with full connectivity.

NEW.LOCAL has a NPS radius server with 802 authentication in place. Clients in NEW.LOCAL are automatically assigned a certificate through the Enterprise CA installed in NEW.LOCAL.

Clients in NEW.LOCAL can succesfully authenticate to NPS using their assigned client certificate.

However, NPS refuses connections from clients in OLD.LOCAL, reason code 16 'Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect'. This is an excerpt from the NPS eventlog:

User:
	Security ID:			OLD\LH042L01$
	Account Name:			host/LH042L01.OLD.LOCAL
	Account Domain:			OLD
	Fully Qualified Account Name:	OLD\LH042L01$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		08-EA-44-29-05-51:CLIENT-SSID
	Calling Station Identifier:		8C-70-5A-35-76-56

NAS:
	NAS IPv4 Address:		10.201.57.150
	NAS IPv6 Address:		-
	NAS Identifier:			LH-AP01
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		LH-AP01
	Client IP Address:			10.201.57.150

Authentication Details:
	Connection Request Policy Name:	incoming auth
	Network Policy Name:		incoming auth CERT
	Authentication Provider:		Windows
	Authentication Server:		NPS01.NEW.LOCAL
	Authentication Type:		EAP
	EAP Type:			Microsoft: Smart Card or other certificate
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The NPS policy referenced here (incoming auth cert) is set to allow machine group 'OLD\Wireless_Clients' and 'NEW\Wireless_Clients'. The client of the above log (LH042L01) is in the OLD\Wireless_Clients group.

The certificate authority of NEW.LOCAL is fully trusted by all clients in the OLD.LOCAL domain. I've used the certificate authority of NEW.LOCAL to issue computer certificates to clients of the OLD.LOCAL domain using the following method (CertReq):

http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5

I'd appreciate any advice you can offer.

• Edited by Jos Lieben Wednesday, August 08, 2012 10:35 AM
• Moved by Aiden_CaoMicrosoft community contributor, Moderator Thursday, August 09, 2012 7:11 AM (From:Network Infrastructure Servers)

Update (still not fixed):

I've decided to go an easier route, and threw a subordinate CA in the OLD.LOCAL domain. Clients in the OLD.LOCAL domain now enroll their certificates through CA.OLD.LOCAL (the cert path is thus CA.NEW.LOCAL -> CA.OLD.LOCAL -> CLIENT).

However, the error is still exactly the same...

I see the NPS server log NPS event ID 4400 (successfull LDAP connection with DC.OLD.LOCAL) and then deny the OLD.LOCAL domain client with the above error (reason code 16).

Hi,

Thanks for your post.

Quote from the following article.

When using EAP-TLS with certificates as the authentication method, you need to use one or more RADUIS proxy servers that forward authentication requests to the appropriate forest, even when the forests have a two-way, transitive trust relationship.

Please note that RADIUS proxy is required when authenticate cross forest for EAP-TLS. It is because part of the process requires a service principal name (SPN) lookup in Active Directory. However, SPN lookups do not work across trusts. When the NPS server receives the computer identity, it is in the form of an SPN (host/ComputerName.DNSDomainName). The NPS server passes the SPN to the local global catalog. If the global catalog is unable to match the SPN to a local domain account, it will fail the request with a No Valid Account Found error condition.

For more detailed information, you may refer to the following article.

Authentication across forests

http://technet.microsoft.com/en-us/library/cc778436(WS.10).aspx

RADIUS Proxy

http://technet.microsoft.com/en-us/library/cc731320(WS.10).aspx

Best Regards,

Aiden

Hi Aiden,

Thank you for the reply, it has put me on the right path and I have everything working now. For future readers/reference:

-NEW.LOCAL domain has the root enterprise certification authority

-NEW.LOCAL domain has an NPS server with two connection policies

Policy 1: regex on User Name: OLD\.LOCAL*
(this causes computer accounts in only the old domain, not users, to match this policy)
Policy 1 is forwarded to an NPS server in the OLD.LOCAL domain
This will match all cert based requests from the old domain, as normal user login shouldn't contain the .LOCAL
Policy 2: computer auth for the NEW.LOCAL domain, and user auth for both domains (this works over the trust)

-NEW.LOCAL has a two way trust with OLD.LOCAL

-OLD.LOCAL has a subordinate certificate authority under NEW.LOCAL's CA

-both domains have auto enrollment policies and wifi profiles configured through a GPO

-the OLD.LOCAL domain has its own NPS server for forwarded cert requests for laptops in the old domain

If you're reading this and are hoping to match a user to a network policy on the SSID in the Called Station ID condition which our Aerohive devices send through, don't even try because regex is broken (microsoft bug) in 2008 R2 NPS. In my case this doesn't hurt as only the computer (and thus cert) based requests are forwarded by the NEW.LOCAL NPS server.

Feel free to contact me in case you run into a similar situation and can't figure it out.

• Marked as answer by Jos Lieben Thursday, August 09, 2012 11:21 AM

You CAN use one NPS server for multiple Forest with two way trust.   

Keyword "LMHOST" then refresh your netbios cache and enable Netbios over TCPIP 

I am not sure about the security side of it but it worked.

 

Hi Mike,

Can you provide an example of your LMHOST config? Did you just add an entry to your lmhosts on the server?

Cheers,

Josh

• Edited by Joshua1909 4 hours 28 minutes ago