Oct 08 2021 07:52 AM
We have a Windows server 2019 datacenter server running NPS. Our WiFi Office clients authenticate to this server for access to the corporate WiFi network. We use computer authentication, so members of the "domain computers" group are allowed access in the policy (we only want domain computers on this network and we don't want users to need to enter their user credentials).
We use GPO to provision a WiFi profile to the domain computers, in which we configure that computer authentication is needed. Our Windows 10 clients (literally all of them) are connecting nicely (I have anonimized the event log for security purposes:
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\COMPUTER$
Account Name: host/COMPUTER.domain.nl
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\COMPUTER$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: xx-xx-xx-xx-xx-xx:SSID
Calling Station Identifier: XX-XX-XX-XX-XX-XX
NAS:
NAS IPv4 Address: x.x.x.x
NAS IPv6 Address: -
NAS Identifier: AP01
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: SonicPoint HQ 1
Client IP Address: x.x.x.x
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
Authentication Provider: Windows
Authentication Server: NPS.DOMAIN.nl
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: "edited"
Logging Results: Accounting information was written to the local log file.
When a Windows 11 client (all of them actually) tries to connect, we see the following logged (again, anonimized):
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/COMPUTER.domain.nl
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\COMPUTER$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: XX-XX-XX-XX-XX-XX:SSID
Calling Station Identifier: XX-XX-XX-XX-XX-XX
NAS:
NAS IPv4 Address: x.x.x.x
NAS IPv6 Address: -
NAS Identifier: AP01
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: SonicPoint HQ 1
Client IP Address: x.x.x.x
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless)
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS.domain.nl
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: "edited"
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The only real difference I see is that for the Windows 11 client, NULL SID is provided as "Security ID". Could it be that this is causing NPS to not be able to verify that the machine that is attempting to connect is a member of the security group which is allowed to connect (the default group "Domain Computers")?
Looking forward to either a quick bug fix or a configuration change I need to make. Maybe other Windows Server admins are also experiencing this issue?
Oct 13 2021 04:32 AM
@PaulvDam We are also experiencing the same exact issue. Clients get the certificate and will not connect to our NPS server to connect to our wifi. Were you able to find a fix?
Oct 13 2021 04:42 AM
Oct 17 2021 11:52 PM
SolutionOct 18 2021 05:09 AM
Thanks for this very good suggestion, I have looked into it and there is indeed a case difference between the policy and the certificate.
However, after remediating this (setting the policy to upper case for both our NPS servers), the problem remained. This is no doubt all related, because more or less the same GUI is user for direct access always online VPN profiles, so I'm guessing we are almost there in solving this issue.
Oct 18 2021 05:32 AM
We figured our issue out. We had a GPO that pointed to our NPS server and in the GPO the NPS server name was all lowercase and our NPS server is capitalized. That was ultimately the problem. A simple fix but not obvious at all
Oct 18 2021 06:46 AM
OK something unexpected here... I had to recreate the WiFi profile using a new Profile Name (Windows remembered the lower case setting if the profile had the same name).
This solved the issue, so in the end it was also the case sensitivity that was introduced in Windows 11.
Thanks a lot guys!
Oct 21 2021 09:33 AM
Feb 09 2022 11:53 AM
May 02 2022 02:32 PM
Jul 12 2022 05:24 AM
Oct 21 2022 05:06 PM
For our environment it was due to credential guard. This will break anything using PEAP w/MS-CHAPv2, including machine authentication. It's also extremely tricky to debug because this requires Windows Enterprise version and since we are using E3 licenses (included in there is the OS Enterprise license) this problem only surfaces eventually when the OS is upgraded to enterprise in the background (enabled by default with Enterprise, does not get enabled with only Pro).
Fix: Group Policy->Administrative Templates->System->Device Guard->Turn On Virtualization Based Security (set to DISABLED).
Dec 08 2022 01:34 PM
Dec 14 2022 11:55 AM
Jan 12 2023 04:58 AM
@BenBoldt can you elaborate a bit on what GPO you did make, in order to solve this issue? 🙂
We just Upgraded our Windows 10 hybrid to Windows 11 - and now we got this issue. 😞
Jan 13 2023 04:48 AM
Feb 02 2023 02:40 AM
Our fix is to rename the NPS server so its name is lowercase. Since our NPS's are also a a DCs the steps are
1. uninstall Certificate Authority
2. rename the server to lowercase using the following
netdom computername DC1.domain.local /add:dc1.domain.local
netdom computername DC1.domain.local /makeprimary:dc1.domain.local
shutdown /r
3. Install Certificate Authority again
I have a lot of servers to change so if there is a less disruptive workaround I love to hear what it is.
Feb 06 2023 02:22 AM
Nov 13 2023 02:23 PM
instead of disabling a critical security feature (credential guard) you should fix your NPS to not use ms-chap, as this is documented very well to not work with credential guard.
Oct 17 2021 11:52 PM
Solution