Windows Server 2008 Network Policy Server

Discussion in 'Windows Networking' started by Edward, May 24, 2008.

  1. Edward

    Edward Guest

    Hi

    I have a problem authenticating clients and users on my network with Windows
    Server 2008 Network Policy Server.

    I have 1 server running Windows Server 2008 Datacenter (192.168.23.1;
    Computer name is PROXIMA) with:
    Active Directory (Primary Domain Controller)
    DNS
    DHCP (Scope: 192.168.23.x; Subnet: 255.255.255.0)
    NPS
    Routing and Remote Access - VPN and NAT server

    My client computers are running Windows Vista Ultimate (Computer names MARS
    and VULPECULA).

    I have 2 Connection Request Policies in Network Policy Server:
    * Microsoft Routing and Remote Access Service Policy - Enabled - Order: 1 -
    Source: Remote Access Server (VPN-Dial up)
    * Use Windows authentication for all users - Enabled - Order: 100000 -
    Source: Unspecified

    My clients cannot get any connection with the server when the Use Windows
    authentication for all users is set to the following:
    Forwarding Connection Request: Authentication is set to Authenticate
    requests on this server.

    In the event viewer I get the following message:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 5/24/2008 9:56:51 AM
    Event ID: 6273
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: PROXIMA.ecmatech.local
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Fully Qualified Account Name: -

    Client Machine:
    Security ID: NULL SID
    Account Name: MARS
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 192.168.23.0
    Calling Station Identifier: 000D8833BF40

    NAS:
    NAS IPv4 Address: 192.168.23.1
    NAS IPv6 Address: -
    NAS Identifier: PROXIMA
    NAS Port-Type: Ethernet
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: -
    Client IP Address: -

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: PROXIMA.ecmatech.local
    Authentication Type: Unauthenticated
    EAP Type: -
    Account Session Identifier: 313637353439393838
    Reason Code: 65
    Reason: The connection attempt failed because network access permission
    for the user account was denied. To allow network access, enable network
    access permission for the user account, or, if the user account specifies
    that access is controlled through the matching network policy, enable network
    access permission for that network policy.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"
    Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6273</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2008-05-24T07:56:51.515Z" />
    <EventRecordID>439257</EventRecordID>
    <Correlation />
    <Execution ProcessID="640" ThreadID="1276" />
    <Channel>Security</Channel>
    <Computer>PROXIMA.ecmatech.local</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">MARS</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">192.168.23.0</Data>
    <Data Name="CallingStationID">000D8833BF40</Data>
    <Data Name="NASIPv4Address">192.168.23.1</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">PROXIMA</Data>
    <Data Name="NASPortType">Ethernet </Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">Use Windows authentication for all
    users</Data>
    <Data Name="NetworkPolicyName">Connections to other access servers</Data>
    <Data Name="AuthenticationProvider">Windows </Data>
    <Data Name="AuthenticationServer">PROXIMA.ecmatech.local</Data>
    <Data Name="AuthenticationType">Unauthenticated </Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">313637353439393838</Data>
    <Data Name="ReasonCode">65</Data>
    <Data Name="Reason">The connection attempt failed because network access
    permission for the user account was denied. To allow network access, enable
    network access permission for the user account, or, if the user account
    specifies that access is controlled through the matching network policy,
    enable network access permission for that network policy. </Data>
    </EventData>
    </Event>


    If I change the Use Windows authentication for all users policy to:
    Accept users without validating credentials
    then it works fine.

    Any help would be appreciated.

    Thanks!
    Edward
     
    Edward, May 24, 2008
    #1
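
For anyone triaging the same Event ID 6273 from an exported Security log, the sketch below (an added example, not part of Edward's post and not Microsoft code) parses the Event XML and pulls out the fields that identify the client and the policies that matched. The embedded sample is a reduced copy of the event above; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Reduced copy of the Event 6273 XML from the post (most Data elements omitted).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>6273</EventID>
<TimeCreated SystemTime="2008-05-24T07:56:51.515Z" />
</System>
<EventData>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectMachineName">MARS</Data>
<Data Name="CallingStationID">000D8833BF40</Data>
<Data Name="ProxyPolicyName">Use Windows authentication for all
users</Data>
<Data Name="NetworkPolicyName">Connections to other access servers</Data>
<Data Name="AuthenticationType">Unauthenticated </Data>
<Data Name="ReasonCode">65</Data>
</EventData>
</Event>"""

def parse_nps_event(xml_text):
    """Return the EventID, timestamp and EventData fields of one NPS audit event."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
              "Time": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    for data in root.iterfind("e:EventData/e:Data", NS):
        # Collapse wrapped lines and trailing spaces; "-" means the field was empty.
        value = " ".join((data.text or "").split())
        fields[data.get("Name")] = None if value in ("", "-") else value
    return fields

def triage(fields):
    """List what a reviewer should note about a denied request (Event ID 6273)."""
    if fields["EventID"] != 6273:
        return []
    notes = ["denied under network policy %r via connection request policy %r, "
             "reason code %s" % (fields.get("NetworkPolicyName"),
                                 fields.get("ProxyPolicyName"), fields.get("ReasonCode"))]
    if fields.get("AuthenticationType") == "Unauthenticated":
        notes.append("authentication type is Unauthenticated")
    if fields.get("SubjectUserName") is None:
        notes.append("no user name; client identified only by machine %s, station %s"
                     % (fields.get("SubjectMachineName"), fields.get("CallingStationID")))
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_nps_event(SAMPLE_EVENT))))
```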