Channel: Network Infrastructure Servers forum

NPS Event 6273 Reason Code 16


We're in the midst of relocating our RADIUS role from a 2003 DC to a 2008 R2 member server.

The following features have been installed and configured:

  • Network Policy Server
  • Routing and Remote Access Services
  • Remote Access Service
  • Routing

All policies have been recreated identically to the previous ones and the server has been registered in AD DS.

When attempting to connect to the RADIUS server I receive the following event:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   test
 Account Domain:   DOMAIN
 Fully Qualified Account Name: DOMAIN\test

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  -
 Calling Station Identifier:  -

NAS:
 NAS IPv4 Address:  x.x.x.x
 NAS IPv6 Address:  -
 NAS Identifier:   
 NAS Port-Type:   -
 NAS Port:   1

RADIUS Client:
 Client Friendly Name:  server.fqdn
 Client IP Address:  x.x.x.x

Authentication Details:
 Connection Request Policy Name: Use Windows authentication for all users
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  server.fqdn
 Authentication Type:  PAP
 EAP Type:   -
 Account Session Identifier: -
 Logging Results:  Accounting information was written to the local log file.
 Reason Code:   16
 Reason:    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

All credentials, shared secrets and authentication methods are correct. I have also checked Dial-Up properties in AD DS. Has anyone else experienced this issue?

Regards,

Ryan.

 


Always on VPN Routing


I have an Always On VPN in Server 2016 set up and am having issues with the remote clients accessing the production network through the VPN. Here is an example of my setup:

Prod network - 10.1.1.*

DMZ Network - 172.10.1.*

RAS VPN Static pool - 10.10.1.*

VPN server is on domain, has a prod network address, and DMZ address.

The VPN is currently working in the aspect that when I connect to the VPN from my Windows 10 machine (on external network), the Win 10 machine gets a 10.10.1.* address. But that 10.10.1.* subnet cannot access the prod network. Do I need to set up static routes on the VPN server to be able to get to the prod network?

Thanks in advance.


Windows Server 2008 R2 Domain Controller - NLA set to public Firewall policies public


Hi

I have a Windows Server 2008 R2 Standard with SP1 DC that when the DC is restarted or powered on, the NLA is set to unidentified network - public network and then public firewall policy is active. If I disable and then enable the network adapter, the NLA refreshes and changes to Domain and then the firewall policies are domain based. All is good, until the DC is restarted.

RRAS (always On VPN) -> DHCP or static pool on RRAS

Hi,
I'm about to install/configure an Always On VPN solution and am deciding whether to use DHCP or a pool from the AOVPN server itself.
In previous deployments I've always configured a pool on the servers themselves.

From the MS documentation (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-ras)  I can find this :
"You can feasibly assign addresses from either a pool or a DHCP server; however, using a DHCP server adds complexity to the design and delivers minimal benefits."

Are these pros and cons described somewhere?
If I'm correct, a downside of using a DHCP scope is that all clients do not show their FQDN, but the name of the RRAS server.

Always On VPN + remote administration


Hi,
I'm deploying Always On VPN as a replacement for DirectAccess, and would like to know if it's possible to remotely manage VPN clients the way manage-out was configured with DirectAccess. Or does that work out of the box?

Manage-Out is a Microsoft Direct Access feature that allows administrators inside the enterprise network to connect to Direct Access clients outside the network and manage them (for example, performing administration tasks, such as scheduling service updates, and providing remote support

VPN Remote Access Management on Windows Server 2012 R2 Standard


I set up remote access management (VPN) on Windows Server 2012 R2 Standard. I added the users who are allowed to access the network over the VPN. I opened ports PPTP 1723 / SSTP 443 on the router that provides internet to the server... all fine. Now when I try to access the network from another one, it gives this blessed error 806. Keep in mind that there is a router on the other network. Does some protocol need to be configured on this other router?

Error 806: the VPN connection between the computer and the VPN server could not be completed. The most common cause of this failure is that at least one Internet device between the computer and the VPN server is not configured to allow GRE protocol packets.


VPN - Android Client

Hi. I set up a VPN server with the default settings and it supports all the OSes, but it has a problem with Android devices.
Is this problem from the server, or is there something wrong with the client?

VPN Server at home


Hi,

I recently bought my own server for my house, and wanted to play a bit on it.

I now want to make a VPN server on a VM to work at my house from my work.
Can't find any exact tutorials that match my request, I must be blind.

Can anyone provide me this?

Thanks



AD logon events with two source IP addresses ?


Hello, I am seeing AD logon events with source multiple address as two separate IP addresses i.e. the address of the Ethernet wired LAN and the address of the wifi NIC.

How could this be happening, i.e. receiving a logon event to AD with the two source IP addresses of the same machine at the same time?

Thank you.

Example (note the two IP source addresses, one for wired and one for wifi NIC, 'ip:10.100.5.103:10.90.0.184'):

[RECV_EVENT_FROM_DC]packet_len:62 dcagent_ip:10.5.1.62 time:1547863053 data_len:45 data:E7440-CWMLH12.domain.forest/DOMAIN/DaveParker ip:10.100.5.103:10.90.0.184

DirectAccess on Windows Server 2016 - IPsec Issues


Is anyone experiencing IPsec issues with DirectAccess on Server 2016?

DirectAccess works correctly when it’s not configured to use device certificates. However, the minute device-authentication is enabled the DirectAccess console starts complaining of IPsec issues. It gives the generic IPsec error “IPsec is not working properly.”

Interestingly enough, I set up a Server 2012 R2 DirectAccess server and integrated it with the same CA and it works fine. I’ve also got access to a near-identical environment (in which IPsec is working with device certificates; however, this is on Server 2012). I’ve compared the AD CS and individual root certificate properties and they match in both the working and non-working environments.

When device-certificate authentication is enabled the DirectAccess clients partially connect building only the infrastructure tunnel. Both servers are patched as of the beginning of this week. 

I built out a similar topology in my lab and it is having exactly the same problem. 

I’m quite comfortable that it’s configured correctly, I’m asking if anyone else is seeing the same problems. I know DirectAccess is EOF but the customer gets what the customer wants.

Cheers,

Ryan



2012 R2 NPS/RADIUS Server. Event ID 4402: There is no domain controller available for the domain.


Attempting to replace existing Windows 2003 RADIUS server with new 2012 R2 NPS/RADIUS Server. RADIUS server used for 2nd Factor SafeWord authentication. All policies and settings replicated to new NPS server. NPS server has been registered w/ AD (child.domain.com).

When testing w/ NTRadPing Utility, continually get response: Access-Reject. Event ID 4402 "There is no domain controller for the domain domain.com" logged in System Log on NPS server.

Unable to locate any reference to issue w/ child domains. Not sure if this error is perhaps a red herring of some sort.

ESENT Errors (Lots of them)


This error below is spamming our server. However, I've fixed everything on the server I can think of. The only errors I am getting are ESENT and most of them are the below. SFC /Verifyonly found no corruption.

svchost (504) SoftwareUsageMetrics-Svc: A request to write to the file "C:\Windows\system32\LogFiles\Sum\SystemIdentity.jfm" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (18 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

The server periodically starts hanging and freezing, like my CPU is under max load, where everything is just super slow and laggy. The only way to fix it is to reboot the computer. Unplugging the power for 30 seconds seems to increase the likelihood the server boots into a stable state. However, unsure if it's just chance.

Any ideas? I have run Intel's Diagnostic tool on the CPU and all green. I just don't know here. Dumbfounded.

Connect via ip to lab servers behind windows routing and remote access server

I have a lab environment set up which uses Windows RRAS as a gateway. I have ports forwarded to machines behind the RRAS server and connections can be made to them successfully. However, when I try to connect to those machines using the IP address from my main PC (which is on the same subnet as the WAN NIC of the RRAS server) I have been unsuccessful. The main PC is on a different subnet than the lab PC I am trying to connect to, so I added a static route to the main PC and I used the WAN NIC of the RRAS server as the gateway. When I trace route to the lab PC IP, the first hop is to the WAN NIC of the RRAS server but all other hops drop. I think I have to configure the RRAS server for LAN-to-LAN routing but I am not sure how to. Any advice would be appreciated.

How often do DNS clients come to the DNS server to update their record timestamps?


Hi all,

How often do DNS clients come to the DNS server to update their record timestamps?

As we know, by default the DNS server doesn't allow clients to update their record timestamps for 7 days, but I want to know how often, by default, they come and contact the DNS server to update their record timestamps.

Do DNS clients try to update their record timestamps in the DNS server when they (the clients) are powered on and also during reboot?

Thanks



NPS - Can you have network policies for wifi and vpn on same server


Hi all,

Is it possible to have 2 network policies in NPS, one for WiFi and one for VPN on the same server?

I imagine that the network policies might be slightly different??

// Ronnie


Top Solutions related to Software Defined Networking (SDN)


Software Defined Networking (SDN) provides a method to centrally configure and manage physical and virtual network devices such as routers, switches, and gateways in your datacenter. You can use your existing SDN-compatible devices to achieve deeper integration between the virtual network and the physical network. Virtual network elements such as Hyper-V Virtual Switch, Hyper-V Network Virtualization, and RAS Gateway are designed to be integral elements of your SDN infrastructure. 

 

You can use SDN to: 

  • Dynamically create, secure, and connect your network to meet the evolving needs of your apps 

  • Speed up the deployment of your workloads in a non-disruptive manner 

  • Contain security vulnerabilities from spreading across your network 

  • Define and control policies that govern both physical and virtual networks 

  • Implement network policies consistently at scale 

 

Let’s get started here: 


Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Behind firewall can't ping other domain like bing.com,google.com, etc., except our domain "abcd.com"


Hello. In our work environment we have a Windows domain, and our Windows-based servers are located in multiple countries. My question: in our office, from inside (behind the firewall), I can ping only our domain "abcd.com". But when I test by pinging any other domains like bing.com, google.com, etc., I am unable to "ping or do nslookup or Tracert" to other domains. FYI, the firewall was configured long ago, when I was not there. How can I make changes so that I can "ping or do nslookup or Tracert" other domains like bing.com, google.com, etc.?

Find out who created static DNS entry


Hello,

Can anyone tell me if it's possible to find the date created, time created, and the username that created a static DNS entry?  We are trying to use DDNS all the time for DNS registration but there are a couple of IT people that want to create a static entry for everything they do, is it possible to identify the user that created a static entry? 

We have a 2008 AD forest in place.

TIA,

Dean

AlwaysON VPN server behind existing firewall?


I cannot make this server face the Internet directly (the existing setup does not allow it, not that I would want to anyway).

I can only NAT it via existing Firewall.

With port forwarding, that should not be an issue, right?

I know above link is for 2008 and I am doing it on 2019, but I see no reason to be any different

Seb


Always On VPN Device Tunnel. DNS Registration & Manage-Out


I have device tunnels configured with the register in DNS option turned on.

The device registers the public IP address of the computer and not the tunnel address assigned to it. Why is this, and is there something configured incorrectly that could cause this?

Also, while I can ping the tunnel IP address of the user-based tunnels, I cannot ping the tunnel address of the device. The firewall is turned off.

I have class-based routing disabled and I have configured routes to the IP addresses I am trying to ping the device from on the internal network. I also have TrafficFilter enabled in the device profile to restrict traffic going over the tunnel to only these same IP addresses on the internal network.

Both user and device tunnels are split tunnel.

Any help would be much appreciated.
