I have a user that keeps getting their Active Directory account locked out. The problem is Windows 7 keeps sending their credentials to the NPS (Server 2008 R2) server with a NULL SID. I keep getting Event ID 6273 Audit Failure. The log looks like this:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: DOMAIN\samAccountName
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\samAccountName
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B866D59F4
Calling Station Identifier: C018851BCC83
NAS:
NAS IPv4 Address: 10.10.16.31
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: RADIUSSERVER.domain.lan
Client IP Address: 10.10.16.32
Authentication Details:
Connection Request Policy Name: Aruba Policy - Indi North
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPSSERVER.domain.lan
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
However, on an audit success I get a log entry that looks like this:
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\samAccountName
Account Name: samAccountName
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN.lan/ou/ou/FirstName LastName
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B866D59F4
Calling Station Identifier: 3CE072980D99
NAS:
NAS IPv4 Address: 10.10.16.31
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: RADIUSSERVER.DOMAIN.lan
Client IP Address: 10.10.16.32
Authentication Details:
Connection Request Policy Name: Aruba Policy - DOMAIN North
Network Policy Name: Aruba Network Policy
Authentication Provider: Windows
Authentication Server: NPSSERVER.DOMAIN.lan
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store.
Quarantine Information:
Result: Full Access
Session Identifier: -
I have a group-based grant-access network policy enabled on the NPS, so when there is no SID to check it denies access. I just need to figure out why Windows 7 isn't sending a SID.
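
An added example (not part of the original post): a Python parser for the flattened NPS event text shown above. It keeps the "Security ID" under User separate from the one under Client Machine and counts granted and denied requests per account and Calling Station Identifier. The sample text is constructed from the two events in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the flattened layout of the post (field values copied from its two events).
SAMPLE = """Network Policy Server denied access to a user.
User:
Security ID: NULL SID
Account Name: DOMAIN\\samAccountName
Client Machine:
Security ID: NULL SID
Calling Station Identifier: C018851BCC83
Authentication Details:
Reason Code: 16
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\\samAccountName
Account Name: samAccountName
Client Machine:
Security ID: NULL SID
Calling Station Identifier: 3CE072980D99
"""

START = re.compile(r"^Network Policy Server (denied|granted) access")

def parse_events(text):
    """Split exported NPS event text into dicts keyed by (section, field)."""
    events, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = START.match(line)
        if m:                                   # first line of a new event
            events.append({"result": m.group(1)})
            section = None
        elif events and line.endswith(":"):     # section header, e.g. "User:"
            section = line[:-1]
        elif events and ": " in line:           # "Field: value" inside a section
            key, value = line.split(": ", 1)
            events[-1][(section, key)] = value
    return events

def summarize(events):
    """Count events per (account, calling station, result)."""
    counts = Counter()
    for e in events:
        # Denied events log DOMAIN\name, granted events log the bare name.
        account = e.get(("User", "Account Name"), "-").split("\\")[-1].lower()
        mac = e.get(("Client Machine", "Calling Station Identifier"), "-")
        counts[(account, mac, e["result"])] += 1
    return counts
```

Run over a full export of Event ID 6273 and 6272 entries, the summary shows which Calling Station Identifier each denied request for the account came from.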