tl;dr:

The solution, in my specific case, was to:

  • ENABLE TLS-1.0 Server.

This way, the NPS "Secure Wireless Connections" functionality (Domain Username + Password authentication) was restored and started working again.

 

Intro.

Sometimes troubleshooting an issue can end up becoming a never-ending nightmare.

That was the case in point - I experienced an issue with Network Policy Server (NPS) and 802.1X ("Secure Wireless Connections"), which ended up wasting a lot of my "family" time.

But IT doesn't have to be that way - you either love solving puzzles or you don't!

In this specific case, the issue that I had with NPS was that it didn't authenticate "Domain User" + "Password".

Luckily, I remembered what I was working on BEFORE 802.1X stopped working and, more specifically, I was trying to further secure ("micromanage") which Windows Security Protocols were allowed/not allowed (on a Network).

To customise your favourite (allowed vs disallowed) Windows Security Protocols, you'd generally end up mucking around in the Windows Registry (specifically under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders).

Too much "customisation" of that specific regkey, paired with Group Policy, can have far-reaching and unexpected results and/or end up breaking things that "just work" (because they were left at their defaults).

As an aside, "Default" is "generally good enough for that 80%", but more often than not, it also means "Sub-optimal".

So, long story short, I disabled TLS-1.0 "Server". And NPS Broke.

In other words, "TLS-1.0 Server = DISABLED" negatively affected my User+Password "Secure Wireless Connections" (configured within NPS Server) and prevented 802.1X from working as intended.

Finding the correlation between the two (NPS and TLS) fixed the problem for good (though it was a significant elbow-grease exercise)!

 

SYMPTOMS.

The symptoms were dark and arcane.

Luckily I was able to locate the NPS LogFiles (at %SystemRoot%\System32\LogFiles for the uninitiated).

There I found an IN1234.log that assisted with the troubleshooting.

If you leave everything at the default (in this case I guess that's a good thing), you'll find entries such as the ones below:

"NPS-SVR-01","IAS",11/16/2018,00:10:17,1,"[email protected]","PWRUSR.COM\DomainUser","AA-BB-CC-11-22-33:WIRELESS-SSID","11-22-33-AA-BB-CC",,,,"192.168.1.254",0,0,"192.168.1.254","WIRELESS-SSID",,,19,"CONNECT 0Mbps 802.11",,,5,"Secure Wireless Connections",0,"311 1 192.168.1.101 03/15/2016 13:29:10 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"NPS-SVR-01","IAS",11/16/2018,00:10:17,11,,"PWRUSR.COM\DomainUser",,,,,,,,0,"192.168.1.254","WIRELESS-SSID",,,,,,,5,"Secure Wireless Connections",0,"311 1 192.168.1.101 03/15/2016 13:29:10 6",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"NPS-SVR-01","IAS",11/16/2018,00:10:17,1,"[email protected]","PWRUSR.COM\DomainUser","AA-BB-CC-11-22-33:WIRELESS-SSID","11-22-33-AA-BB-CC",,,,"192.168.1.254",0,0,"192.168.1.254","WIRELESS-SSID",,,19,"CONNECT 0Mbps 802.11",,,5,"Secure Wireless Connections",0,"311 1 192.168.1.101 03/15/2016 13:29:10 7",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"NPS-SVR-01","IAS",11/16/2018,00:10:17,3,,"PWRUSR.COM\DomainUser",,,,,,,,0,"192.168.1.254","WIRELESS-SSID",,,,,,,5,"Secure Wireless Connections",22,"311 1 192.168.1.101 03/15/2016 13:29:10 7",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

What you are mostly interested in is the number "22" on the last line: that line is the Access-Reject (Packet-Type 3 in the fifth field), and 22 is its Reason-Code (the field right after the policy name "Secure Wireless Connections").

To get readable XML attribute names instead of positional fields, proceed as follows (though bear in mind that the below will make your NPS logs look "harder" to troubleshoot at first glance):

  1. (On NPS MMC Snap-in): Go to Accounting (on the left) and Click on "Change Log File Properties".
  2. Click on "Log File"-Tab.
  3. (In the middle): Locate the "Format"-Dropdown and choose "DTS Compliant".

The above steps turn on "verbose logging" (the DTS-compliant XML format).

In other words, you'll end up with entries such as the example below:

<Event><Timestamp data_type="4">11/25/2018 23:14:12.477</Timestamp><Computer-Name data_type="1">NPS-SVR-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">[email protected]</User-Name><NAS-IP-Address data_type="3">192.168.1.254</NAS-IP-Address><NAS-Port data_type="0">0</NAS-Port><Called-Station-Id data_type="1">AA-BB-CC-11-22-33:WIRELESS-SSID</Called-Station-Id><Calling-Station-Id data_type="1">11-22-33-AA-BB-CC</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Connect-Info data_type="1">CONNECT 0Mbps 802.11</Connect-Info><Client-IP-Address data_type="3">192.168.1.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WIRELESS-SSID</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">PWRUSR.COM\DomainUser</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">PWRUSR.COM\DomainUser</Fully-Qualifed-User-Name><Class data_type="1">311 1 192.168.1.101 03/17/2016 13:08:17 5</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/25/2018 23:14:12.477</Timestamp><Computer-Name data_type="1">NPS-SVR-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.1.101 03/17/2016 13:08:17 5</Class><Session-Timeout data_type="0">60</Session-Timeout><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">192.168.1.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WIRELESS-SSID</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">PWRUSR.COM\DomainUser</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">PWRUSR.COM\DomainUser</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/25/2018 23:14:12.521</Timestamp><Computer-Name data_type="1">NPS-SVR-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">192.168.1.254</NAS-IP-Address><NAS-Port data_type="0">0</NAS-Port><Called-Station-Id data_type="1">AA-BB-CC-11-22-33:WIRELESS-SSID</Called-Station-Id><Calling-Station-Id data_type="1">11-22-33-AA-BB-CC</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Connect-Info data_type="1">CONNECT 0Mbps 802.11</Connect-Info><Client-IP-Address data_type="3">192.168.1.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WIRELESS-SSID</Client-Friendly-Name><User-Name data_type="1">[email protected]</User-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">PWRUSR.COM\DomainUser</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">PWRUSR.COM\DomainUser</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Class data_type="1">311 1 192.168.1.101 03/17/2016 13:08:17 6</Class><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/25/2018 23:14:12.521</Timestamp><Computer-Name data_type="1">NPS-SVR-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.1.101 03/17/2016 13:08:17 6</Class><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">192.168.1.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WIRELESS-SSID</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">PWRUSR.COM\DomainUser</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">PWRUSR.COM\DomainUser</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>

In the above example, on the last line (the Packet-Type 3, i.e. Access-Reject, record), you'll notice "<Reason-Code data_type="0">22</Reason-Code>".

Basically, what you have to do is match the Reason-Code to the corresponding "meaningful" description (published by Microsoft at https://technet.microsoft.com/en-us/library/dd197464(v=ws.10).aspx).

Below is an extract for future reference:

Reason Code Description
0 The connection request was successfully authenticated and authorized by Network Policy Server.
1 The connection request failed due to a Network Policy Server error.
2 There are insufficient access rights to process the request.
3 The Remote Authentication Dial-In User Service (RADIUS) Access-Request message that NPS received from the network access server was malformed.
4 The NPS server was unable to access the Active Directory Domain Services (AD DS) global catalog. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied.
5 The Network Policy Server was unable to connect to a domain controller in the domain where the user account is located. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied.
6 The NPS server is unavailable. This issue can occur if the NPS server is running low on or is out of random access memory (RAM). It can also occur if the NPS server fails to receive the name of a domain controller, if there is a problem with the Security Accounts Manager (SAM) database on the local computer, or in circumstances where there is a Windows NT directory service (NTDS) failure.
7 The domain that is specified in the User-Name attribute of the RADIUS message does not exist.
8 The user account that is specified in the User-Name attribute of the RADIUS message does not exist.
9 An Internet Authentication Service (IAS) extension dynamic link library (DLL) that is installed on the NPS server discarded the connection request.
10 An IAS extension dynamic link library (DLL) that is installed on the NPS server has failed and cannot perform its function.
16 Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect.
17 The user's attempt to change their password has failed.
18 The authentication method used by the client computer is not supported by Network Policy Server for this connection.
19 Challenge Handshake Authentication Protocol (CHAP) is being used as the authentication method for the connection request, however CHAP is not configured to store a reversibly encrypted form of user passwords.

With CHAP, reversibly encrypted password storage is required. You can enable reversibly encrypted password storage per user account or for all accounts in a domain using Group Policy. To enable reversibly encrypted password storage for a user account, obtain the properties of a user account in AD DS, click the Account tab, and then select the Store password using reversible encryption check box.

To allow reversibly encrypted password storage for all user accounts in the domain, add the Group Policy Management Editor snap-in to the Microsoft Management Console (MMC) and enable the default domain policy setting Store password using reversible encryption at the following path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policies.

20 The client attempted to use LAN Manager authentication, which is not supported by Network Policy Server. To enable the use of LAN Manager authentication, see NPS: LAN Manager Authentication.
21 An IAS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
22 Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer.
23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors. By default, these log files are located at %windir%\System32\Logfiles.
32 NPS is joined to a workgroup and performs the authentication and authorization of connection requests using the local Security Accounts Manager database, however the Access-Request message contains a domain user name. NPS does not have access to a domain user accounts database. The connection request was denied.
33 The user that is attempting to connect to the network must change their password.
34 The user account that is specified in the RADIUS Access-Request message is disabled.
35 The user account that is specified in the RADIUS Access-Request message is expired.
36 The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the Account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, obtain the user account properties in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, click the Account tab, and then click Unlock account.
37 According to AD DS user account logon hours, the user is not permitted to access the network on this day and time. To change the account logon hours, obtain the user account properties in the Active Directory Users and Computers snap-in, click the Account tab, and then click Logon Hours. In the Logon Hours dialog box, configure the days and times when the user is permitted to access the network.

As you may notice (from the above table), Reason Code 22 means "Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer."
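As an added example (this is not the post's code), the Python script below does that lookup mechanically for both log formats shown above: IAS-format lines are parsed positionally (Packet-Type is the fifth field, Policy-Name the 25th and Reason-Code the 26th, as in the excerpt), DTS-compliant lines are parsed as XML, and every Access-Reject is printed with its decoded reason. The sample lines are constructed to mirror the post's excerpts (host, SSID, MACs and the user "jdoe" are placeholders), and the reason table is the subset quoted above.

```python
"""Triage NPS authentication logs: find Access-Reject records in IAS (CSV) or
DTS-compliant (XML) log lines and translate their Reason-Code to text."""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# RADIUS packet types as NPS logs them in the Packet-Type field.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Subset of Microsoft's NPS reason-code table (see the extract above).
REASON_CODES = {
    0: "Successfully authenticated and authorized.",
    1: "Connection request failed due to an NPS error.",
    16: "Credentials mismatch (unknown user or wrong password).",
    18: "Authentication method not supported by NPS for this connection.",
    22: "NPS was unable to negotiate an EAP type with the client.",
    23: "Error during NPS use of EAP; check the EAP log files.",
    34: "The user account is disabled.",
    36: "Account locked out (too many failed attempts).",
}

@dataclass
class NpsRecord:
    timestamp: str
    packet_type: int
    user: str
    policy: str
    reason_code: Optional[int]

    @property
    def packet_name(self) -> str:
        return PACKET_TYPES.get(self.packet_type, f"type {self.packet_type}")

    @property
    def reason(self) -> str:
        if self.reason_code is None:
            return "(no Reason-Code in this record)"
        return REASON_CODES.get(self.reason_code, f"unknown reason code {self.reason_code}")

def _to_int(value: str) -> Optional[int]:
    return int(value) if value else None

def parse_ias_line(line: str) -> NpsRecord:
    """IAS format is positional CSV. 0-based indexes (Microsoft's IAS layout):
    2/3 date and time, 4 Packet-Type, 5 User-Name, 6 fully qualified user name,
    24 Policy-Name, 25 Reason-Code."""
    fields = next(csv.reader(io.StringIO(line)))
    return NpsRecord(timestamp=f"{fields[2]} {fields[3]}", packet_type=int(fields[4]),
                     user=fields[6] or fields[5], policy=fields[24],
                     reason_code=_to_int(fields[25]))

def parse_dts_line(line: str) -> NpsRecord:
    """DTS-compliant format: one <Event> element per line, one child per attribute."""
    event = ET.fromstring(line)

    def text(tag: str) -> str:
        node = event.find(tag)
        return node.text if node is not None and node.text else ""

    return NpsRecord(timestamp=text("Timestamp"), packet_type=int(text("Packet-Type")),
                     user=text("SAM-Account-Name") or text("User-Name"),
                     policy=text("NP-Policy-Name") or text("Proxy-Policy-Name"),
                     reason_code=_to_int(text("Reason-Code")))

def parse_line(line: str) -> Optional[NpsRecord]:
    line = line.strip()
    if not line:
        return None
    return parse_dts_line(line) if line.startswith("<Event>") else parse_ias_line(line)

def rejects(lines: List[str]) -> List[NpsRecord]:
    """Only Access-Reject records (Packet-Type 3) carry a failure reason worth decoding."""
    return [r for r in map(parse_line, lines) if r is not None and r.packet_type == 3]

# Constructed sample lines modelled on the post's excerpts; host, SSID, MACs and
# the user "jdoe" are placeholders. Each pair ends with the Access-Reject.
SAMPLE_IAS = [
    '"NPS-SVR-01","IAS",11/16/2018,00:10:17,1,"jdoe@pwrusr.com","PWRUSR.COM\\jdoe",'
    '"AA-BB-CC-11-22-33:WIRELESS-SSID","11-22-33-AA-BB-CC",,,,"192.168.1.254",0,0,'
    '"192.168.1.254","WIRELESS-SSID",,,19,"CONNECT 0Mbps 802.11",,,5,'
    '"Secure Wireless Connections",0,"311 1 192.168.1.101 03/15/2016 13:29:10 6",,,,',
    '"NPS-SVR-01","IAS",11/16/2018,00:10:17,3,,"PWRUSR.COM\\jdoe",,,,,,,,0,'
    '"192.168.1.254","WIRELESS-SSID",,,,,,,5,"Secure Wireless Connections",22,'
    '"311 1 192.168.1.101 03/15/2016 13:29:10 7",,,,"",,,,',
]
SAMPLE_DTS = [
    '<Event><Timestamp data_type="4">11/25/2018 23:14:12.477</Timestamp>'
    '<Computer-Name data_type="1">NPS-SVR-01</Computer-Name>'
    '<User-Name data_type="1">jdoe@pwrusr.com</User-Name>'
    '<SAM-Account-Name data_type="1">PWRUSR.COM\\jdoe</SAM-Account-Name>'
    '<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>'
    '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">11/25/2018 23:14:12.521</Timestamp>'
    '<Computer-Name data_type="1">NPS-SVR-01</Computer-Name>'
    '<SAM-Account-Name data_type="1">PWRUSR.COM\\jdoe</SAM-Account-Name>'
    '<Authentication-Type data_type="0">5</Authentication-Type>'
    '<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>',
]

if __name__ == "__main__":
    for rec in rejects(SAMPLE_IAS + SAMPLE_DTS):
        print(f"{rec.timestamp}  {rec.packet_name}  user={rec.user}  "
              f"policy={rec.policy}  reason {rec.reason_code}: {rec.reason}")
```

Point it at a real IN*.log by reading the file into `rejects()`; the format is detected per line, so a log that was switched from IAS to DTS-compliant part-way through still parses.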

Where in the world is that related to TLS 1.0? Now that is a good question, my friend!

 

PRESCRIPTION(s).

Never has a solution been easier: just add the below regkey to your registry and restart; hopefully it'll all be good (feel free to share your comments if that's not the case)! Bear in mind that SCHANNEL settings are machine-wide, so this re-enables TLS 1.0 for every TLS server on the host, not just for NPS.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f

# The above command ENABLES TLS 1.0 Server (SCHANNEL reads the Enabled value under the TLS 1.0\Server subkey; the 0x prefix is required for reg.exe to treat the /d value as hex).

 

Note-1 (optional): Once you've got the ball rolling, you might as well check the MTU (to make sure it is at its default value of 1500 bytes).

netsh interface ipv4 show interface Ethernet

# Review the above command's output and make sure the MTU is 1500.

 

Note-2 (optional): NPS also uses MPPE for encryption purposes. If you "disabled" that too, then (at least) re-enable 128-bit RC4:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0xffffffff /f

# The above command ENABLES RC4 128 Bit Encryption.

 

Note-3: Too many certs on the NPS server? Disable "SendTrustedIssuerList" under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

  • Create a new DWORD value SendTrustedIssuerList and set it to 0 (false).

 

Note-4: NPS performance issues?

Increase its number of threads: set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaxConcurrentApi to 5.


LogFiles info: https://technet.microsoft.com/en-us/library/cc771748%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


3 comments on “[SOLVED] Microsoft Network Policy Server (NPS) Error Code 22”

  • The reg command won't work like that. You need to specify that the /D parameter is hex:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0xffffffff /f

  • Same with

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f
