Join us June 17–18 for a deep dive into Copilot Control System—live expert-led sessions and Q&A on data security, agent lifecycle, adoption, and more! Learn more >

computer authentication

2 Topics

Connect a Workgroup device on 802.1x Network with NPS
We have an 802.1X-secured Wi-Fi network using EAP-TLS authentication with machine certificates. Domain-joined devices connect and authenticate successfully. However, we have a scenario where some non-domain (Workgroup) Windows 11 devices must connect to this network — and they fail to authenticate. What we've tested so far: User Certificate Approach: Created a duplicate of the User certificate template. Set Compatibility to Windows Server 2008 (to enable key storage provider support). Set Application Policies to include only Client Authentication. Set Subject Name to Supply in the request. During enrollment, we ensured the UPN in the certificate matches the AD user's UPN (e.g., mailto:user@domain). We verified the certificate appears under Published Certificates in the AD user's account. Machine Certificate Approach: Created a certificate with: CN=host/hostname.domain.local in the Subject DNS=hostname.domain.local in the SAN Client Authentication EKU Ensured the certificate is installed in the Local Machine store with private key. In AD: Created a Computer object matching the machine name. Added the ServicePrincipalName (SPN): host/hostname.domain.local Added altSecurityIdentities: "X509:<i>CN=CA Name,DC=domain,DC=local<s>CN=host/hostname.domain.local</s></i>" What we observe in NPS Event Viewer: Each connection attempt from a Workgroup machine — even with valid certificate, and proper mapping — results in: Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. We also ensured that: NPS has a valid certificate with Server Authentication EKU The authentication method used is Microsoft: Smart card or other certificate (EAP-TLS) The policies are configured for certificate-based authentication only The question How can we make NPS map a client certificate (from a non-domain device) to a user or computer account in Active Directory, so that authentication succeeds? Are there additional requirements for altSecurityIdentities, or limitations for Workgroup clients that we're missing?
AndreITQ
May 20, 2025 Place Windows Server for IT Pro
45Views
0likes
0Comments
Windows 11 clients cannot authenticate to NPS server using computer authentication
We have a Windows server 2019 datacenter server running NPS. Our WiFi Office clients authenticate to this server for access to the corporate WiFi network. We use computer authentication, so members of the "domain computers" group are allowed access in the policy (we only want domain computers on this network and we don't want users to need to enter their user credentials). We use GPO to provision a WiFi profile to the domain computers, in which we configure that computer authentication is needed. Our Windows 10 clients (literally all of them) are connecting nicely (I have anonimized the event log for security purposes: Network Policy Server granted access to a user. User: Security ID: DOMAIN\COMPUTER$ Account Name: host/COMPUTER.domain.nl Account Domain: DOMAIN Fully Qualified Account Name: DOMAIN\COMPUTER$ Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - Called Station Identifier: xx-xx-xx-xx-xx-xx:SSID Calling Station Identifier: XX-XX-XX-XX-XX-XX NAS: NAS IPv4 Address: x.x.x.x NAS IPv6 Address: - NAS Identifier: AP01 NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 1 RADIUS Client: Client Friendly Name: SonicPoint HQ 1 Client IP Address: x.x.x.x Authentication Details: Connection Request Policy Name: NAP 802.1X (Wireless) Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable Authentication Provider: Windows Authentication Server: NPS.DOMAIN.nl Authentication Type: PEAP EAP Type: Microsoft: Secured password (EAP-MSCHAP v2) Account Session Identifier: "edited" Logging Results: Accounting information was written to the local log file. When a Windows 11 client (all of them actually) tries to connect, we see the following logged (again, anonimized): Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID: NULL SID Account Name: host/COMPUTER.domain.nl Account Domain: DOMAIN Fully Qualified Account Name: DOMAIN\COMPUTER$ Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - Called Station Identifier: XX-XX-XX-XX-XX-XX:SSID Calling Station Identifier: XX-XX-XX-XX-XX-XX NAS: NAS IPv4 Address: x.x.x.x NAS IPv6 Address: - NAS Identifier: AP01 NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 1 RADIUS Client: Client Friendly Name: SonicPoint HQ 1 Client IP Address: x.x.x.x Authentication Details: Connection Request Policy Name: NAP 802.1X (Wireless) Network Policy Name: - Authentication Provider: Windows Authentication Server: NPS.domain.nl Authentication Type: PEAP EAP Type: - Account Session Identifier: "edited" Logging Results: Accounting information was written to the local log file. Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. The only real difference I see is that for the Windows 11 client, NULL SID is provided as "Security ID". Could it be that this is causing NPS to not be able to verify that the machine that is attempting to connect is a member of the security group which is allowed to connect (the default group "Domain Computers")? Looking forward to either a quick bug fix or a configuration change I need to make. Maybe other Windows Server admins are also experiencing this issue?
Solved
PaulvDam
Mar 07, 2025 Place Windows Server for IT Pro
156KViews
2likes
19Comments