Discussion: IAS Errors
Tim
2008-09-17 21:54:01 UTC
I have 8 VPN users authenticating over RADIUS to one of 2 IAS servers, both of
which are domain controllers. Simply put, when people succeed (and 7 of them
do), the following or a similar message gets put in the system log of the IAS
server...

"Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 9/17/2008
Time: 10:46:50 AM
User: N/A
Computer: PDC Emulator & IAS Server computer name
Description:
User jonesm was granted access.
Fully-Qualified-User-Name = internal.domainname/Users/Margaret Jones
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Our Standard RADIUS Policy
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00"

Note the Fully-Qualified-User-Name and correct Policy-Name being present.
The user name smells like DNS being resolved and this makes sense to me.
Now here's what happens to the one user that has 50% success and 50% failure.

"Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/16/2008
Time: 7:43:09 PM
User: N/A
Computer: Same PDC emulator and IAS server computer name
Description:
User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\doed
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 36
Reason = The user account is currently locked and cannot be authenticated.
Only a person with administrative rights for either the computer or the
domain can unlock the user account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 75 07 07 80"

Note the NetBIOS resolution and the lack of a Policy-Name. Why in the world would
this happen? No, they are not really locked out. The message is absolutely
LYING! Thoughts?
S. Pidgorny <MVP>
2008-09-18 09:07:38 UTC
Just assume for a second that the message is not lying and IAS honestly
believes that the user account is locked out.

On both IAS servers, open adsiedit.msc, select properties of the user
object in question, and check the userAccountControl property. From
memory, it should be 4096 - check any other user. If it is different,
set it to the default value.

Yes, I have seen this attribute changed while the user could log on
and dsa.msc didn't show the account as locked. The result was exactly
what you're describing - the user couldn't connect to the wireless network.
How that happens - don't know.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Wayne Tilton
2008-09-18 22:25:26 UTC
I, too, have seen this problem and in our case, userAccountControl was
528 (UF_NORMAL_ACCOUNT+UF_LOCKOUT) but ADU&C showed it normal and the
user could log on normally with a wired connection, they just couldn't get
logged on via EAP/TLS. Changed 528 to 512 and they are happy wireless
users again.

HTH,

Wayne Tilton
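An added example (not code from any poster in this thread) that decodes userAccountControl bit flags and parses an IAS event description like the ones quoted above, so the 528-versus-512 check Wayne describes can be run against the value read on each DC. The UF_* constants are the standard lmaccess.h values, the sample event text is constructed from the thread's denial event, and the DC names are assumptions.

```python
import re

# Well-known userAccountControl bits (UF_* constants from lmaccess.h), a subset.
UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0010: "UF_LOCKOUT",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
}

# Constructed sample: the denial event from the thread, trimmed to its description.
DENIED_EVENT = r"""User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\doed
Policy-Name = <undetermined>
Reason-Code = 36
Reason = The user account is currently locked and cannot be authenticated."""

def decode_uac(value):
    """Names of the UF_* bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]

def parse_ias_event(text):
    """Turn the 'Attribute = value' lines of an IAS event 1/2 description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    m = re.search(r"User (\S+) was (granted|denied) access", text)
    if m:
        fields["User"], fields["Result"] = m.group(1), m.group(2)
    fqun = fields.get("Fully-Qualified-User-Name", "")
    # DNS-style names look like dns.domain/OU/CN, NetBIOS-style like DOMAIN\user.
    fields["NameStyle"] = "netbios" if "\\" in fqun else "dns" if "/" in fqun else "unknown"
    return fields

def triage(event, uac_by_dc):
    """Check a Reason-Code 36 denial against userAccountControl read on each DC."""
    findings = []  # uac_by_dc: DC name (assumed) -> value read with adsiedit.msc there
    if event.get("Result") == "denied" and event.get("Reason-Code") == "36":
        for dc, uac in uac_by_dc.items():
            if uac & 0x0010:  # UF_LOCKOUT set even if dsa.msc shows the account as normal
                findings.append(f"{dc}: userAccountControl={uac} carries UF_LOCKOUT; "
                                f"the same value without it is {uac & ~0x0010}")
    if event.get("NameStyle") == "netbios" and event.get("Policy-Name") == "<undetermined>":
        findings.append("NetBIOS-style user name and no policy matched: the request "
                        "failed before policy evaluation, as in the thread's denial event")
    return findings
```

Run `triage(parse_ias_event(DENIED_EVENT), {"DC1": 528, "DC2": 512})` to see the DC whose copy of the object still carries the lockout bit, and compare the values from both DCs since the thread shows they can differ.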
Tim
2008-11-06 17:31:01 UTC
No good. All of them on both IAS servers were already set to 512, including
the 1 person having the problem specified.