Event ID 6273 — NPS Authentication Status

Applies To: Windows Server 2008

When Network Policy Server (NPS) is configured as a RADIUS server, it performs authentication, authorization, and accounting for connection requests received from configured RADIUS clients. If authentication and authorization are successful, users and computers are granted access to the network resources for which they have permissions.

Event Details

Product: Windows Operating System
ID: 6273
Source: Microsoft-Windows-Security-Auditing
Version: 6.0
Symbolic Name: SE_AUDITID_ETW_NPS_RESPONSE_REJECT
Message: Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
%tSecurity ID:%t%t%t%1
%tAccount Name:%t%t%t%2
%tAccount Domain:%t%t%t%3
%tFully Qualified Account Name:%t%4

Client Machine:
%tSecurity ID:%t%t%t%5
%tAccount Name:%t%t%t%6
%tFully Qualified Account Name:%t%7
%tOS-Version:%t%t%t%8
%tCalled Station Identifier:%t%t%9
%tCalling Station Identifier:%t%t%10

NAS:
%tNAS IPv4 Address:%t%t%11
%tNAS IPv6 Address:%t%t%12
%tNAS Identifier:%t%t%t%13
%tNAS Port-Type:%t%t%t%14
%tNAS Port:%t%t%t%15

RADIUS Client:
%tClient Friendly Name:%t%t%16
%tClient IP Address:%t%t%t%17

Authentication Details:
%tProxy Policy Name:%t%t%18
%tNetwork Policy Name:%t%t%19
%tAuthentication Provider:%t%t%20
%tAuthentication Server:%t%t%21
%tAuthentication Type:%t%t%22
%tEAP Type:%t%t%t%23
%tAccount Session Identifier:%t%t%24
%tReason Code:%t%t%t%25
%tReason:%t%t%t%t%26

Diagnose

This error might be caused by one of the following conditions:

  • The user does not have valid credentials
  • The connection method is not allowed by network policy
  • The network access server is under attack
  • NPS does not have access to the user account database on the domain controller
  • NPS log files or the SQL Server database are not available

To perform these procedures, you must be a member of Domain Admins.

User does not have valid credentials

  1. Use the information provided in Event Viewer to determine whether the authentication method that applies to the user connection is password- or certificate-based.
  2. If a password-based authentication method is used, confirm that the user and is typing the correct credentials (user name and password). 
  3. If a certificate-based authentication method is used, examine the user or computer certificate to confirm that the user is providing the correct certificate for authentication. To examine certificates on the local computer:
    1. Click Start, click Search, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
    2. Click File, and then click Add/Remove Snap-in. The Add or Remove Snap-in dialog box opens.
    3. Click Certificates, and then click Add.
    4. The Certificates snap-in dialog box opens. Click Finish to add the snap-in for the user certificates store to the MMC.
    5. In the Add or Remove Snap-in dialog box, click Add. The Certificates snap-in dialog box opens. Click Computer account, click Next, click Finish, and then click OK to add the snap-in for the computer certificates store to the MMC.
    6. Double click Certificates - Current User or Certificates - Local Computer to browse the certificate store. When you locate the user or computer certificate that you want to examine, double-click the certificate to open it.
    7. Use the "Certificate Requirements for PEAP and EAP" in the NPS Help on the Windows Server 2008 Technical Library at https://go.microsoft.com/fwlink/?LinkId=101491 to make sure that the certificate meets the minimum client certificate requirements.
  4. Use the information provided in Event Viewer to check that the user or computer credentials have not expired.
  5. If valid credentials were not used, see the section titled "Provide the user with valid credentials."

Connection method is not allowed by network policy

  1. Make sure that the user is authorized to connect to the network through a network access server that meets the requirements of network policy. For example, if the user is only allowed to connect through a wireless access point but is attempting to connect through a virtual private network (VPN) server, access will be denied. To view configured network policies:
    1. Click Start, Administrative Tools, Network Policy Server. The NPS MMC opens. 
    2. In the NPS console, double-click Policies, and then click Network Policies.
    3. In the upper details pane, double-click the network policy you want to view.
  2. If the connection method is not allowed by network policy, see the section titled "Add or change a connection method."

Network access server is under attack

  1. Check the NPS log file to determine whether there have been a large number of authentication failures from the same network access server; this can be a symptom of an attack in which a malicious user attempts to gain access by providing different passwords with each access attempt. The default log file location is %Systemroot%\system32\LogFiles.
  2. If the server is under attack, see the section titled "Respond to a server attack."

NPS does not have access to the user accounts database on the domain controller

  1. Check that the domain controller is online.
  2. Check that network connections between the domain controller and NPS are working. To fix network connectivity issues:
    1. Confirm that all routers, switches, and hubs between the NPS server and the domain controller are working.
    2. Make sure that Internet Protocol security (IPsec) policies are configured to allow traffic between the two servers.
    3. Confirm that the server running NPS has an IP address and is physically connected to the network.
  3. If your domain controller is running Active Directory Domain Services (AD DS) and NPS does not have access to the user accounts database, see the section titled "Enable NPS access to the user account database."
  4. If you are using a RADIUS extension dynamic link library (DLL) and a domain controller other than AD DS, use your domain controller documentation to determine how to provide user account database access to the RADIUS extension DLL.

NPS log files or the SQL Server database are not available

  1. If NPS is configured to record accounting information in a log file on the local computer or a remote computer, check that the hard disk is not full. The default log file location is %Systemroot%\system32\LogFiles.
  2. If NPS is configured to record accounting information to a SQL Server database, check that network connections between the computer running SQL Server and NPS are working. To check the SQL Server connection in NPS:
    1. Click Start, Administrative Tools, Network Policy Server. The NPS MMC opens.
    2. In the console tree, click Accounting.
    3. In the details pane, click Configure SQL Server Logging.
    4. In SQL Server Logging, click Data Source.
    5. In Data Link Properties, click Test Connection.
  3. If NPS log files or the SQL server database are not available, see the section titled "Enable log file or SQL Server availability."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

The user does not have valid credentials

Provide the user with valid credentials

The connection method is not allowed by network policy

Add or change a connection method

The network access server is under attack

Respond to a server attack

NPS does not have access to the user account database on the domain controller

Enable NPS access to the Active Directory user account database

NPS log files or the SQL Server database are not available

Enable log file or SQL Server availability

Provide the user with valid credentials

To perform this procedure, you must be a member of Domain Admins.

To provide the user with valid credentials:

  1. If a user has forgotten his or her password, provide the user with a new, temporary password, and then allow the user to change it.
  2. If the user has an expired certificate or a certificate that is not valid for other reasons, revoke the certificate and issue a new one.

For more information, see Active Directory Domain Services documentation at https://go.microsoft.com/fwlink/?LinkId=96418 and Active Directory Certificate Services documentation at https://go.microsoft.com/fwlink/?LinkId=101450.

 

 

Add or change a connection method

If the user is attempting to connect with a connection method that is not allowed, either tell the user how to connect to the network using a supported method or provide the user with access using another method.

To add or change a network connection method in a network policy that grants access, you can configure the NAS-Port-Type condition.

To perform this procedure, you must be a member of Domain Admins.

To configure the NAS-Port-Type condition:

  1. Click Start, Administrative Tools, Network Policy Server. The NPS MMC opens.
  2. In the NPS console, double-click Policies, and then click Network Policies.
  3. In the upper details pane, double-click the network policy to which you want to add a condition, and then click the Conditions tab. Click Add.
  4. In Select condition, browse to the Gateway conditions group, click NAS Port Type, and then click Add.
  5. In NAS Port Type, specify the access media types through which you want to grant access to the user, and then click OK.

Respond to a server attack

To perform this procedure, you must be a member of Domain Admins.

To respond to a server attack:

  1. Examine NPS log files to identify the IP address of the computer that is hosting the attack on your network. The default log file location is %Systemroot%Windows\system32\LogFiles.
  2. If the computer is internal, disable it. If the computer hosting the attack is external and you can determine the owner of the server through the domain name, contact the server administrator.

For more information about protecting your network, see the security guidance provided in Security and Protection documentation at https://go.microsoft.com/fwlink/?LinkID=93803.

Enable NPS access to the Active Directory user account database

To perform this procedure, you must be a member of Domain Admins.

To enable connections between NPS and the Active Directory user account database:

  1. Ensure that the network adapter of the server running NPS is working. If the Ethernet cable is not plugged into the adapter, plug it in. If the network adapter is not working, replace it. To check if the network adapter is working:
    1. Click Start, then right-click Computer. Click Manage. The Computer Management console opens.
    2. Click Device Manager.
    3. In the details pane, browse to and double-click Network adapters to expand the list of network adapters installed in the local computer.
    4. Double-click the network adapter you want to check. The network adapter Properties dialog box opens. In Device status, if the network adapter is functioning correctly, the statement This device is working properly appears.
  2. Check that the domain controller is connected to the network.
  3. Test routers and other links and possible points of failure between the server running NPS and the domain controller.
  4. If there are hardware failures between NPS and the domain controller, replace hardware as needed and design another path between the two servers to provide connectivity failover.

Enable log file or SQL Server availability

To perform this procedure, you must be a member of Domain Admins.

To enable log file or SQL Server availability:

  1. Ensure that the network adapter for the server running NPS is working. If the Ethernet cable is not plugged into the adapter, plug it in. If the network adapter or cable are not working, replace the hardware as needed.
  2. Check that the computer running SQL Server is connected to the network and working.
  3. Test routers and other links and possible points of failure between the server running NPS and the SQL Server database.
  4. If there are hardware failures between NPS and SQL Server, replace hardware as needed and design another network path between the two servers to provide connectivity failover.
  5. If you are logging to a local hard disk and the disk is full, either delete content or install a larger hard disk to handle the accounting data. The default NPS log file location is %Systemroot%Windows\system32\LogFiles.

Verify

To verify that users can be authenticated:

  • On a computer that is configured according to network access policy, log on to the network with a valid user account and valid credentials.

NPS Authentication Status

Network Policy Server Infrastructure