Windows server 2016 RADIUS server IAS_AUTH_FAILURE

davobo 116 Reputation points
2021-01-02T21:43:41.98+00:00

Hi,

I had a working RADIUS server setup on Windows Server 2016 and could successfully authenticate from a MikroTik router, but for some reason it stopped working. The message I get in Event Viewer for the NPS server is:

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an
existing user account or the password was

I have looked in the IN log file for some extra information, and it says:

Reason-Code: IAS_AUTH_FAILURE

I'm using MS-CHAPv2 authentication in network policy.

I cannot pinpoint whether it happened after some certificate expired or after the routine password update mandated by AD (maybe it has nothing to do with this). I really don't know where to look further. Any suggestion on where to look or what to check is welcome.

I know that this isn't a lot of information but I'll be happy to provide it in order to debug this.


Accepted answer
  1. davobo 116 Reputation points
    2021-01-06T15:16:34.783+00:00

    Hi,

    Sunny and Gary thank you for the time and suggestions, but I have found the root cause of this issue.

    One thing that led me to look in another direction was the Security log. There I had a few audit failure entries, one with event ID 4625 and another with event ID 6273. Searching for a solution for ID 4625 took me to the following forum thread:

    https://serverfault.com/questions/608227/authentication-via-radius-mschapv2-error-691

    It turned out that I was facing the same issue and it's also documented on microsoft pages:

    https://learn.microsoft.com/en-gb/troubleshoot/windows-server/networking/lt2p-ipsec-ras-vpn-connections-fail

    As NTLMv1 was disabled, the server was rejecting MS-CHAPv2 requests. To be more precise, when the "Network security: LAN Manager authentication level" option, located under Local Security Policy -> Local Policies -> Security Options, is set to "Send NTLMv2 response only. Refuse LM & NTLM", the server was rejecting requests. Once I reduced this to "Send NTLMv2 response only", I could log on to the MikroTik normally using RADIUS.

    A brief summary is that MS-CHAPv2 needs NTLMv1.

    Now this brings me to another question. Under Security Options there are policies that allow exceptions to specific servers regarding these rules, but putting the MikroTik router under the exceptions didn't allow me to log in when "Send NTLMv2 response only. Refuse LM & NTLM" is defined.

    Is there a way to use the "Send NTLMv2 response only. Refuse LM & NTLM" option but allow NTLMv1 for some servers?

    Also, on the aforementioned Microsoft page there's a suggested solution in which I should define a new parameter, "Enable NTLMv2 Compatibility", under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy. This approach didn't work with the "Send NTLMv2 response only. Refuse LM & NTLM" option defined.

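The accepted answer ties the failure to the LAN Manager authentication level (MS-CHAPv2 depends on NTLMv1) and to the "Enable NTLMv2 Compatibility" value under RemoteAccess\Policy. The following audit script is an added example, not code from the thread or from Microsoft: it reads both settings on the NPS server and correlates them with recent event 6273 entries carrying reason code 16. It assumes it runs on the NPS server with rights to read the Security log; the value-to-policy mapping (3 = "Send NTLMv2 response only", 5 = "Send NTLMv2 response only. Refuse LM & NTLM") is the standard LmCompatibilityLevel scale.

```powershell
# Added example: audit NTLM settings that decide whether NPS can process MS-CHAPv2,
# and list recent NPS 6273 "credentials mismatch" (reason code 16) failures.
# Assumption: run on the NPS server with permission to read the Security log.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RasPol = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'

# Human-readable names for the LmCompatibilityLevel values this thread talks about.
$LmLevelNames = @{
    3 = 'Send NTLMv2 response only'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-NtlmAuditState {
    $lm = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # Value mentioned on the Microsoft troubleshooting page linked in the accepted answer.
    $compat = (Get-ItemProperty -Path $RasPol -Name 'Enable NTLMv2 Compatibility' `
              -ErrorAction SilentlyContinue).'Enable NTLMv2 Compatibility'
    [pscustomobject]@{
        LmCompatibilityLevel   = $lm
        LmLevelName            = if ($null -ne $lm -and $LmLevelNames.ContainsKey([int]$lm)) { $LmLevelNames[[int]$lm] } else { 'not set / other' }
        EnableNtlmV2Compat     = $compat
        # Level 5 refuses the NTLMv1 response MS-CHAPv2 produces, so it breaks MS-CHAPv2 on NPS.
        MsChapV2LikelyBlocked  = ($lm -eq 5)
    }
}

function Get-NpsCredentialMismatchEvents([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 6273 carries "Reason Code: <n>" in its message text; 16 = credentials mismatch.
        $code = if ($_.Message -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{ Time = $_.TimeCreated; ReasonCode = $code }
    } | Where-Object { $_.ReasonCode -eq 16 }
}

$state  = Get-NtlmAuditState
$events = @(Get-NpsCredentialMismatchEvents)
$state | Format-List
"Reason code 16 failures in the last 24h: $($events.Count)"
if ($state.MsChapV2LikelyBlocked -and $events.Count -gt 0) {
    'LmCompatibilityLevel 5 plus reason-code-16 failures matches the pattern in this thread; ' +
    'MS-CHAPv2 needs NTLMv1, so either lower the level to 3 or move the NAS to EAP-TLS/PEAP.'
}
```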

4 additional answers

  1. Sunny Qi 11,061 Reputation points Microsoft Vendor
    2021-01-04T08:54:08.813+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Based on my experience, I assume the Event ID is 6273 with reason code 16. Please correct me if my understanding is wrong.

    This error might be caused by one of the following conditions:

    The user does not have valid credentials
    The connection method is not allowed by network policy
    The network access server is under attack
    NPS does not have access to the user account database on the domain controller
    NPS log files or the SQL Server database are not available

    Please refer to troubleshooting steps in the following articles:

    Event ID 6273 — NPS Authentication Status

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. davobo 116 Reputation points
    2021-01-05T06:46:39.393+00:00

    Hi Sunny,

    thanks for the suggestion, and you are right regarding the Event ID and reason code.

    I'll try to address each point individually.

    1. The user does not have valid credentials
      The same user that I'm trying to connect to the MikroTik router with using RADIUS successfully logs in to a domain PC and to a remote PC over RDC.
      So I think that this can be ruled out.
      MS-CHAPv2 is used. PEAP and EAP are not defined, so there shouldn't be any problems regarding certificates.
    2. The connection method is not allowed by network policy
      Only two rules are located in the network policy (under Conditions):
      "User Groups" - the user is a member of the configured group
      "Client Friendly Name" - the name defined here is the same as in the MikroTik router
      Since I haven't defined any restrictions, this should be OK, or am I overlooking something?
    3. The network access server is under attack
      Based on the logs, there are only failed attempts, which were mostly from troubleshooting.
    4. NPS does not have access to the user account database on the domain controller
      This can also be ignored, since NPS and AD are on the same PC.
    5. NPS log files or the SQL Server database are not available
      NPS log files are set to the default location - %Systemroot%\system32\LogFiles
      SQL Server logging isn't configured.

    Maybe this information can be helpful. I see that there is a difference between the old successful authentication requests and the new ones that fail:
    The old log contains the NP-Policy-Name field:
    [screenshot: 53543-image.png]

    In the new requests this field is missing:
    [screenshot: 53544-image.png]

    Is there a way to test each component of NPS individually (connection, policy, user rights, ...), or some tool that can help in troubleshooting?


  3. Sunny Qi 11,061 Reputation points Microsoft Vendor
    2021-01-06T07:55:02.167+00:00

    Hi @davobo

    Thank you very much for your feedback.

    If the issue still exists, I would suggest collecting network traffic via Network Monitor while reproducing the issue to find the cause of the authentication failure. You could download the tool from the following link:

    https://www.microsoft.com/en-sg/download/details.aspx?id=4865

    However, please understand that analysis of network traffic is beyond our platform support level.

    If you want to further analyze the network trace, I would suggest you open a case with Microsoft, where a more in-depth investigation can be done, so that you get a more satisfying explanation and solution to this issue.

    You may find the phone number for your region from the link below:

    Global Customer Service phone numbers

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Victor Lopes 6 Reputation points
    2022-06-14T13:29:09.787+00:00

    Sorry to reply on an old post, but a similar issue has resurfaced after a recent update, and events 4625 and 6273 appearing consecutively in the Security log of your NPS server could also mean a certificate mapping issue. If you use EAP-TLS ("Microsoft: Smart Card or other certificate" as your EAP authentication type), then NTLM versions probably won't affect you. See this other post: nps-stopped-working-after-may-2022-updates.html
