Is there any steps or guidelines on how to setup/configure NPS for multi-forest (two-way trust) environment? Tried to look for the details but couldn't find any. Hopefully someone here could assist me with the following as well: Do I need each network policy for each of the forest? The setup is for PEAP-MSCHAP-V2, so do I need to import CA cert into the NPS server from each of the forests? Can one network policy contain multiple CA cert? If we have to import CA cert from each forests does it means that we will need multiple network policies as well? Sorry this is my first time setting up NPS for multi forest, please forgive me if these are stupid questions.

Hi @Marcus Wong Theen Nam , Yes, in theory, your thoughts are right. Based on my discussion with my colleagues, you need one NPS server in multi-forest (two-way trust) environment. If you setup PEAP-MSCHAP-V2, NPS server should have CA certs from each of the forests. That's to say, you need multiple network policies that contain different CA cert from each of the forests. Best Rehards, Candy -------------------------------------------------------------- If the Answer is helpful, please click " Accept Answer " and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi @Candy Luo , For the third point I'm a bit confusing as it stated I must use a RADIUS proxy for authentication across forests if that consists of Windows Server 2008 and Windows Server 2003 domains. If my domain/forest functional level is 2008 R2 or 2012 do I need the RADIUS proxy as well?

Hi @Marcus Wong Theen Nam , For certificate authentication, you need to configure 4 NPS server for each forest： One NPS RADIUS server in the abc.com forest, import CA certs to RADIUS server from all forest CA (eg: nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io), add all RADIUS clients and create 4 network policies with each CA certs. One NPS both act as a RADIUS server and a RADIUS proxy in the abc.local, one network policy for own domain. One NPS both act as a RADIUS server and a RADIUS proxy in the abc.xyz, one network policy for own domain. One NPS both act as a RADIUS server and a RADIUS proxy in the abc.io, one network policy for own domain. For how to configure NPS proxy: Use NPS proxy and rely on the realm name to forward the RADIUS request to the right NPS server (the one that belongs to abc.com). https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-realm-names https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy What needs to be configured on NPS: Create Remote Radius Server group with the NPS server for the abc.com domain. Create a new Connection Request Policy. Condition is to match the realm on the username with format *@domain.com (e.g. * @jaswant .local) Authentication is forwarded to the previous created Remote RADIUS server group: Best Regards, Candy -------------------------------------------------------------- If the Answer is helpful, please click " Accept Answer " and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi, Just wondering is it necessary to configure NPS as RADIUS server on each forests? I thought we would just need 1 NPS RADIUS server and the other should be NPS Proxy? Yes, 1 NPS RADIUS server and the other should be NPS Proxies are enough. I need to correct one place, don't add all RADIUS clients to NPS RADIUS server in the abc.com forest. The configuration should as below: One NPS RADIUS server in the abc.com forest, import CA certs to RADIUS server from all forest CA (eg: nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io), create 4 network policies with each CA certs. One RADIUS proxy in the abc.local forest, add radius client from own domain. One RADIUS proxy in the abc.xyz forest, add radius client from own domain. One RADIUS proxy in the abc.io forest, add radius client from own domain. Best Regards, Candy

Setup Microsoft NPS as RADIUS server for multi-forest AD (Two Way Trust Relationships)

Marcus Wong Theen Nam 1,111

Is there any steps or guidelines on how to setup/configure NPS for multi-forest (two-way trust) environment? Tried to look for the details but couldn't find any. Hopefully someone here could assist me with the following as well:

Do I need each network policy for each of the forest?
The setup is for PEAP-MSCHAP-V2, so do I need to import CA cert into the NPS server from each of the forests?
Can one network policy contain multiple CA cert? If we have to import CA cert from each forests does it means that we will need multiple network policies as well?

Sorry this is my first time setting up NPS for multi forest, please forgive me if these are stupid questions.

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-11T01:21:15.773+00:00

Just want to confirm the current situations. You could accept the useful reply as answer if you want to end this thread up.  It will encourage the person who help you. Appreciate your understanding. :)

If there is anything else I can do for you, please feel free to post in the forum.

4 answers

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-09T07:51:52.777+00:00

Hi @Marcus Wong Theen Nam ,

Yes, in theory, your thoughts are right.

Based on my discussion with my colleagues, you need one NPS server in multi-forest (two-way trust) environment. If you setup PEAP-MSCHAP-V2, NPS server should have CA certs from each of the forests. That's to say, you need multiple network policies that contain different CA cert from each of the forests.

Best Rehards,
Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Marcus Wong Theen Nam 1,111 Reputation points

2021-06-09T08:02:52.03+00:00

Hi @Candy Luo ,

Thanks for your reply.

According to your reply:

Meaning I only install 1 NPS RADIUS server in the multi forest environment? Lets say I have abc.com, abc.local, abc.xyz, abc.io. I only have to install one NPS server in abc.com forest right?

According to your answer about the CA certs and network policies, meaning from NPS server I have to request certificate and issue it to the NPS server from all the forest CA? Then create total of 4 network policies for each of the forests with different CA certs accordingly? How about the network policies processing order? Will it affect anything?

Is there a need to install NPS Proxy?

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-09T08:37:59.337+00:00

YES.

YES. The order of network policies should not have much impact.

From Microsoft official document, it seems you need to use a Radius proxy if you use EAP-TLS or PEAP-TLS with certificates:

For your reference:

NPS as a RADIUS Server and Proxy
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Marcus Wong Theen Nam 1,111 Reputation points

2021-06-09T09:23:12.897+00:00

Hi @Candy Luo ,

For the third point I'm a bit confusing as it stated I must use a RADIUS proxy for authentication across forests if that consists of Windows Server 2008 and Windows Server 2003 domains. If my domain/forest functional level is 2008 R2 or 2012 do I need the RADIUS proxy as well?
Please sign in to rate this answer.
Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-09T09:35:46.683+00:00

Yes, no matter the functional level, you still need to use RADUIS proxy servers that forward authentication requests to the appropriate forest, even when the forests have a two-way, transitive trust relationship.

The reason is that without Radius Proxy, the SPN (Service Principal Name) lookup in AD does not work. When the NPS server receives the computer identity, it is in the form of an SPN (host/ComputerName.DNSDomainName). The NPS server passes the SPN to the local global catalog. If the global catalog is unable to match the SPN to a local domain account, it will fail the request with a No Valid Account Found error condition.

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-09T09:54:38.597+00:00

In that case I would have to deploy it as below?

One NPS RADIUS server in the abc.com forest

Import CA certs to RADIUS server from all forest CA (eg: nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io)

Add all RADIUS clients and create 4 network policies with each CA certs

Setup one NPS RADIUS proxy (Where should we place this server? Can it be on the same subnet/forest as NPS RADIUS server? )

Thank you.

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-09T10:06:28.023+00:00

The best recommended configuration for cross forest/domain authentication scenario will be to configure NPS Proxy on individual forest environment which helps to authenticate users successfully.
The detailed steps I will send you tomorrow.

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-09T10:09:48.307+00:00

Ok @Candy Luo , will wait your update and thanks a lot for your assistance.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-10T02:21:24.03+00:00
Hi @Marcus Wong Theen Nam ,

For certificate authentication, you need to configure 4 NPS server for each forest：

One NPS RADIUS server in the abc.com forest, import CA certs to RADIUS server from all forest CA (eg: nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io), add all RADIUS clients and create 4 network policies with each CA certs.

One NPS both act as a RADIUS server and a RADIUS proxy in the abc.local, one network policy for own domain.

One NPS both act as a RADIUS server and a RADIUS proxy in the abc.xyz, one network policy for own domain.

One NPS both act as a RADIUS server and a RADIUS proxy in the abc.io, one network policy for own domain.

For how to configure NPS proxy:

Use NPS proxy and rely on the realm name to forward the RADIUS request to the right NPS server (the one that belongs to abc.com).

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-realm-names

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy

What needs to be configured on NPS:

Create Remote Radius Server group with the NPS server for the abc.com domain.

Create a new Connection Request Policy.

Condition is to match the realm on the username with format *@domain.com (e.g. *@jaswant .local)

Authentication is forwarded to the previous created Remote RADIUS server group:

Best Regards,
Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Marcus Wong Theen Nam 1,111 Reputation points

2021-06-10T04:05:30.98+00:00

Hi @Candy Luo ,

Thanks for the detail steps. Just wondering is it necessary to configure NPS as RADIUS server on each forests? I thought we would just need 1 NPS RADIUS server and the other should be NPS Proxy?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-10T06:37:47.603+00:00
Hi,

Just wondering is it necessary to configure NPS as RADIUS server on each forests? I thought we would just need 1 NPS RADIUS server and the other should be NPS Proxy?

Yes, 1 NPS RADIUS server and the other should be NPS Proxies are enough. I need to correct one place, don't add all RADIUS clients to NPS RADIUS server in the abc.com forest. The configuration should as below:

One NPS RADIUS server in the abc.com forest, import CA certs to RADIUS server from all forest CA (eg: nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io), create 4 network policies with each CA certs.

One RADIUS proxy in the abc.local forest, add radius client from own domain.

One RADIUS proxy in the abc.xyz forest, add radius client from own domain.

One RADIUS proxy in the abc.io forest, add radius client from own domain.

Best Regards,
Candy
Please sign in to rate this answer.
Marcus Wong Theen Nam 1,111 Reputation points

2021-06-10T06:46:53.853+00:00

Hi @Candy Luo ,

Just two last question, from the NPS proxy do we need to configure the network policy? As I know we don't have to create network policy in NPS proxy, so in this case we just have to add in the RADIUS client from each forest into the NPS proxy accordingly right? Please correct me if I'm wrong.

Other than adding the NPS proxy in each forest is there any other ways that we can achieve the deployment without NPS proxy? I've came across this discussion and it mentioned to configure "Selective Authentication Trust", is this feasible as well for two way trusts?

Thank you.

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-10T07:05:24.743+00:00

YES. Youd don't need to configure the network policy. If you want to use one NPS server in the multiple forest, then you need NPS proxy to forward the RADIUS request to the that NPS server.

As far as I know, for certificate authentication, you must need NPS proxy.

In fact, there is no Microsoft official document talking about the detailed deployment for NPS across multiple forest. The above conclusions are based on our experience and discussion with my colleagues and some internal resource.

If you want to learn more details, you might consider opening an Advisory case to our Premier support team, they will have more resource to answer your question in detailed information.

For more information about our Premier support, please check the following link:

https://www.microsoft.com/en-us/microsoftservices/support.aspx

Hope this can help with you.

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-11T07:24:25.15+00:00

Hi Candy,

Noted on the information given and thanks a lot for your kind assistance:)

Thank you.

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-11T07:30:37.123+00:00

You are welcome！Have a wonderful day! :)

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-14T06:35:29.537+00:00

Hi @Candy Luo ,

Just to reopen this discussion as I am currently doing some testing in my test lab for NPS RADIUS with cross forest authentication with PEAP-MSCHAP-V2. However, I'm not able to get authenticated with the second forest, please refer to the following diagram:

May I know from here on where should I add the NPS proxy to make it work? Currently there are only 1 NPS network connection policy & 1 NPS network policy.

Thank you.

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-14T07:31:30.66+00:00

Try to add a NPS server in testlab. local domain and then add NPS proxy on malab.local to forward NPS request. See if this can work.

Or

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-16T07:58:56.137+00:00

Did you have any updates?

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-16T08:13:13.117+00:00

Hi Candy,

I've tried to add proxy to forward the connection but still not able to authenticate. So far what I've added was a connection request policy in the NPS proxy to forward the authenticate request to NPS RADIUS server at testlab.local. On the NPS RADIUS server at testlab.local I still need to add the RADIUS client (VPN server) and also a connection request policy & network policy?

Candy Luo 12,701 Reputation points Microsoft Vendor

2021-06-16T08:25:19.527+00:00

On the NPS RADIUS server at testlab.local I still need to add the RADIUS client (VPN server) and also a connection request policy & network policy?

If all your radius clients point to the NPS RADIUS server at mylab.local domain, then on the NPS RADIUS server at testlab.local , you don't need to add the RADIUS client (VPN server), but you still need to configure connection request policy & network policy.

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-16T09:06:50.533+00:00

Hi @Candy Luo ,

I'm using the first design that you suggested to me which is to add another RADIUS server in testlab.local. So as per your respond, I just need to configure the connection request policy & network policy on the new RADIUS server in testlab.local will be enough?

Marcus Wong Theen Nam 1,111 Reputation points

2021-06-16T09:09:40.213+00:00

By the way, I came across this link and it stated the below:

https://flylib.com/books/en/2.219.1.76/1/

Could you please advise on this?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Setup Microsoft NPS as RADIUS server for multi-forest AD (Two Way Trust Relationships)

4 answers

Your answer