MAC Authentication Bypass with NPS Not Working After KB5008102

Ch3ll 1 Reputation point
2021-12-10T17:28:12.607+00:00

Hello. A few weeks ago KB5008102 was applied to domain controllers. From my understanding, it requires computer objects to be created with a trailing $ at the end of the sAMAccountName. Prior to this, I'd add computer objects in the form of a MAC address, for example 111122223333, and they'd authenticate when connected. Now, for new computer objects, I have to add them as 111122223333$, but authentication fails at the NPS, and the device is seen by the NPS server as:

Security ID: NULL SID
Account Name: 111122223333
Account Domain: ADU
Fully Qualified Account Name: ADU\111122223333

The reason code is 16, "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

//BREAK//

For existing computer objects defined prior to KB5008102, they continue to be seen as Security ID: ADU\xxxxxxxxxxxx

A current NPS policy for, let's say, VLAN 107 matches on the conditions Authentication Type "PAP" and User Groups "ADU\BLDG23A_VLAN107".
I don't have the necessary permissions to delete the trailing $ from a sAMAccountName. I was wondering how I could create a new policy that would authenticate these new computer objects that have a trailing $ at the end of the sAMAccountName. Thanks.


3 answers

  1. Limitless Technology 39,161 Reputation points
    2021-12-17T15:12:30.883+00:00

    Hello @Ch3ll

    Before creating a new policy, check this out first. Reason code 16 means that either the client computer attempted to use an authentication method that is not enabled on the matching network policy, or the client computer attempted to authenticate as Guest, but guest authentication is not enabled.

    MAC address authorization is performed when the user does not type in any user name or password and refuses to use any valid authentication method.

    MAC Address Authorization
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197535(v=ws.10)?redirectedfrom=MSDN

    Hope this resolves your Query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Ch3ll 1 Reputation point
    2021-12-17T16:39:43.22+00:00

    LimitlessTechnology-2700
    Thanks for the feedback. I looked at the registry but those don't exist; we're on Windows Server 2016. As that article states, I have been able to create user accounts where the MAC address is the username, but I have to do so in the Users OU. Nonetheless, authentication is successful. Prior to KB5008102 we've always worked out of a computer OU, and with a script were able to create it as a "user" account, sAMAccountType 805306368 (NORMAL_USER_ACCOUNT). However, now in this computer OU, objects can only be created as sAMAccountType 805306369 (MACHINE_ACCOUNT) and will have the $ at the end of the sAMAccountName.

    I've tried pattern matching regular expressions in the Calling-Station-Identifier attribute of a policy, but it never matches, not even on the exact MAC address, and I highly suspect it's because of the mandatory $ being placed at the end of the sAMAccountName.

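    To see which objects are affected before touching any NPS policy, here is an added audit script (not from this thread or from Microsoft) that lists AD objects whose sAMAccountName is a 12-hex-digit MAC, with or without the trailing $, and reports whether each is a NORMAL_USER_ACCOUNT (805306368) or a MACHINE_ACCOUNT (805306369) and whether it is in the VLAN group. The OU distinguished name and the RSAT ActiveDirectory module are assumptions; the group name is the one from the question.

```powershell
# Added example (not from the thread): inventory MAC-named AD objects and flag the
# machine accounts whose '$'-suffixed sAMAccountName will not equal the bare MAC that
# the switch sends as the user name (the "Account Name" in the NPS event).
# Assumptions: RSAT ActiveDirectory module is installed; $SearchBase is a placeholder DN.
Import-Module ActiveDirectory

$SearchBase = 'OU=MAB-Devices,DC=adu,DC=example'   # placeholder OU, adjust to yours
$VlanGroup  = 'BLDG23A_VLAN107'                    # group used by the VLAN 107 policy

# LDAP filters have no regex, so fetch every object with a sAMAccountName in the OU
# and filter client-side with a .NET regex.
$candidates = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sAMAccountName=*)' `
    -Properties sAMAccountName, sAMAccountType, objectClass, memberOf

$macPattern = '^[0-9a-fA-F]{12}\$?$'   # 12 hex digits, optional trailing '$'

$report = foreach ($obj in $candidates) {
    if ($obj.sAMAccountName -notmatch $macPattern) { continue }
    $typeName = switch ($obj.sAMAccountType) {
        805306368 { 'NORMAL_USER_ACCOUNT' }
        805306369 { 'MACHINE_ACCOUNT' }
        default   { "OTHER($($obj.sAMAccountType))" }
    }
    [pscustomobject]@{
        SamAccountName    = $obj.sAMAccountName
        # What the switch sends and NPS logs: the MAC without any '$'.
        NameNpsWillSee    = $obj.sAMAccountName.TrimEnd('$')
        HasTrailingDollar = $obj.sAMAccountName.EndsWith('$')
        AccountType       = $typeName
        ObjectClass       = $obj.objectClass
        InVlanGroup       = [bool]($obj.memberOf | Where-Object { $_ -like "CN=$VlanGroup,*" })
    }
}

$report | Sort-Object AccountType, SamAccountName | Format-Table -AutoSize

# These are the objects the thread describes as failing with reason code 16 / NULL SID.
$report | Where-Object { $_.HasTrailingDollar } | ForEach-Object {
    Write-Warning "sAMAccountName '$($_.SamAccountName)' != user name '$($_.NameNpsWillSee)' sent by the switch"
}
```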

  3. Burkhard Landwehr 0 Reputation points
    2023-09-28T08:34:46.65+00:00

    I have the same problem; a copy of an old user doesn't work either.

    the original
    
    Benutzer:
    	Sicherheits-ID:			***\60d039-647c99
    	Kontoname:			60d039-647c99
    	Kontodomäne:			***
    	Vollqualifizierter Kontoname:	***\60d039-647c99
    
    the copy is seen as:
    
    Benutzer:
    	Sicherheits-ID:			NULL SID
    	Kontoname:			04ed33-283282
    	Kontodomäne:			***
    	Vollqualifizierter Kontoname:	***\04ed33-283282
    