This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hello,
after installing the latest patch tuesday (May 2022) updates and restarting the servers the domain computers (Win 10) are not able to join to company's local network via ethernet or Wifi anymore. Both connection methods are using NPS with EAP and certificate based authentication.
Before installing the updates everything was working fine. This problem appeared right after installing the updates and rebooting the servers. No change in any settings regarding NPS or certificates were made before the problem started.
After installing the updates the NPS log stopped logging new events despite it seemed to be still enabled for both success and failure. I disabled and then re-enabled the logging and now it seems to log properly.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Now the log event for every computer trying to join the company's local network seem to be this:
Event ID: 6273
Keyword: Audit Failure
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
What could be the causing this problem?
Thank you in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 30%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We got the systems working again without tweaking registry and without uninstalling the patch. We re-enrolled all certs with the new SID attribute and checked that the NPS is offering right certificate from the client side event log. It wasn't doing that originally even though all dialogs showed the right certificate is chosen, but we had to change it to another and back to get it to actually offer the right certificate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 18%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
I haven't been able to get it to work. I can see the client has the new OID 1.3.6.1.4.1.311.25.2 in the client certificate that is populated with the client computer's SID after I re-enrolled the certificate. Where is the location in the client side event log that I can check whether the correct certificate is being offered?
Hi, it should be in System Event log. Event source Schannel, description says something about expired certificate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 80%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Thank you for the update in how you resolved the issue. We are still troubleshooting this in our organization and was curious if you happen to have some step-by-step instructions you are able to share or is there a site you followed to resolve?
I read the kb from MS like tens of times and finally understood that the SID extension should be there. So if you have that above mentioned OID 1.3.6.1.4.1.311.25.2 in all the certificates, that part should be okay. If not, re-enroll them from CA management.
After that, verify from client which certificate is offered from NPS (by checking event log, schannel source).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 55.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
For us the workaround was to add reg key here:
HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\
value: CertificateMappingMethods
Data Type: DWORD
Data: 0x1F
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 4%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
hi there,
Did you make this change on the client, NPS server or Domain Controller?
Edit: NPS is running on DC so can't comment this one.
Keep in mind that changing the SChannel registry key value back to the previous default (0x1F) will revert to using weak certificate mapping methods.
We have NPS running on DC, so we did those changes across Domain Controllers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 22%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
We ran into this and have seperate AD/NPS servers. I applied it only to the DCs and it corrected the issue for now until we can investigate the stricter certificate mappings. No reboot of the DCs was required.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 38%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF0%3C/text%3E%3C/svg%3E)
We did the same this morning only on our DC servers. (NPS is on another server)
I confirm no DC reboot was required and it fixes the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 70%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Thank you so much @Matt Wierzgac , this worked for me. I've spent hours with this problem and in the end it was a certificate mapping issue. I didn't need to uninstall any update though.
I've set the CertificateMappingMethods key to 1F on my domain controllers and on my NPS server. Authentication on my Wireless network started working again right away (I honestly don't recall if a reboot was necessary or not).
Check out session "SChannel registry key" on this link kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 as others pointed out.
If you're using EAP-TLS, I mean, "Microsoft: Smart Card or other certificate" as your only EAP authentication type, then I would focus on the CertificateMappingMethods key.
These events 4625 and 6273 also seem to occur due to NTLM version mismatch, and there are many forum posts pointing to a NTLMv2 option and a LAN Manager authentication level policy, but if you only use certificates this won't play a role in your environment (at least for me it didn't make any difference). I must point out that in my domain this policy is set to "Send NTLMv2 responses only. Refuse LM & NTLM" (level 5) and the authentication is working (I've tested different levels and it didn't change the behavior).
I'm using Computer certificates as authentication method and this might have an influence too. I checked my CA, and every newly issued certificates did have the OID 1.3.6.1.4.1.311.25.2, but neither the clients with old or new certificates could authenticate. I notice the documentations about this new certificate mapping strategy focus mainly on user certificates, so I tried authenticating with a user certificate as well (instead of a local machine certificate), but it didn't work at all.
It's frustrating how someone somewhere decides that "this is not the best practice anymore" and then something on your production environment stops working. But the real bummer is how every NPS issue is disappointingly difficult to identify. But everything is working now. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 76%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPN%3C/text%3E%3C/svg%3E)
@Victor Lopes Thanks, can you please post here a screenshot of your reg key exactly? Do you have multiple DC's? HAve you added this to all of them? Did you add it to the NPS and DC just then? No other modifications were done by you?
Thanks
Hi there, sure. Yes, this domain has two DCs: a Windows Server 2012 R2 (which is also the CA) and a Windows Server 2019 (newly added). The NPS is a 2012 R2. Both the DCs and the NPS have this key value defined as 1F. I must state again that I didn't uninstall any updates.
While troubleshooting this I also made the following changes to the NPS server, which didn't make any difference at the time and I don't think it plays a role in this issue specifically:
CertificateMappingMethods key value:
Authentication policy:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 41%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hi guys,
we have observed another change of behavior, though we do not now for 100% if this is related to the May Update due to COVID-19 lockdown, time related dependencies are a little messed up.
Anyway...
We run a RODC in an remote office with NPS installed. For multiple, but not all, clients we had the 6273 Reason 16 Error. More or less by accident we found that affected clients did not had their passwords replicated to the RODC (with NPS). By replicating the password, clients authenticated immediately.
What we do know for 100%, that worked without the replicated password in march.
Just wanted to let you know, if someone stills fights this, it might help...
Greetings
Marc
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 3%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
So what is the actual secure fix to this? Deployed new certs with the new OID in but no authentication works for machine auth unless the certificatemappingmethods key is set to 1f
My understanding was this was always supposed to be a soft-error, filling up the event log with warnings that your certificate binding was not strong, until 1 year after the patch release (registry overrides no longer work). The idea being that you've patched your CA and now all the new certs will be issued with the new OID (kinda presumes you haven't messed with the default certificiate expiration though). It just blew up for machine auth. It has to be a bug but I haven't seen any official acknowledgement from Microsoft.