NPS stopped working after May 2022 updates

Grt893 21 Reputation points


after installing the latest patch tuesday (May 2022) updates and restarting the servers the domain computers (Win 10) are not able to join to company's local network via ethernet or Wifi anymore. Both connection methods are using NPS with EAP and certificate based authentication.

Before installing the updates everything was working fine. This problem appeared right after installing the updates and rebooting the servers. No change in any settings regarding NPS or certificates were made before the problem started.

After installing the updates the NPS log stopped logging new events despite it seemed to be still enabled for both success and failure. I disabled and then re-enabled the logging and now it seems to log properly.

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Now the log event for every computer trying to join the company's local network seem to be this:

Event ID: 6273

Keyword: Audit Failure

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

What could be the causing this problem?

Thank you in advance!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,093 questions
{count} votes

Accepted answer
  1. Vasyl Klyuyev 81 Reputation points

    For us the workaround was to add reg key here:

    value: CertificateMappingMethods
    Data Type: DWORD
    Data: 0x1F

    according to

15 additional answers

Sort by: Most helpful
  1. Victor Lopes 1 Reputation point

    Thank you so much @Matt Wierzgac , this worked for me. I've spent hours with this problem and in the end it was a certificate mapping issue. I didn't need to uninstall any update though.

    I've set the CertificateMappingMethods key to 1F on my domain controllers and on my NPS server. Authentication on my Wireless network started working again right away (I honestly don't recall if a reboot was necessary or not).
    Check out session "SChannel registry key" on this link kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 as others pointed out.

    If you're using EAP-TLS, I mean, "Microsoft: Smart Card or other certificate" as your only EAP authentication type, then I would focus on the CertificateMappingMethods key.
    These events 4625 and 6273 also seem to occur due to NTLM version mismatch, and there are many forum posts pointing to a NTLMv2 option and a LAN Manager authentication level policy, but if you only use certificates this won't play a role in your environment (at least for me it didn't make any difference). I must point out that in my domain this policy is set to "Send NTLMv2 responses only. Refuse LM & NTLM" (level 5) and the authentication is working (I've tested different levels and it didn't change the behavior).

    I'm using Computer certificates as authentication method and this might have an influence too. I checked my CA, and every newly issued certificates did have the OID, but neither the clients with old or new certificates could authenticate. I notice the documentations about this new certificate mapping strategy focus mainly on user certificates, so I tried authenticating with a user certificate as well (instead of a local machine certificate), but it didn't work at all.

    It's frustrating how someone somewhere decides that "this is not the best practice anymore" and then something on your production environment stops working. But the real bummer is how every NPS issue is disappointingly difficult to identify. But everything is working now. Thanks!

    0 comments No comments

  2. Pirović, Nikša 1 Reputation point

    @Victor Lopes Thanks, can you please post here a screenshot of your reg key exactly? Do you have multiple DC's? HAve you added this to all of them? Did you add it to the NPS and DC just then? No other modifications were done by you?

  3. Marc Plagge 1 Reputation point

    Hi guys,

    we have observed another change of behavior, though we do not now for 100% if this is related to the May Update due to COVID-19 lockdown, time related dependencies are a little messed up.
    We run a RODC in an remote office with NPS installed. For multiple, but not all, clients we had the 6273 Reason 16 Error. More or less by accident we found that affected clients did not had their passwords replicated to the RODC (with NPS). By replicating the password, clients authenticated immediately.

    What we do know for 100%, that worked without the replicated password in march.

    Just wanted to let you know, if someone stills fights this, it might help...


    0 comments No comments

  4. Alex Marsh 1 Reputation point

    So what is the actual secure fix to this? Deployed new certs with the new OID in but no authentication works for machine auth unless the certificatemappingmethods key is set to 1f