This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hello,
after installing the latest patch tuesday (May 2022) updates and restarting the servers the domain computers (Win 10) are not able to join to company's local network via ethernet or Wifi anymore. Both connection methods are using NPS with EAP and certificate based authentication.
Before installing the updates everything was working fine. This problem appeared right after installing the updates and rebooting the servers. No change in any settings regarding NPS or certificates were made before the problem started.
After installing the updates the NPS log stopped logging new events despite it seemed to be still enabled for both success and failure. I disabled and then re-enabled the logging and now it seems to log properly.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Now the log event for every computer trying to join the company's local network seem to be this:
Event ID: 6273
Keyword: Audit Failure
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
What could be the causing this problem?
Thank you in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 30%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We got the systems working again without tweaking registry and without uninstalling the patch. We re-enrolled all certs with the new SID attribute and checked that the NPS is offering right certificate from the client side event log. It wasn't doing that originally even though all dialogs showed the right certificate is chosen, but we had to change it to another and back to get it to actually offer the right certificate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 18%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
I haven't been able to get it to work. I can see the client has the new OID 1.3.6.1.4.1.311.25.2 in the client certificate that is populated with the client computer's SID after I re-enrolled the certificate. Where is the location in the client side event log that I can check whether the correct certificate is being offered?
Hi, it should be in System Event log. Event source Schannel, description says something about expired certificate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 80%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Thank you for the update in how you resolved the issue. We are still troubleshooting this in our organization and was curious if you happen to have some step-by-step instructions you are able to share or is there a site you followed to resolve?
I read the kb from MS like tens of times and finally understood that the SID extension should be there. So if you have that above mentioned OID 1.3.6.1.4.1.311.25.2 in all the certificates, that part should be okay. If not, re-enroll them from CA management.
After that, verify from client which certificate is offered from NPS (by checking event log, schannel source).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 55.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
For us the workaround was to add reg key here:
HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\
value: CertificateMappingMethods
Data Type: DWORD
Data: 0x1F
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 4%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
hi there,
Did you make this change on the client, NPS server or Domain Controller?
Edit: NPS is running on DC so can't comment this one.
Keep in mind that changing the SChannel registry key value back to the previous default (0x1F) will revert to using weak certificate mapping methods.
We have NPS running on DC, so we did those changes across Domain Controllers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 22%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
We ran into this and have seperate AD/NPS servers. I applied it only to the DCs and it corrected the issue for now until we can investigate the stricter certificate mappings. No reboot of the DCs was required.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 38%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF0%3C/text%3E%3C/svg%3E)
We did the same this morning only on our DC servers. (NPS is on another server)
I confirm no DC reboot was required and it fixes the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 67%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
This can be resolved by making a copy of the domain CA "Computer" cert template with the right options and redeploying it to endpoints.
We also created a new RAS IAS cert with new OID + Mappings for the NPS server.
Subject Name Tab: Subject name format set to Common name, DNS name and SPN boxes are checked.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 81%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Good Morning,
Not to sound daft. However, what were the "right options + mappings"? Is there a whitepaper released from MS?
Respectfully
Subject Name Tab: Subject name format set to Common name, DNS name and SPN boxes are checked.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 88%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
I get these same errors AGAIN for Windows 11 clients (Windows 10 clients that have identical policy applied, connect fine) after December 2022 KB5021249 update on all NPS & DCs - all are Windows Server 2022
The registry entry is already set (since May 22) to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
with CertificateMappingMethods = 0x1F
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wireless) - SP-WiFi
Network Policy Name: SP-WiFi - VLAN 110 Certificate Based Authentication (Staff)
Authentication Provider: Windows
Authentication Server: SP-V-NPS.domain.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: 37373245413632423138353837323737
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Turned out that needed to get NPS server(s) to do TSL 1.2 as per this:
https://warlord0blog.wordpress.com/2017/02/09/tls-and-nps/
https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af
No idea why default for NPS on Server 2022 is not that already
After NPS server reboot I get Windows 11 clients to connect again as nothing ever happened: Network Policy Server granted access to a user.