Alex

Reputation: 65

Which AD user's record does NPS check to validate an account? Can we change it?

For a school I implemented eduroam two years ago and from time to time we add new students in the AD. Five days ago I added 40 more new students but I changed the CN's (or what in New-ADUser is called "-Name") format:

from "name.surname" to "SURNAME, NAME" (quotes excluded), hence

earlier it was

CN=name.surname, OU=CLASS_A, OU=STUDENTS, DC...

now it is

CN=SURNAME, NAME, OU=CLASS_A, OU=STUDENTS, DC...

An eduroam username normally is <string with no blanks>@<yourschool>.<tld> so that the RADIUS proxies can route the auth request based on @<yourschool>.<tld>, so I must keep such a format.

Now, the new users cannot be authenticated anymore by NPS.

All the tests I ran back my thesis (i.e. that NPS uses CN to authenticate) but I cannot find any Microsoft document that states that.

  1. Could anybody share the link to such a doc?
  2. Is there a way to change the check from CN (if proved by the answer to point 1) to another user record like sAMAccountName or UPN?

I'm sure I'm touching something deep in AD but I hope somebody has tripped into this issue and has found an answer.

TIA

P.S. I guess the alternative would be to use FreeRADIUS but I would rather explore the options to still make it work within NPS/AD.

Upvotes: 0

Views: 1450

Answers (1)

Kartik Bhiwapurkar

Reputation: 5169

• Please check the Windows Server event security log for more details on the issue for NPS authentication because that might shed some more light on the actual issue that you might be facing. Till then, please clear the cache and temporary files from the server and restart the whole infrastructure regarding NPS, i.e., domain controller, NPS Server, Access points and other related devices through which users can login through NPS.

• Once restarted, please try to authenticate any allowed user through NPS once again and check. Also, as you are using NPS as a radius server proxy, please check for the attribute manipulation rules for message forwarding since the CNs are changed in their order/format in your AD. Specifically, regarding the username which is provided by the access client and is included by the NAS in the Radius access-request message. The value of this attribute is a character string that typically contains a realm name and a user account name.

• To correctly replace or convert realm names in the username of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy.

Also, find the below links regarding your query about which attribute you can use to authenticate in case of NPS. In them, it is clearly stated that the user principal name should be used as an attribute as a best practice: -

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#performance-tuning-nps

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#using-nps-in-large-organizations

Please check the below documentation link for your condition: -

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy#key-steps-3

Upvotes: 0
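
As an added diagnostic (example code, not from the question or the answer above), the script below takes the identity an eduroam client puts into the RADIUS User-Name attribute (<no-blanks>@<realm>) and reports which AD attribute it actually resolves by (userPrincipalName, sAMAccountName, or the CN exposed as Name), then audits a student OU for accounts whose UPN does not fit the eduroam format. The OU path and realm are placeholders to adjust.

```powershell
# Added example: check which AD lookup succeeds for a given eduroam User-Name,
# and audit student accounts against the <no-blanks>@<realm> convention.
Import-Module ActiveDirectory

$StudentsOU = 'OU=STUDENTS,DC=example,DC=edu'   # placeholder: your students OU
$Realm      = 'yourschool.tld'                  # placeholder: the @<yourschool>.<tld> realm

function Test-EduroamIdentity {
    param([Parameter(Mandatory)][string]$UserName)   # e.g. 'name.surname@yourschool.tld'
    # Strict character set: enforces the no-blanks rule and keeps the LDAP filter below
    # free of quote characters that could alter the query.
    if ($UserName -notmatch '^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$') {
        throw "'$UserName' is not in <no-blanks>@<realm> form"
    }
    $user, $realm = $Matches[1], $Matches[2]
    [pscustomobject]@{
        UserName = $UserName
        Realm    = $realm
        # Each lookup returns $null when nothing matches, so the cast yields $false.
        ByUPN    = [bool](Get-ADUser -Filter "userPrincipalName -eq '$UserName'")
        BySam    = [bool](Get-ADUser -Filter "sAMAccountName -eq '$user'")
        ByCN     = [bool](Get-ADUser -Filter "Name -eq '$user'")   # Name is the CN (RDN)
    }
}

function Get-EduroamUpnAudit {
    param([string]$SearchBase = $StudentsOU, [string]$ExpectedRealm = $Realm)
    $upnPattern = "^[A-Za-z0-9._-]+@$([regex]::Escape($ExpectedRealm))$"
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties userPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                CN                = $_.Name              # e.g. 'SURNAME, NAME' or 'name.surname'
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                CnHasBlank        = [bool]($_.Name -match '\s')
                UpnFitsEduroam    = [bool]($_.UserPrincipalName -match $upnPattern)
            }
        }
}

# Usage: which attribute does a failing student's User-Name resolve by?
Test-EduroamIdentity -UserName "name.surname@$Realm" | Format-List

# Usage: list accounts whose UPN will not route or resolve under the eduroam convention.
Get-EduroamUpnAudit | Where-Object { -not $_.UpnFitsEduroam } | Format-Table -AutoSize
```

Run it from a machine with RSAT against the same domain NPS authenticates to; an account that is only found ByCN while ByUPN and BySam are false is the case to fix on the AD side rather than in the connection request policy.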
