Cannot authenticate wireless through group policy.

We currently have a group policy which specifies the Wireless Connection in our building.

This group policy has been working properly, but now we have 50 (out of 1100) so far that have "lost the policy". These clients say "attempting to authenticate" and cannot attach to the wireless network. After connecting to the LAN and rebooting they are fine again.

Are these clients losing the policy somehow?

Thanks
Tim
desmetjh Asked:
 
desmetjh Author Commented:
The problem turned out to be an expired password on the computer account in Active Directory.
0
 
vickzz Commented:
Check the signal strength first and see if they are getting enough signal to associate with the AP.

The second step would be to check whether the Group Policy is being applied or not. To check this, you can use rsop.msc or gpresult /r
0
 
digitap Commented:
When you look in the event log, are there any entries about not being able to contact a domain controller?  What is the OS of these devices?
0
 
desmetjh Author Commented:
These are all Windows XP SP3.

The policy was applied correctly at one point, as they all connected when they were set up (approximately 2 months ago).

They have adequate signal strength. Once the policy is reapplied (through a LAN connection) they all connect to WLAN fine.
0
 
vickzz Commented:
Any event IDs?
0
 
digitap Commented:
You might consider forcing Kerberos to connect via TCP. UDP is the default on XP.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.

0
 
desmetjh Author Commented:
Nothing exceptional.  These clients cannot connect to the domain controller as they are unable to obtain a wireless connection.  The tablets operate strictly wireless on a day to day basis.

What is baffling is why they are suddenly losing the connection.
0
 
digitap Commented:
Otherwise, I can't explain why the group policy isn't being applied or appears to be "lost".  Once it's applied, it should stick.
0
 
desmetjh Author Commented:
Digitap:  I agree that the policy should stick.  Is there a timeout if they do not contact the domain controller within a set amount of time?  

This is a high school so there are periods when the clients will be out of the building for up to 2 or 3 months at a time.  However they do not have the ability to easily use the LAN.
0
 
vickzz Commented:
What kind of authentication are you using for wireless clients? PEAP-MS-CHAP or EAP-TLS?

Use the following article to use Computer Authentication only and see if it works.
http://support.microsoft.com/kb/929847
0
 
desmetjh Author Commented:
We are using PEAP and Computer Authentication to begin with.

WPA2
AES
Microsoft: Protected EAP (PEAP)
Eapol-Start Message: Transmit
Authentication Mode:  Computer Only
Authenticate as computer when computer information is available = this box is checked.
0
 
digitap Commented:
Did you try my suggestion? There's a request for event log information, but I don't see that information yet.
0
 
desmetjh Author Commented:
Digitap:  I tried the Parameters registry change but had no success.

I have attached the Application log.  There is an auto enrollment error:  
Event ID 15, Source AutoEnrollment,

 The description for Event ID 15 from source AutoEnrollment cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

local system
0x8007054b
The specified domain either does not exist or could not be contacted.
0
 
digitap Commented:
What's the vendor of the wireless card?  What hardware do you use for the wireless network?
0
 
whiteheadp Commented:
Hi, I am seeing exactly this behaviour, how did you finally resolve it?
0
 
desmetjh Author Commented:
The exact solution was to increase the Maximum machine account password age setting.

This is set in our Group Policy under Computer Config > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain Member: max machine account pw age.

The previous setting was 30 days, I believe. It turned out that our clients were not renewing the machine password wirelessly, only when cabled in to the LAN.

Hope that helps.
0
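
An added example (not posted by anyone in this thread): a PowerShell query an administrator could run from a management workstation to list enabled computer accounts whose password was last set longer ago than the policy's maximum age, so affected clients can be found before they fail to authenticate. It assumes the ActiveDirectory (RSAT) module is installed; the function name `Get-StaleMachinePassword` and the 30-day default are illustrative.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
# Get-StaleMachinePassword is a hypothetical helper name; 30 days is the value
# the poster recalls for "Domain member: Maximum machine account password age".
Import-Module ActiveDirectory

function Get-StaleMachinePassword {
    param(
        [int]$MaxAgeDays = 30,      # policy value to compare against
        [string]$SearchBase         # optional OU distinguished name to limit the search
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # Only enabled accounts; request the extra properties used below.
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'PasswordLastSet', 'LastLogonDate', 'OperatingSystem'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query |
        # Skip accounts that never set a password; keep those past the cutoff.
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'
               Expression = { [int]($now - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending
}

# Accounts already past the policy window, oldest password first.
Get-StaleMachinePassword -MaxAgeDays 30 | Format-Table -AutoSize
```

LastLogonDate is derived from a lazily replicated attribute, so treat it as approximate when judging how long a client has been away.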
 
whiteheadp Commented:
Hmmm, I wonder how best to resolve this on devices that will always connect wirelessly (never wired). It's almost as if they are getting stuck in a never-ending loop of:

- Computer is trying to authenticate to the wireless using computer account, but
- The computer password has expired so it needs changing, but
- Computer is not connected so can't update the computer password

But, the computer shouldn't actually change its computer password until it successfully connects to a domain controller.

On some investigation it looks like this only happens if the computer is logged in and is in standby at the time that the computer password expires.
0
Question has a verified solution.
