Solved

Cannot authenticate wireless through group policy.

Posted on 2010-08-20
Last Modified: 2013-11-12
We currently have a group policy which specifies the Wireless Connection in our building.

This group policy has been working properly but now we have 50 (out of 1100) so far that have "lost the policy".    These clients say "attempting to authenticate" and cannot attach to the wireless network.  After connecting to the LAN and rebooting they are fine again.

Are these clients losing the policy somehow?

Thanks
Tim
Question by:desmetjh
 
LVL 4

Expert Comment

by:vickzz
ID: 33485189
Check the signal strength first and see if they are getting enough signals to get associated with AP.

Second step would be to check whether the Group Policy is being applied or not. To check the same you can use rsop.msc or gpresult /r
 
LVL 33

Expert Comment

by:digitap
ID: 33485194
When you look in the event log, are there any entries about not being able to contact a domain controller?  What is the OS of these devices?
 

Author Comment

by:desmetjh
ID: 33485257
These are all Windows XP SP3.

The policy was applied correctly at one point as they all connected when they were set up (approximately 2 months ago).

They have adequate signal strength. Once the policy is reapplied (through a LAN connection) they all connect to WLAN fine.
 
LVL 4

Expert Comment

by:vickzz
ID: 33485320
Any event IDs?
 
LVL 33

Expert Comment

by:digitap
ID: 33485333
You might consider forcing Kerberos to connect via TCP. UDP is default on XP.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
   Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.

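The same registry change as the seven steps above, applied from PowerShell; this is an added example, not part of digitap's comment or the Microsoft article it quotes. It assumes an elevated prompt on the XP client and uses the key and value the steps name, creating the Parameters key when it is missing.

```powershell
# Added example: apply the MaxPacketSize change described in the steps above.
# Kerberos then uses TCP instead of UDP on this client; a reboot is still required.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Step 2's note: the Parameters key may not exist yet, so create it first.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Steps 3-5: DWORD value MaxPacketSize = 1 (decimal). -Force overwrites an existing value.
New-ItemProperty -Path $key -Name 'MaxPacketSize' -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so the change can be confirmed before step 7 (reboot).
Get-ItemProperty -Path $key -Name 'MaxPacketSize' | Select-Object MaxPacketSize
```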
 

Author Comment

by:desmetjh
ID: 33485341
Nothing exceptional. These clients cannot connect to the domain controller as they are unable to obtain a wireless connection. The tablets operate strictly wireless on a day-to-day basis.

What is baffling is why they are suddenly losing the connection.
 
LVL 33

Expert Comment

by:digitap
ID: 33485342
Otherwise, I can't explain why the group policy isn't being applied or appears to be "lost".  Once it's applied, it should stick.
 

Author Comment

by:desmetjh
ID: 33485361
Digitap:  I agree that the policy should stick.  Is there a timeout if they do not contact the domain controller within a set amount of time?  

This is a high school so there are periods when the clients will be out of the building for up to 2 or 3 months at a time. However, they do not have the ability to easily use the LAN.
 
LVL 4

Expert Comment

by:vickzz
ID: 33485367
What kind of authentication are you using for wireless clients? PEAP-MSCHAP or EAP-TLS?

Use the following article to use Computer Authentication only and see if it works.
http://support.microsoft.com/kb/929847
 

Author Comment

by:desmetjh
ID: 33485464
We are using PEAP and Computer Authentication to begin with.

WPA2
AES
Microsoft: Protected EAP (PEAP)
Eapol-Start Message: Transmit
Authentication Mode:  Computer Only
Authenticate as computer when computer information is available = this box is checked.
 
LVL 33

Expert Comment

by:digitap
ID: 33485851
Did you try my suggestion? There's a request for event log information, but I don't see that information yet.
 

Author Comment

by:desmetjh
ID: 33486133
Digitap:  I tried the Parameters registry change but had no success.

I have attached the Application log.  There is an auto enrollment error:  
Event ID 15, Source AutoEnrollment,

 The description for Event ID 15 from source AutoEnrollment cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

local system
0x8007054b
The specified domain either does not exist or could not be contacted.
 
LVL 33

Expert Comment

by:digitap
ID: 33488267
What's the vendor of the wireless card?  What hardware do you use for the wireless network?
 

Accepted Solution

by:
desmetjh earned 0 total points
ID: 33513439
The problem turned out to be an expired password on the computer account in Active Directory.
 

Expert Comment

by:whiteheadp
ID: 36708572
Hi, I am seeing exactly this behaviour, how did you finally resolve it?
 

Author Comment

by:desmetjh
ID: 36709440
The exact solution was to increase the Maximum machine account password age setting.

This is set in our Group Policy under Computer Config > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain Member: max machine account pw age.

The previous setting was 30 days I believe.  It turned out that our clients were not renewing the machine password wirelessly, only when cabled in to the LAN.

Hope that helps.
 

Expert Comment

by:whiteheadp
ID: 36709639
Hmmm, I wonder how best to resolve this on devices that will always connect wirelessly (never wired). It's almost as if they are getting stuck in a never ending loop of:

- Computer is trying to authenticate to the wireless using computer account, but
- The computer password has expired so it needs changing, but
- Computer is not connected so can't update the computer password

But, the computer shouldn't actually change its computer password until it successfully connects to a domain controller.

On some investigation it looks like this only happens if the computer is logged in and in standby at the time that the computer password expires.
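An added PowerShell check for the situation in desmetjh's solution and whiteheadp's follow-up (a machine account password coming due on a client that only ever connects wirelessly); it is not code from either poster. It assumes the RSAT ActiveDirectory module is available and that the effective maximum machine account password age is 30 days, the value desmetjh mentions; the Netlogon MaximumPasswordAge registry value read at the end is the client-side value the "Domain member: Maximum machine account password age" policy writes.

```powershell
# Added example: list enabled domain computers whose machine account password is
# within $WarnDays of the policy maximum, so wireless-only clients can be cabled in
# (or the policy reviewed) before computer authentication starts failing.
Import-Module ActiveDirectory

# Assumption: the effective "Domain member: Maximum machine account password age"
# is 30 days, as mentioned in the thread. Adjust to match the GPO in use.
$MaxAgeDays = 30
$WarnDays   = 5

$now    = Get-Date
$cutoff = $now.AddDays(-($MaxAgeDays - $WarnDays))

Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet, LastLogonDate,
        @{ n = 'AgeDays';  e = { [int]($now - $_.PasswordLastSet).TotalDays } },
        @{ n = 'DaysLeft'; e = { $MaxAgeDays - [int]($now - $_.PasswordLastSet).TotalDays } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize

# On an affected client, confirm which maximum age the policy actually applied.
# The policy writes this Netlogon value (in days); if it is absent, the built-in
# default of 30 days is in effect.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl -Name 'MaximumPasswordAge' -ErrorAction SilentlyContinue |
    Select-Object MaximumPasswordAge
```

Accounts that show a large AgeDays together with a recent LastLogonDate are the ones still renewing over the LAN only, which is the pattern desmetjh describes.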
