How to authenticate computer before user log on, NPS Server Windows XP (SP3) Windows 7

Posted on 2011-05-11
Last Modified: 2013-12-04
I have to set up 802.1X in my company; we are running Windows Server 2008 R2.
All the machines will use a wired connection to communicate with the NPS server.

In my company we have many requirements regarding networking rules.

1) We must have a local (non-domain) administrator account to manage any computer
2) We remotely take control of clients for maintenance purposes
3) We load scripts immediately after user login so as to mount personal network storage
4) The VLAN must be dynamically assigned according to the user account

I succeeded in setting up the authentication through a domain user account; the problem is that the machine is placed on the network only a few minutes after the account is opened, during which time the script is launched without having the network. So when the computer gets the network we can't see the attached network storage.

Another problem is that users who have never opened a session can't open a session, because the machine is not on the network and is not able to contact the domain controller.

To fix all those problems I am thinking about authenticating the machine before the user logs on, but I can't find any clear guide on the net that could help me solve the problem. Do I need to use certificates, and if so, how do I deploy them? I tried to deploy some computer certificates, but after creating the template I can't see them when I want to issue them in "Certificate Templates".

Also my Certification Authority and Domain controller are on the same machine.

Thanks for helping me.
Question by:Tony_David
    LVL 18

    Assisted Solution

- Add the AD computer accounts to a group.
- Configure the NPS policy to allow network access to the AD group containing the machines.
    LVL 18

    Expert Comment

    ...keep in mind the order of the configured policies.

    Author Comment

Well, I'm going to work this way, thanks.

    Author Comment

Hello x-men, your solution works fine with Windows 7, but I'm still not able to authenticate a Windows XP SP3 client.
Previously, on XP versions before SP3, it was possible to force computer-only authentication with this registry key:


But this is no longer the case with SP3; Microsoft suggests trying this way:

I tried to find the said "xml" file, but I don't know where it is located on the system.

Does anyone know where to find that "xml" file?

    Thanks for help.
    LVL 18

    Assisted Solution

The XML is the profile you exported from the Windows 7 machine.
After you modify it, you import it on the XP SP3 machine through "netsh lan add profile filename=PathofXMLFile".

    Accepted Solution

I finally found the solution:

Before anything else, be sure that the "Wired AutoConfig" service is running; proceed as follows:

    Start the service in the Services console. Click Start, right-click Computer, click Manage, and click Services and Applications. In the details pane, double-click Services, and then do one of the following:

    To configure the startup type, right-click Wired AutoConfig, and then click Properties.
    In Startup type, select Automatic, the recommended setting, and then click Start.
    To start the service for the current session only, right-click Wired AutoConfig, and then click Start.

To authenticate only the computer account:

    1. Open Command Prompt

2. Type: netsh lan export profile folder=C:\   // This should export the XML for your LAN setup

3. Open C:\Local Area Connection.xml in Notepad  // We need to add the line <authMode>machine</authMode>    // The XML filename can change according to the XP language version. Be sure to open the correct generated file.

    You don't need to add or modify any other lines than the needed one.

4. Save the XML file and close Notepad

5. At the command prompt type: netsh lan add profile filename="C:\Local Area Connection.xml" // The XML filename can change according to the XP language version. Be sure to type the correct generated filename.

    6. The profile should be added without any errors.  
    7. Reboot the machine and you should authenticate based on the machine name.

PS: The machine must be part of the domain.

    Sources :
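As an added illustration (not part of the accepted solution above, and not code from Microsoft), the following Python script performs step 3 of that procedure on an exported wired profile: it locates the 802.1X (OneX) section, sets `<authMode>machine</authMode>` there, and refuses to touch a file that has no OneX section or already contains an invalid mode. The OneX namespace URI and the placement of authMode before EAPConfig are assumptions taken from Microsoft's published OneX profile schema, and the sample profile is constructed for this example, with the EAP settings omitted.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the 802.1X (OneX) section of a wired LAN profile, as published
# in Microsoft's OneX schema (assumption for this example, not from the thread).
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = ("machine", "user", "machineOrUser")

# Constructed sample shaped like the output of 'netsh lan export profile';
# it is not an export from any real machine and the EAP settings are omitted.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <EAPConfig><!-- EAP method settings omitted in this sample --></EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


def auth_mode_of(profile_xml: str):
    """Return the <authMode> value of the OneX section, or None if absent."""
    root = ET.fromstring(profile_xml)
    el = root.find(f".//{{{ONEX_NS}}}OneX/{{{ONEX_NS}}}authMode")
    return None if el is None or el.text is None else el.text.strip()


def set_auth_mode(profile_xml: str, mode: str = "machine") -> str:
    """Return a copy of the profile text with <authMode> set to `mode`.

    The edit is applied to the text rather than re-serialised through
    ElementTree, so everything else in the file (namespace prefixes, EAP
    settings, indentation) stays exactly as netsh exported it.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"authMode must be one of {VALID_MODES}, got {mode!r}")
    root = ET.fromstring(profile_xml)  # also rejects malformed XML early
    if len(root.findall(f".//{{{ONEX_NS}}}OneX")) != 1:
        raise ValueError("profile must contain exactly one OneX section")

    # Case 1: authMode already present -> replace its value in place.
    existing = re.search(r"<authMode>[^<]*</authMode>", profile_xml)
    if existing:
        return (profile_xml[:existing.start()]
                + f"<authMode>{mode}</authMode>"
                + profile_xml[existing.end():])

    # Case 2: absent -> insert just before <EAPConfig>, which the OneX schema
    # orders after authMode; reuse that line's indentation.
    anchor = re.search(r"^([ \t]*)<EAPConfig[\s>]", profile_xml, re.MULTILINE)
    if anchor is None:
        raise ValueError("no <EAPConfig> element to anchor the insert on")
    line = f"{anchor.group(1)}<authMode>{mode}</authMode>\n"
    return profile_xml[:anchor.start()] + line + profile_xml[anchor.start():]


if __name__ == "__main__":
    # Intended use on the client, around the netsh commands from the thread:
    #   netsh lan export profile folder=C:\
    #   (run this script on the exported file and write the result back)
    #   netsh lan add profile filename="C:\Local Area Connection.xml"
    print(set_auth_mode(SAMPLE_PROFILE))
```

Re-importing the edited profile with `netsh lan add profile` is unchanged from the steps above; the script only guarantees that the added element lands inside the OneX section, which is where the supplicant reads it, rather than somewhere in the file where it would be silently ignored.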

    LVL 18

    Expert Comment


    Author Comment

x-men, so you mean that I can use the same XML file for all machines?
    LVL 18

    Expert Comment

That's my interpretation of the article.

    Expert Comment

Following an 'Objection' by x-men (as to the intended closure of this question), it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
    At this point I am going to re-start the auto-close procedure.
    Thank you,
    Community Support Moderator
