• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1280

New CA & WPA2-EAP Wireless Network Using Network Policy Server (NPS), AD and Group Policies

I decommissioned the old CA server, a Windows Server 2008 SP2 Domain Controller. I also removed all instances of it in AD. I set up a new CA server, a Windows Server 2008 R2 member server. But I can't get my laptops to authenticate with the new CA server. It is a member server running Windows Server 2008 R2 SP1. I get this error message when the client attempts to authenticate: "The following fatal alert was generated: 20. The internal error state is 960".
In the Event Viewer, under the Security log, it also generates the message below...
Your help is greatly appreciated.

Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          8/23/2012 9:20:57 AM
 Event ID:      6273
 Task Category: Network Policy Server
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      CERTSERV.domain1.com
 Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
     Security ID:            USER\temp17-L$
     Account Name:            host/temp17-L.domain1.com
     Account Domain:            USER
     Fully Qualified Account Name:    USER\temp17-L$
Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-19-77-31-07-51:CORP-WIFI
     Calling Station Identifier:        00-24-D7-EB-AB-EC
     NAS IPv4 Address:
     NAS IPv6 Address:        -
     NAS Identifier:            AP05
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            0
RADIUS Client:
     Client Friendly Name:        AP05
     Client IP Address:  
Authentication Details:
     Connection Request Policy Name:    Secure Wireless Connections
     Network Policy Name:        Secure Wireless Connections
     Authentication Provider:        Windows
     Authentication Server:        CERTSERV.domain1.com
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        -
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            23
     Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Event Xml:
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
     <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
     <Correlation />
     <Execution ProcessID="484" ThreadID="532" />
     <Security />
     <Data Name="SubjectUserSid">S-1-5-21-350318053-1507942464-6498272-9267</Data>
     <Data Name="SubjectUserName">host/temp17-L.domain1.com</Data>
     <Data Name="SubjectDomainName">USER</Data>
     <Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
     <Data Name="SubjectMachineSID">S-1-0-0</Data>
     <Data Name="SubjectMachineName">-</Data>
     <Data Name="FullyQualifiedSubjectMachineName">-</Data>
     <Data Name="MachineInventory">-</Data>
     <Data Name="CalledStationID">00-19-77-31-07-51:CORP-WIFI</Data>
     <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
     <Data Name="NASIPv4Address"></Data>
     <Data Name="NASIPv6Address">-</Data>
     <Data Name="NASIdentifier">AP05</Data>
     <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
     <Data Name="NASPort">0</Data>
     <Data Name="ClientName">AP05</Data>
     <Data Name="ClientIPAddress"></Data>
     <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
     <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
     <Data Name="AuthenticationProvider">Windows</Data>
     <Data Name="AuthenticationServer">CERTSERV.domain1.com</Data>
     <Data Name="AuthenticationType">PEAP</Data>
     <Data Name="EAPType">-</Data>
     <Data Name="AccountSessionIdentifier">-</Data>
     <Data Name="ReasonCode">23</Data>
     <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
     <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
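The event above is the one to hunt for when triaging this class of failure on the NPS server: Event ID 6273 (NPS denied access) with ReasonCode 23 means the EAP layer failed before any credential was checked, which is distinct from a wrong password or a policy mismatch. The following PowerShell is an added example, not code from the original post. It parses the event XML by the Data names shown above, summarises recent failures per account and access point, and includes a constructed sample event (wrapped in the System and EventData elements that the pasted XML omits) so the parser can be exercised offline. It assumes it runs on the NPS server with rights to read the Security log and uses PowerShell 2.0-compatible syntax for Windows Server 2008 R2.

```powershell
# Added example, not from the original post. Finds NPS "denied access" events
# (ID 6273) whose ReasonCode is 23 (EAP error) and summarises them.

function ConvertFrom-NpsEventXml {
    # Turn one 6273 event's XML into a flat object using the Data Name attributes
    param([Parameter(Mandatory=$true)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.InnerText }
    New-Object PSObject -Property @{
        Time       = $x.Event.System.TimeCreated.SystemTime
        Account    = $d['SubjectUserName']
        Nas        = $d['NASIdentifier']
        ClientMac  = $d['CallingStationID']
        AuthType   = $d['AuthenticationType']
        EapType    = $d['EAPType']
        ReasonCode = [int]$d['ReasonCode']
        Reason     = $d['Reason']
    }
}

function Get-NpsEapFailure {
    # Live query: 6273 events in the last $Hours hours whose reason is the EAP error (23)
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NpsEventXml $_.ToXml() } |
        Where-Object { $_.ReasonCode -eq 23 }
}

# Constructed sample built from the values in the post above (System/EventData wrappers added)
$SampleEventXml = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">host/temp17-L.domain1.com</Data>
    <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
    <Data Name="NASIdentifier">AP05</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">23</Data>
    <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
  </EventData>
</Event>
"@

# Offline check of the parser against the constructed sample
ConvertFrom-NpsEventXml $SampleEventXml | Format-List Time, Account, Nas, ClientMac, AuthType, ReasonCode

# On the NPS server: which machines and access points are hitting the EAP error
Get-NpsEapFailure -Hours 24 |
    Group-Object Account, Nas |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A cluster of ReasonCode 23 failures across many accounts and every access point, starting at the moment the old CA was removed, points at the server side (the NPS certificate) rather than at individual clients; a single account failing with other reason codes would point the other way.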
1 Solution
AtibaAuthor Commented:
I was able to figure it out. It was something to do with the computer certificate not being installed on the server. Go to Start, Run, type mmc, and go to File, Add or Remove Snap-ins. Add Certificates under Available Snap-ins and hit OK, choose Computer account, hit Next, then Finish and OK. Click on the + sign on Certificates (Local Computer) --> Personal --> Certificates. Right-click and choose All Tasks, Request New Certificate; click Next, choose Active Directory Enrollment Policy and click Next, check the Computer box and click the Enroll button.
A computer certificate is created. And when the laptops are connected via a LAN connection it then pushes down the certs, and thereafter they can begin to authenticate to the corporate network.
Question has a verified solution.
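The accepted answer does the certificate enrollment through the MMC. The script below is an added example, not code from the answer or from Microsoft, that performs the same check and request from PowerShell so it can be repeated after every CA migration: it looks in the Local Computer Personal store for a certificate that PEAP can actually use (private key present, in its validity period, Server Authentication EKU, chain building to a trusted root) and, if none exists, requests one from the enterprise CA with certreq. Assumptions: it runs elevated on the NPS server; the CA publishes the default Computer template, whose internal template name is "Machine"; the server's computer account has Enroll permission on it; and `certreq -enroll -machine` is available, which it is on Windows Server 2008 R2 and later.

```powershell
# Added example, not from the original answer. Verifies the NPS server has a
# PEAP-capable computer certificate and enrolls one via the enterprise CA if not.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: PEAP requires this EKU on the server cert

function Test-HasEku {
    # True when the certificate's Enhanced Key Usage extension lists the given OID
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $Oid) { return $true } }
        }
    }
    return $false
}

function Get-PeapServerCertificate {
    # Candidates in the Local Computer Personal store that satisfy PEAP's requirements.
    # Verify() builds the chain to a trusted root and runs revocation checking, so a
    # certificate from the decommissioned CA whose root was purged from AD fails here.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -lt $now -and
        $_.NotAfter  -gt $now -and
        (Test-HasEku $_ $ServerAuthEku) -and
        $_.Verify()
    }
}

function Request-PeapServerCertificate {
    # Assumption: the Computer template (internal name "Machine") is published on the CA.
    # certreq -enroll -machine performs autoenrollment-style enrollment for the computer
    # account; -q suppresses the UI.
    & certreq.exe -enroll -machine -q Machine
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
}

# Main flow: check, enroll if needed, re-check, and report what PEAP will see
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "$($ip.HostName).$($ip.DomainName)"

$certs = @(Get-PeapServerCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No usable PEAP server certificate in Cert:\LocalMachine\My; requesting one from the enterprise CA."
    Request-PeapServerCertificate
    $certs = @(Get-PeapServerCertificate)
    if ($certs.Count -eq 0) { throw "Enrollment did not produce a usable certificate; check CA template permissions." }
}

$certs | ForEach-Object {
    # Clients configured to validate the server name compare it with the subject CN,
    # so flag a certificate whose subject does not carry this server's FQDN.
    New-Object PSObject -Property @{
        Subject      = $_.Subject
        Issuer       = $_.Issuer
        NotAfter     = $_.NotAfter
        Thumbprint   = $_.Thumbprint
        SubjectIsFqdn = ($_.Subject -like "CN=$fqdn*")
    }
} | Format-List
```

Once a certificate is present, confirm NPS is actually bound to it: in the network policy's authentication methods, open the PEAP settings and check the "Certificate issued to" entry names the new server certificate rather than one from the old CA. The client side of the answer still applies: laptops must receive the new root CA through AD before they can validate the server, which is why connecting them over the LAN first is required.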
