NPS/RADIUS authentication across one-way trust

Tags: nps, radius, windows-server-2012-r2

I'm trying to set up Windows Network Policy Server to allow RADIUS authentication in a multiple forest scenario with one-way trusts. We have several domains (each in a single domain-forest) containing user accounts, and one domain "OPS" with servers and services. OPS trusts the other domains, but they do not trust OPS.

I have configured NPS with a policy which grants access when the user is in a specific group in the OPS domain. This works fine for domain local users, such as OPS\carlpett, but when I try to use an account from another domain such as EXTAD\john.doe, I get an error logged with event id 4402 and description

There is no domain controller available for domain EXTAD.

An info event 6274 is also logged with details of the rejected request, where the reason is set to

The NPS server is unavailable because of low hardware resources or because it failed to receive the name of a domain controller, which can be due to a security accounts manager (SAM) database failure on the local computer or an NT directory service (NTDS) failure.

However, I can contact several domain controllers from EXTAD. I've tried both Test-NetConnection -Port 389 dc01.extad.domain.com and Microsoft's PortQry tool which does a lot of connection tests.

When using a domain local account, this is logged:

A LDAP connection with domain controller ad01.ops.domain.net for domain OPS is established.

This seems to indicate that only LDAP is needed? Checking open TCP connections while attempting to use an external account, I can see an established connection on port 389 to a domain controller in their domain.

Any ideas what to try? I've seen some recommendations to add the NPS server to the "RAS and IAS Servers" group, but that would seem to require a two-way trust.

Best Answer

Yes, from Technet:

NPS supports authentication across forests without a RADIUS proxy when the two forests contain only domains that consist of domain controllers running Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. The forest functional level must be Windows Server 2008 or Windows Server 2003, and there must be a two-way trust relationship between forests. If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2008 and Windows Server 2003 domains.

I got the above to work with a Selective Authentication trust. Create a global group that will hold your NPS servers, and make sure that group has the "Allowed to authenticate" right set on the computer accounts on the domain controllers in the user domain(s).

This is the most restrictive setting required for NPS to authenticate users in a trusted forest, otherwise you will need a RADIUS Proxy and NPS servers set up in the user domain(s).
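The two steps the accepted answer describes, written out as PowerShell. This is an added example, not code from the question or the answer. It assumes the user forest is extad.domain.com (NetBIOS name EXTAD), the resource forest is ops.domain.net (NetBIOS name OPS), the NPS computer accounts are OPS\NPS01 and OPS\NPS02, the group is called "NPS Servers", and that an incoming trust from OPS into EXTAD has already been created; the steps are run in different domains, as the comments mark, on a machine joined to that domain with the ActiveDirectory module installed.

```powershell
# Added example, not part of the original post. Assumed names below.
Import-Module ActiveDirectory

$userDomain     = 'extad.domain.com'   # assumed: forest holding the user accounts
$resourceDomain = 'ops.domain.net'     # assumed: forest holding NPS and the OPS groups
$resourceNetbios = 'OPS'               # NetBIOS name used in the question (OPS\carlpett)
$groupName      = 'NPS Servers'        # assumed name of the global group
$npsServers     = @('NPS01', 'NPS02')  # assumed NPS computer account names in OPS

# --- Run in EXTAD ---------------------------------------------------------
# Once EXTAD trusts OPS (so OPS computers can authenticate to EXTAD DCs),
# switch that trust to selective authentication. OPS principals then get no
# implicit access to anything in EXTAD beyond what "Allowed to authenticate"
# explicitly grants on individual computer objects.
& netdom trust $userDomain /domain:$resourceDomain /SelectiveAuth:Yes

# --- Run in OPS -----------------------------------------------------------
# A global security group holding the NPS computer accounts. Global scope
# matters: a domain local group from OPS cannot be referenced in an ACL in
# the EXTAD forest.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -Server $resourceDomain)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Server $resourceDomain
}
$members = $npsServers | ForEach-Object { Get-ADComputer -Identity $_ -Server $resourceDomain }
Add-ADGroupMember -Identity $groupName -Members $members -Server $resourceDomain

# --- Run in EXTAD ---------------------------------------------------------
# Grant OPS\NPS Servers the Allowed-To-Authenticate control access right on
# every domain controller's computer object. The GUID is the rightsGuid of
# the Allowed-To-Authenticate extended right in the AD schema.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$groupSid = (New-Object System.Security.Principal.NTAccount($resourceNetbios, $groupName)).
    Translate([System.Security.Principal.SecurityIdentifier])

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate
)

# The AD: drive maps to the domain of the machine running this, i.e. EXTAD here.
foreach ($dc in Get-ADDomainController -Filter * -Server $userDomain) {
    $path = "AD:\$($dc.ComputerObjectDN)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted Allowed-To-Authenticate on $($dc.HostName) to $resourceNetbios\$groupName"
}

# Verification: show which principals hold Allowed-To-Authenticate on one DC.
$dc0 = (Get-ADDomainController -Filter * -Server $userDomain)[0]
(Get-Acl -Path "AD:\$($dc0.ComputerObjectDN)").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

Because the right is granted on the domain controllers' computer objects only, a compromised NPS server in OPS gains the ability to authenticate to EXTAD's DCs (which is what NPS needs to validate EXTAD users and read their group membership) but nothing else in the EXTAD forest; that is the "most restrictive" shape the answer refers to. Re-run the verification block after adding a new DC in the user domain, since the ACE is per object and a new DC will not inherit it.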