Use CHAP with NPS and a Domain Controller in Core

Tags: active-directory, authentication, networking, nps, radius

I've noticed a difference in the authentication behavior of Active Directory, where the Core version fails to authenticate properly when using CHAP from the NPS server.

I have reproduced the problem on a dedicated network as follows:

  • 1 domain controller (AD+DNS) on Windows Server 2016 Core
  • 1 domain controller (AD+DNS) on Windows Server 2016 GUI (same domain)
  • 1 NPS server on Windows Server 2016 acting as a RADIUS server (member of the domain)
  • 1 workstation to simulate a RADIUS auth (with radlogin)

I use CHAP on my network to do 802.11x MAB (MAC Address Bypass). This is used to authenticate some devices that cannot support a better auth protocol like EAP-TLS.

For CHAP to work properly, the password MUST be known by Active Directory. The user accounts matching those devices have the flag set to store the password using reversible encryption.

The NPS has a very basic configuration:

  • a RADIUS client with a shared secret, to receive requests from my switch (here radlogin)
  • a network policy to check against a user group, with auth in CHAP

I have enabled auditing for NPS logons. You can find the setting in the local group policy: Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies – Local > Logon/Logoff > Audit Network Policy Server.

When the NPS authenticates the user against the Core domain controller, I get event ID 6273 in the Security log (in Event Viewer):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:           77b6e93eb3f0
    Account Domain:         LAB-RADIUS
    Fully Qualified Account Name:   LAB-RADIUS\77b6e93eb3f0

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:      00-0c-29-f4-f2-62
    Calling Station Identifier:     77-b6-e9-3e-b3-f0

NAS:
    NAS IPv4 Address:       192.168.12.25
    NAS IPv6 Address:       -
    NAS Identifier:         RADIUS_TEST_CLIENT
    NAS Port-Type:          Ethernet
    NAS Port:           10

RADIUS Client:
    Client Friendly Name:       radius-client
    Client IP Address:          192.168.12.25

Authentication Details:
    Connection Request Policy Name: wired
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:      radius.lab-radius.lab
    Authentication Type:        MD5-CHAP
    EAP Type:           -
    Account Session Identifier:     -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            16
    Reason:             Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

When I do the same against the GUI domain controller, I get a success (event ID 6772). I momentarily cut the communication between the RADIUS server and one DC to force the RADIUS server to use the other DC for authentication.

The two domain controllers have been deployed exactly the same way, are in the same OU and have the same GPOs applied.

Wireshark revealed to me that the authentication between the NPS and the domain controller is done through DCERPC with the NetrLogonSamlogonEx remote call. When it fails, I get STATUS_PROCEDURE_NOT_FOUND (0xc000007a). When it succeeds, I get a VALIDATION_SAM_INFO2 result.

What's missing on Active Directory when installed on a Windows Server Core that is present when using the graphical Windows variant?

Note: I KNOW very well that CHAP is terrible. The question is why this problem occurs and how to fix it on the Core domain controller, not what would be better. CHAP is the only protocol supported by my NAS (it does not even support PAP).
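A small triage helper for the event 6273 text shown above, added here as an example and not part of the original post or of NPS itself: it parses the section/key layout of the event into dicts and lists what to verify when an MD5-CHAP denial with reason code 16 appears. The sample event text is a constructed excerpt of the event quoted in the question.

```python
# Constructed sample: the NPS event 6273 text quoted in the question, cut down to
# the sections this example reads (the layout is the same as in the full event).
SAMPLE_6273 = """\
Network Policy Server denied access to a user.

User:
    Security ID:            NULL SID
    Account Name:           77b6e93eb3f0
    Account Domain:         LAB-RADIUS

NAS:
    NAS Identifier:         RADIUS_TEST_CLIENT

Authentication Details:
    Authentication Type:        MD5-CHAP
    Reason Code:            16
    Reason:             Authentication failed due to a user credentials mismatch.
"""


def parse_nps_event(text):
    """Turn the 'Section:' / indented 'Key: Value' layout of NPS events into nested dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]  # section header such as "Authentication Details:"
            sections[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            sections[current][key.strip()] = value.strip()
    return sections


def triage_chap_failure(event):
    """Classify a denied-access event and list what to verify next; returns a summary dict."""
    details, user = event.get("Authentication Details", {}), event.get("User", {})
    auth_type, reason = details.get("Authentication Type"), details.get("Reason Code")
    findings = []
    if auth_type == "MD5-CHAP" and reason == "16":
        findings.append("MD5-CHAP mismatch: confirm the account stores its password with "
                        "reversible encryption and that the password was set after the flag")
        findings.append("if the same request succeeds against another DC, compare the DCs "
                        "(the question reports NetrLogonSamlogonEx failing on a Core DC)")
    if user.get("Security ID") == "NULL SID":
        findings.append("NULL SID: the account was not validated; check that the Account Name "
                        "exists in the Account Domain and is in the policy's group")
    return {"account": user.get("Account Name"), "nas": event.get("NAS", {}).get("NAS Identifier"),
            "auth_type": auth_type, "reason_code": reason, "findings": findings}
```

Feed it the Message property of a real 6273 event (for instance from Get-WinEvent on the NPS host) to run the same checks on live data.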

Best Answer

A Microsoft representative gave me their answer.

Doing CHAP authentication with NPS and a Core DC is not supported by Microsoft. This is by design, even though it's not indicated anywhere in their documentation.
