NPS Event 6273 Reason Code 16

We're in the midst of relocating our RADIUS role from a 2003 DC to a 2008 R2 member server.

The following features have been installed and configured:

  • Network Policy Server
  • Routing and Remote Access Services
  • Remote Access Service
  • Routing

All policies have been recreated identically to the previous ones and the server has been registered in AD DS.

When attempting to connect to the RADIUS server I receive the following event:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   test
 Account Domain:   DOMAIN
 Fully Qualified Account Name: DOMAIN\test

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  -
 Calling Station Identifier:  -

NAS:
 NAS IPv4 Address:  x.x.x.x
 NAS IPv6 Address:  -
 NAS Identifier:   
 NAS Port-Type:   -
 NAS Port:   1

RADIUS Client:
 Client Friendly Name:  server.fqdn
 Client IP Address:  x.x.x.x

Authentication Details:
 Connection Request Policy Name: Use Windows authentication for all users
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  server.fqdn
 Authentication Type:  PAP
 EAP Type:   -
 Account Session Identifier: -
 Logging Results:  Accounting information was written to the local log file.
 Reason Code:   16
 Reason:    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

All credentials, shared secrets and authentication methods are correct. I have also checked Dial-Up properties in AD DS. Has anyone else experienced this issue?

Regards,

Ryan.

 

April 8th, 2010 12:42am

If we enable "Accept users without validating credentials" in the connection policy this works but does not match the Network Policy.
April 12th, 2010 12:17am

Does anyone know if the authentication methods or the way RADIUS interacts with clients has changed dramatically from 2003 onwards? Is there any further troubleshooting or debugging that I could try to help try and diagnose the issue?

I tried setting up another RADIUS box on 2003 R2 and experienced the exact same issue again.

April 14th, 2010 1:51am

If it's any help, we have the exact same problem.  Trying to set up L2TP over IPSec from our Astaro firewall with backend authentication to Windows 2008 R2 RADIUS server.  Did you ever get this resolved?
May 13th, 2010 2:19pm

I am having the same problem with a Sonicwall firewall and Win2k8 r2 server.  Event ID 6273, Reason code 16.  Any solutions yet?
May 21st, 2010 3:50pm

I am also having the Event ID 6273, Reason Code 16, "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect." 

My configuration: I have a 3rd party VPN server that authenticates to IAS/NPS.  In IAS/NPS, I am using PEAP Authentication and a network policy condition that the "Windows Groups" has to be MY_DOMAIN\VPN_User.  Users that authenticate as MY_DOMAIN\User authenticate just fine.  In IAS (Windows 2003), I have a connection request policy that removes the domain part of the user name by Finding (.*)\\(.*) and Replacing With $2.  (NPS: "Specify a Realm Name": http://technet.microsoft.com/en-us/library/dd197583(WS.10).aspx).  This works fine with Windows 2003 IAS, but gives the above error when configured identically in Windows 2008 NPS, when users log in with NOT_MY_DOMAIN\User when User exists in my domain and is in the VPN_User domain group.  The Windows logs show that in both IAS and NPS the domain is truncated off of the user name.  Windows 2008 NPS seems to not work like Windows 2003 IAS for my situation.

Is your situation similar, where the domain (Realm) is different from where it is authenticating?  Another thing to point out - I noticed that your User:SecurityID entry isn't DOMAIN\test like I would expect, and your User:FullyQualifiedAccountName status isn't DOMAIN.COM\OU\OU\test (OU being the location in Active Directory where the account is kept).  I don't know why this would be.

May 25th, 2010 5:17pm

Did anyone find a solution to this problem? I'm experiencing the same behavior on my W2k8 r2 server.
May 31st, 2010 11:22am

Hi Ryan,

Please verify Tools for Troubleshooting NAP, http://technet.microsoft.com/en-us/library/dd348461(WS.10).aspx

The article points out:

Event ID 6273: Network Policy Server denied access to a user.

This event occurs when there is a problem with authentication or authorization and is associated with a reason code. For more information, see NPS Reason Codes (http://go.microsoft.com/fwlink/?LinkId=136640).

Alfredo Arizaleta

May 31st, 2010 1:24pm

Do you get a security event 4625 with content about "Security ID: NULL SID" before the event 6273?

If you got this event, it's possibly the SID problem, if both the NPS and DC servers are cloned from the same image without changing the SID.

 

 

 

July 12th, 2010 11:48am

Looking for a solution to the error listed above.  The user name and password are correct.  Not sure what is causing the error?  Details of the error are below:  Event ID 6273

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            S-1-0-0
    Account Name:            domain\user

    Account Domain:            domain
    Fully Qualified Account Name:    domain\user

Client Machine:
    Security ID:            S-1-0-0
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        -
    Calling Station Identifier:        66.112.55.224

NAS:
    NAS IPv4 Address:        10.55.24.2
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Virtual
    NAS Port:            0

RADIUS Client:
    Client Friendly Name:        Cisco VPN
    Client IP Address:            10.55.24.2

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        domain.domain.local
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            16
    Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was inco

October 13th, 2010 10:59pm

Any movement on this? Is it a bug? I am getting the same exact situation and result. I am using RADIUS Auth from a 2003 IAS server to a 2008 R2 NPS server. Thanks!
December 6th, 2010 3:57am

My issue was resolved.  The router had to be configured to pass MSCHAPv2 (instead of PAP).  After that change (and others on the router) it still didn't work.  The Cisco eng. then copied the 'Share Secret' from the running config and pasted it in the RADIUS clients config.  After restarting the services, it worked.  I don't think there is a bug, it's just not as simple as it was in earlier versions of server.
December 7th, 2010 3:31pm

Hi all

 

I had this exact same problem. I knew I was using the correct password for the RADIUS client as I took it from an old config. I also know that the policies were the same as IAS as it was imported from a 2003 DC.

After reading this post I made a new password on the VPN device and then it suddenly worked

March 25th, 2011 3:21pm

I was having this same issue and it turned out to be a bad radius password on the switch.  Once I consoled in to the switch and re-entered the radius-server info using the correct password, it worked.  I would hazard a guess that you need to re-enter your radius information on the device making the connection.

 

radius-server host IP_ADDRESS auth-port 1645 acct-port 1646 key RADIUS_PASSWORD

 

Hope that helps.  thanks!

July 18th, 2011 8:08pm

I also wanted to point out the list of Windows Server Migration Guides and Tools that we've published at http://technet.microsoft.com/en-us/library/dd365353(WS.10).aspx.  The list includes support for NPS, RRAS, and many others. Most of the Guides include troubleshooting
July 18th, 2011 9:31pm

Hi,

I am actually doing the same config as the original poster, using PEAP over MSCHAPv2, but the weird thing is: laptops, Android phones, Windows Mobile phones can log in but the Nokia Symbian phones cannot. Unlike others we are using a CA certificate and not a shared secret.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          24.8.2012 10:46:23
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      nps.fqdn
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: fqdn\username
Account Name: username@xxx
Account Domain: xxx
Fully Qualified Account Name: xxx/yyy/zzz/User Name

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: AB-10-CD-E3-1E-3B
Calling Station Identifier: 12-7A-92-B6-11-D2

NAS:
NAS IPv4 Address: 10.0.0.3
NAS IPv6 Address: -
NAS Identifier: CN23F2D212
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1478

RADIUS Client:
Client Friendly Name: MSM720
Client IP Address: 10.0.0.25

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: nps.fqdn
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 35646133666564302D3030303030373836
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.



  • Edited by Efe Egilmez Friday, August 24, 2012 8:23 AM
August 24th, 2012 7:54am

Thank goodness for this thread!  I moved from IAS to NPS and the connection profiles were migrated and NPS has never worked since.  I was able to open the ias.mdb from the old server in Access and looked at the properties for the shared key (which are in plain text..hmm), and re-entered them into my RADIUS Client properties and it started working instantly

So if you know your authentication and encryption values are correct in both the Connection Request Policies and Network Policies, check the RADIUS Client, specifically the shared secret and reset if needed (on both sides).

August 29th, 2012 8:32pm
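
Added example, not part of any post in this thread: a model of RADIUS PAP (RFC 2865 section 5.2) showing why a wrong shared secret makes the server recover a garbage password and report a credentials mismatch, the Reason Code 16 symptom several posters traced back to the shared secret, and how checking the RFC 2869 Message-Authenticator attribute first lets a server tell the two failures apart. This is a simplified model and not NPS code; the function names, secrets, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

def pap_xor(data, secret, authenticator, hide):
    """RFC 2865 5.2 User-Password transform; hide=False reverses it."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hide else data[i:i + 16]  # always chain on the hidden block
    return out

def build_request(user, password, secret, authenticator, ident=1):
    """Access-Request with User-Name, User-Password and Message-Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden = pap_xor(padded, secret, authenticator, hide=True)
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    attrs += bytes([80, 18]) + bytes(16)  # Message-Authenticator, zeroed for the HMAC
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def server_verdict(pkt, secret, stored_password, check_message_authenticator):
    """Simplified server model; assumes Message-Authenticator is the last attribute."""
    authenticator, attrs, found, i = pkt[4:20], pkt[20:], {}, 0
    while i < len(attrs):
        length = attrs[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        found[attrs[i]] = attrs[i + 2:i + length]
        i += length
    if check_message_authenticator:
        expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
        if not hmac.compare_digest(expected, found[80]):
            return "shared secret mismatch"
    recovered = pap_xor(found[2], secret, authenticator, hide=False).rstrip(b"\x00")
    if hmac.compare_digest(recovered, stored_password):
        return "accept"
    return "credentials mismatch"  # the symptom this thread sees as Reason Code 16

# Constructed sample values (a real Request Authenticator is random per request).
AUTH = bytes(range(16))
CLIENT_SECRET, SERVER_SECRET = b"OldSecret-2003", b"NewSecret-2008"

def demo():
    pkt = build_request(b"test", b"CorrectHorse1!", CLIENT_SECRET, AUTH)
    return (
        server_verdict(pkt, CLIENT_SECRET, b"CorrectHorse1!", False),  # secrets agree
        server_verdict(pkt, SERVER_SECRET, b"CorrectHorse1!", False),  # no integrity check
        server_verdict(pkt, SERVER_SECRET, b"CorrectHorse1!", True),   # HMAC checked first
    )

if __name__ == "__main__":
    print(demo())
```

Without the integrity check the server has no way to know the secret is wrong: it simply unhides a different byte string and compares it with the stored password.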

Hello,

I am getting the same error. But I am trying to set visitor connection.

Basically, NPS with Compliant and Non Compliant is working just fine.

It is the last Network Policy, that I am trying to implement, will switch you to the guest vlan if you do not fulfill with all previous one.

But it is being denied at the Connection Request level.

Any idea how to set visitors, to allow them access to restricted Vlan if they have no authentication at all enabled?

Thank you

January 4th, 2013 5:31pm

Hi,

I have this same problem with reason code 16 and NULL SID for username in the log, but only when Windows 7 is trying to authenticate over wireless using PEAP authentication.

Windows 8, Windows Phone 8, iOS devices can connect without any problems. So there is some bug with WINDOWS 7 ONLY. It is clean install of Windows 7, so SID is not an issue.

I had the same problem on Lexmark printers before firmware updates.

January 10th, 2013 1:10pm

FWIW I had this problem (with Sonicwall RADIUS authentication -- when moving from Server 2003 IAS to 2008R2 NPS.)

Using NTRadPing, I discovered that ANY lower-case characters in the shared secret caused the authentication to fail on Server 2008R2 NPS, with a username/password credentials error, not a shared secret mismatch. This same configuration works fine with IAS on Server 2003.

Using only upper-case characters and digits in the shared secret fixed this on the testing 2008R2 server. The behavior was explicit and repeatable: ANY lower-case character in the shared secret would fail the RADIUS authentication. Because this was using NTRadPing and not the Sonicwall, I have to presume this is an issue within NPS.

I still had an issue with the Sonicwall going to the live NPS server. Changing the port in the Sonicwall from 1812 to 1645 got authentication to work again, and then it continued to work after putting it back on 1812. I've seen this same behavior occasionally with Server 2003 RADIUS and Sonicwall.

Anyway, some things to try if you've reached the hair-pulling stage.

January 22nd, 2013 8:22am

Do you get a security event 4625 with content about "Security ID: NULL SID" before the event 6273?

If you got this event, it's possibly the SID problem, if both the NPS and DC servers are cloned from the same image without changing the SID.

 

 

 

Hi Joshua,

I have got the same issue, but the NPS and DC are on the same server, Windows 2008 R2 Enterprise. In addition, I installed the OS on a VMware virtual machine. Is there any doubt?

April 12th, 2013 2:44am

Did you ever find a resolution for your issue? I am having the same type of issue with some Windows 7 machines; iOS devices connect with no problem. Even stranger is that I have 2 locations which use the same certificate and RADIUS server. When someone is at one location they can connect; if they move to the 2nd location it denies connection.
June 26th, 2013 4:28pm

Has anyone solved the issue?

I have the same problem. iOS devices would connect using username and password while Windows 7 clients don't connect. Haven't tried other OS yet.

I've tried changing shared secret to upper case+numbers only but it didn't work either?

Does anyone have a solution?

July 23rd, 2013 4:08pm

I had the same experience - Windows 8 clients could connect but not Windows 7 clients.

Turned out in my case that the 'validate server certificate' checkbox is honored by Windows 8 but not necessarily by Windows 7. If the subject name of the certificate that the NPS server is using is blank then Windows 7 will throw these errors while Windows 8 connects happily. The fix was to use the RAS and IAS Server template in Certificate Authority per this article.
http://technet.microsoft.com/en-us/library/cc754198.aspx

  • Proposed as answer by _Sparqz Wednesday, April 02, 2014 2:13 AM
December 13th, 2013 7:42am

I had two NPS servers, the primary one functioned correctly, but if I pointed our network switches at the secondary NPS server attempts to authenticate would fail with "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect." - Event ID: 6273 & Reason Code: 16

The only difference between the two servers that I could find was that the primary had two certificates installed and the secondary only had one.  The difference between the two certificates was that one had an empty subject attribute and the other had the fully qualified domain name of the server.

This guide "Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab" helped : http://www.microsoft.com/en-us/download/details.aspx?id=733

April 2nd, 2014 2:19am

Event ID 6273 code id 16, technet article below, Was this key to resolving your issue?

http://technet.microsoft.com/en-us/library/cc735399(v=ws.10).aspx

May 23rd, 2014 1:14pm

Joe's solution fixed mine as well, here is another article explaining why your Domain Computer Certificate may be missing the subject name.

http://setspn.blogspot.com/2010/12/error-selecting-certificate-when.html

June 12th, 2014 6:25pm

I had the same experience - Windows 8 clients could connect but not Windows 7 clients.

Turned out in my case that the 'validate server certificate' checkbox is honored by Windows 8 but not necessarily by Windows 7. If the subject name of the certificate that the NPS server is using is blank then Windows 7 will throw these errors while Windows 8 connects happily. The fix was to use the RAS and IAS Server template in Certificate Authority per this article.
http://technet.microsoft.com/en-us/library/cc754198.aspx

This is the solution! Thank you so much!
June 25th, 2014 5:21pm

This sounds a little crazy, but it's true. I have the same problem with the McAfee/Stonesoft firewall. The change of shared key has helped, but not from lower-case characters to upper-case characters, but from upper-case characters to lower-case characters. I can hardly believe it.
July 10th, 2014 12:49pm

Hi, in the Subject Name tab on the RAS and IAS Server certificate template, activate "Build from this Active Directory information", and for the subject format, select DNS name. Bye.
March 13th, 2015 5:42pm

This topic is archived. No further replies will be accepted.
