RADIUS Authentication Failing on Windows Server 2008
Hi Peeps, following October's Microsoft updates we can no longer authenticate against our RADIUS (Network Policy & Access Services). Unfortunately logging for this is limited, but the IAS logs show:

172.16.20.181,julian.stone,10/22/2009,10:14:13,IAS,DCTL04HI,4108,172.16.20.181,4116,311,4128,Julian,4154,Use Windows authentication for all users,4155,1,4129,BLUESQ\julian.stone,4130,BLUESQ\julian.stone,4127,8,25,311 1 ::1 10/22/2009 08:25:49 5,4136,1,4142,0
172.16.20.181,julian.stone,10/22/2009,10:14:13,IAS,DCTL04HI,25,311 1 ::1 10/22/2009 08:25:49 5,4127,8,4108,172.16.20.181,4116,311,4128,Julian,4154,Use Windows authentication for all users,4155,1,4129,BLUESQ\julian.stone,4130,BLUESQ\julian.stone,4136,3,4142,21

The service is running on one of our domain controllers, with no problems, which is an HP DL360 G5 8GB 72GB disks.... The one update that appears as though it could cause the problem is: Microsoft Security Advisory: Extended protection for authentication - KB973811, which has very limited documentation !! Has anyone else seen this problem & is the only way to resolve the issue to uninstall the update ??
October 22nd, 2009 12:58pm
Hello,
Thank you for your post here.
From the description, clients can no longer authenticate against the NPS server (reason-code 21) after you install the KB973811.
KB973811 introduces the availability of a new feature, Extended Protection for Authentication, on the Windows platform. It enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).
To enable this feature, I would like to know whether you have modified the registry described in KB 968389.
Extended Protection for Authentication
http://support.microsoft.com/kb/968389
If the issue persists after you set the above registry values, you may check how RADIUS authentication works to narrow down the issue to this security update.
October 23rd, 2009 2:15pm
Hi,
I'd like to check how things are going. Did you have the chance to try the troubleshooting steps? If you have any other questions, please do not hesitate to let me know.
I look forward to your further updates.
November 9th, 2009 10:10am
Hi Miles, sorry but I got sidetracked with other issues & I've just come back to the problem..... The article is confusing as to the exact settings that need to be applied, especially as re-boots are required to enable\disable settings! Anyway, playing with the settings resulted in no change, i.e. unable to authenticate using RADIUS.

To try & investigate further, I've built a new forest\domain on a Win 2008 R2 server, but unfortunately straight out of the box, with appropriate NPA services & policies, I'm still unable to connect, with the following logged:

<Event>
  <Timestamp data_type="4">11/12/2009 13:13:04.880</Timestamp>
  <Computer-Name data_type="1">DCTL01MH</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <User-Name data_type="1">RI\julian.stone</User-Name>
  <Client-IP-Address data_type="3">172.16.20.181</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">itboadm02hi</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">RI\julian.stone</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">RI\julian.stone</Fully-Qualifed-User-Name>
  <Class data_type="1">311 1 172.16.21.138 11/12/2009 12:10:50 15</Class>
  <Authentication-Type data_type="0">1</Authentication-Type>
  <Packet-Type data_type="0">1</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
  <Timestamp data_type="4">11/12/2009 13:13:04.880</Timestamp>
  <Computer-Name data_type="1">DCTL01MH</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 172.16.21.138 11/12/2009 12:10:50 15</Class>
  <Authentication-Type data_type="0">1</Authentication-Type>
  <Client-IP-Address data_type="3">172.16.20.181</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">itboadm02hi</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">RI\julian.stone</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">RI\julian.stone</Fully-Qualifed-User-Name>
  <Packet-Type data_type="0">3</Packet-Type>
  <Reason-Code data_type="0">16</Reason-Code>
</Event>

The Security event log states that this is a username\password error, but I can log into the server ok. So back to a downgrade to Win 2K8....
November 12th, 2009 4:19pm
Download and use IASParse.exe to interpret the log. You get a more readable format, and it translates some of the codes.

NAS-IP-Address : 172.16.20.181
User-Name : julian.stone
Record-Date : 10/22/2009
Record-Time : 10:14:13
Service-Name : IAS
Computer-Name : DCTL04HI
Class : 311 1 ::1 10/22/2009 08:25:49 5
Authentication-Type : Extension
Client-IP-Address : 172.16.20.181
Client-Vendor : Microsoft
Client-Friendly-Name: Julian
Proxy-Policy-Name : Use Windows authentication for all users
Provider-Type : Windows
SAM-Account-Name : BLUESQ\julian.stone
Fully-Qualifed-User-Name: BLUESQ\julian.stone
Packet-Type : Access-Reject
Reason-Code : 21

Reason code 21 means that an IAS extension dynamic link library (DLL) that is installed on the NPS or IAS server rejected the connection request. This means that you have an IAS authentication extension DLL installed. You will have to examine the documentation for your extension DLL to understand why the DLL rejected the auth request.
November 13th, 2009 6:38am
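As an added example (not from this thread and not IASParse itself), here is a small Python reader for the IAS-format records posted above. It maps the attribute IDs to the field names IASParse printed and decodes the packet-type and reason-code values discussed in the thread, so a reject can be pulled out of a log with the client name and reason beside it. The attribute IDs, the packet types 1/3, reason codes 0/16/21, vendor 311 and authentication type 8 come from the posts; the remaining table entries are assumptions from standard RADIUS/NPS values and are marked as such in the code. The sample input is the two lines from the first post.

```python
"""Reader for NPS/IAS "IAS format" log records, as posted in this thread.

Added example: this is not IASParse and not code from the thread. Field names
for the attribute IDs are taken from the IASParse output posted above; the
table entries marked "assumed" are standard RADIUS / NPS values from memory,
not from the page.
"""
import csv

# Every IAS-format record starts with six fixed columns ...
FIXED_COLUMNS = (
    "NAS-IP-Address", "User-Name", "Record-Date",
    "Record-Time", "Service-Name", "Computer-Name",
)

# ... followed by attribute-ID,value pairs. IDs as shown by IASParse above.
ATTRIBUTE_NAMES = {
    "25": "Class",
    "4108": "Client-IP-Address",
    "4116": "Client-Vendor",
    "4127": "Authentication-Type",
    "4128": "Client-Friendly-Name",
    "4129": "SAM-Account-Name",
    "4130": "Fully-Qualifed-User-Name",   # NPS's own spelling of the field
    "4136": "Packet-Type",
    "4142": "Reason-Code",
    "4154": "Proxy-Policy-Name",
    "4155": "Provider-Type",
}

# Code tables. 1/3, 0/16/21, 311 and 8 are the values seen in the thread;
# entries marked "assumed" come from RFC 2865/2866 and the NPS docs.
PACKET_TYPES = {
    "1": "Access-Request",
    "2": "Access-Accept",        # assumed
    "3": "Access-Reject",
    "4": "Accounting-Request",   # assumed
}
REASON_CODES = {
    "0": "Success",
    "16": "Authentication failure: user name or password mismatch",
    "21": "Rejected by an IAS extension DLL installed on the NPS/IAS server",
}
CLIENT_VENDORS = {"0": "RADIUS Standard", "311": "Microsoft"}
PROVIDER_TYPES = {"1": "Windows"}
AUTHENTICATION_TYPES = {"1": "PAP", "8": "Extension"}   # 1 assumed

CODE_TABLES = {
    "Packet-Type": PACKET_TYPES,
    "Reason-Code": REASON_CODES,
    "Client-Vendor": CLIENT_VENDORS,
    "Provider-Type": PROVIDER_TYPES,
    "Authentication-Type": AUTHENTICATION_TYPES,
}

# The two records from the first post in this thread, one per line.
SAMPLE_LOG = r"""
172.16.20.181,julian.stone,10/22/2009,10:14:13,IAS,DCTL04HI,4108,172.16.20.181,4116,311,4128,Julian,4154,Use Windows authentication for all users,4155,1,4129,BLUESQ\julian.stone,4130,BLUESQ\julian.stone,4127,8,25,311 1 ::1 10/22/2009 08:25:49 5,4136,1,4142,0
172.16.20.181,julian.stone,10/22/2009,10:14:13,IAS,DCTL04HI,25,311 1 ::1 10/22/2009 08:25:49 5,4127,8,4108,172.16.20.181,4116,311,4128,Julian,4154,Use Windows authentication for all users,4155,1,4129,BLUESQ\julian.stone,4130,BLUESQ\julian.stone,4136,3,4142,21
"""


def parse_record(line):
    """Split one IAS-format line into a {field-name: raw value} dict."""
    fields = next(csv.reader([line]))   # csv copes with quoted values holding commas
    if len(fields) < len(FIXED_COLUMNS):
        raise ValueError("record shorter than the six fixed columns: %r" % line)
    record = dict(zip(FIXED_COLUMNS, fields))
    pairs = fields[len(FIXED_COLUMNS):]
    if len(pairs) % 2:
        raise ValueError("attribute list is not id,value pairs: %r" % line)
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        record[ATTRIBUTE_NAMES.get(attr_id, "Attribute-" + attr_id)] = value
    return record


def parse_log(text):
    """Parse every non-blank line of an IAS-format log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def explain(record):
    """Copy of record with numeric codes replaced by their names where known."""
    out = dict(record)
    for field, table in CODE_TABLES.items():
        if field in out:
            out[field] = table.get(out[field], "Unknown (%s)" % out[field])
    return out


def rejects(records):
    """(account, RADIUS client, reason) for every Access-Reject in the log."""
    found = []
    for rec in map(explain, records):
        if rec.get("Packet-Type") == "Access-Reject":
            found.append((rec.get("SAM-Account-Name", rec["User-Name"]),
                          rec.get("Client-Friendly-Name", rec["NAS-IP-Address"]),
                          rec.get("Reason-Code", "Unknown")))
    return found


if __name__ == "__main__":
    for account, client, reason in rejects(parse_log(SAMPLE_LOG)):
        print("REJECT  user=%s  client=%s  reason=%s" % (account, client, reason))
```

Run against the two lines above it reports one Access-Reject for BLUESQ\julian.stone from client "Julian" with the extension-DLL reason, which is the same conclusion IASParse reached. The point of decoding column 4142 rather than eyeballing it is that reason 21 (extension DLL) and reason 16 (credentials mismatch) call for completely different investigations, and the raw log makes them look alike. Note the IAS format relies on positional id,value pairs after the six fixed columns, so the parser refuses a record whose attribute list has an odd length rather than silently misaligning every field after the break.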
Will IASParse work on Windows 2008 R2 ??? FYI, I'm now able to validate against the new Win 2K8 server I built above by simply adding the registry key "SuppressExtendedProtection" with a value of '0' (LmCompatibilityLevel '3' was already in place). I'm also able to authenticate against another existing 'production' Win 2K8 R2 server with the settings above, but no matter what I attempt, I'm unable to authenticate against a fully patched Win 2K8 server :( I'm in a lucky position in that I can do a rolling upgrade of each of the domain controllers to bring them up to R2, but I wish I didn't have to....
November 13th, 2009 7:30pm
I would assume IASParse works on Win 2008, given I used it to create the results above.
November 16th, 2009 12:56am