Wireless Computer Authentication between Domains
Hi there,

I currently have 2 domains (Domain1 and Domain2) which have a full two-way trust between them. I have one group policy on each domain to configure the wireless settings for clients on their domains. I have 2 ESSIDs (WLAN1 and WLAN2) which these wireless clients connect to depending on how group policy has configured the client settings (Domain1 group policy configures client settings on Domain1 to connect to WLAN1, and vice versa). On each domain I have a RADIUS server (Radius1 and Radius2, running Windows Server 2003 with IAS) with third-party WLAN server certificates installed on each one for PEAP wireless authentication (Domain1 clients look to Radius1 on Domain1 and Domain2 clients look to Radius2 on Domain2). In IAS the remote access policy is set so that users can authenticate with either their 'Domain1\Domain Computer' account OR the 'Domain1\Wireless User' group in AD (Group Policy configures the authentication mode as 'computer only', but for other wireless devices not in AD the user's domain user account is added to a 'Wireless User' group, e.g. PDAs, iPhones). This works fine.

My problem is that, as a failover for wireless authentication, I test using the RADIUS server in the other domain (Radius2 in Domain2) to authenticate the 'Domain1\Domain Computer' account OR the 'Domain1\Wireless User' group, and this ONLY works for the 'Domain1\Wireless User' group. Why is it that I can successfully authenticate a user account from Domain1 through a RADIUS server on Domain2 but not the computer account from Domain1?

I've enabled tracing on the Radius2 server and found this in the IASSAM.log.

This is a successful entry for a computer account on Domain2 trying to authenticate through the Radius2 server:

[5864] 06-15 16:55:35:402: Creating EAP session
[5864] 06-15 16:55:35:402: NT-SAM Names handler received request with user identity host/ID9427.Domain2.
[5864] 06-15 16:55:35:402: Successfully cracked username.
[5864] 06-15 16:55:35:402: SAM-Account-Name is "Domain2\ID9427$".
[5864] 06-15 16:55:35:402: NT-SAM Authentication handler received request for Domain2\ID9427$.
[5864] 06-15 16:55:35:402: Validating Windows account Domain2\ID9427$.
[5864] 06-15 16:55:35:402: Sending LDAP search to Domain2DC
[5864] 06-15 16:55:35:402: Successfully validated windows account.
[5864] 06-15 16:55:35:402: NT-SAM User Authorization handler received request for Domain2\ID9427$.
[5864] 06-15 16:55:35:402: Using native-mode dial-in parameters.
[5864] 06-15 16:55:35:402: Sending LDAP search to Domain2DC.
[5864] 06-15 16:55:35:402: Successfully retrieved per-user attributes.
[5864] 06-15 16:55:35:402: Saving the response

This is a failed entry for a computer account on Domain1 trying to authenticate through the Radius2 server:

[1032] 06-15 17:32:02:714: Creating EAP session
[1032] 06-15 17:32:02:714: NT-SAM Names handler received request with user identity host/ID8628.Domain1.
[1032] 06-15 17:32:02:714: Global Catalog could not crack username; prepending default domain.
[1032] 06-15 17:32:02:714: NameMapper::prependDefaultDomain
[1032] 06-15 17:32:02:714: SAM-Account-Name is "Domain2\host/ID8628.Domain1".
[1032] 06-15 17:32:02:714: NT-SAM Authentication handler received request for Domain2\host/ID8628.Domain1.
[1032] 06-15 17:32:02:714: Validating Windows account Domain2\host/ID8628.Domain1.
[1032] 06-15 17:32:02:714: Sending LDAP search to Domain2DC.
[1032] 06-15 17:32:02:714: Saving the response
June 26th, 2009 7:53am

Is it only possible to authenticate user accounts between domains and not computer accounts?
July 7th, 2009 2:27am

Hi Andrew,

I know it may be too late, but I'd like to propose a workaround for your problem. We had the same problem authenticating a computer by its Active Directory account in a domain using an NPS server. 802.1X authentication failed with the message 'Global Catalog could not crack username; prepending default domain' in the IASSAM.log. In our environment we have a single domain. Most of the computers are authenticated successfully; however, some of them failed to authenticate. If 802.1X (PEAP) authentication is disabled, the 'bad' computers can successfully communicate with a domain controller. After comparing the computer accounts in Active Directory for a 'healthy' and a 'bad' computer we found some differences in the servicePrincipalName attribute. A bad one has only one entry, for the plain computer name, in that attribute, so the NPS server couldn't find it with the fully qualified domain name value returned by the NAP client. Here is what we have done.

1. Copy the client FQDN of the 'bad' computer from IASSAM.log, for example HOST/user-pc.local.com.
2. Using adsiedit.msc, open the properties of the 'bad' computer.
3. Add the FQDN name copied in step 1 to the 'servicePrincipalName' attribute. In our case that value equalled 'HOST/user-pc'. After modification it should be 'HOST/user-pc.local.com; HOST/user-pc'.
4. Apply the modification.

Of course this is only a proposed workaround unless it is approved by Microsoft, and you should perform any changes only at your own risk.

Kind regards,
Dmitry.
March 30th, 2010 10:34am

It is recommended to add the SPN with the setspn utility. The syntax is "setspn -A HOST/user-pc.local.com user-pc".
April 1st, 2010 12:32am
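Added example, not part of the thread: a small Python triage script that applies the two pieces of this discussion together. It groups IASSAM.log lines into EAP sessions by their [NNNN] thread tag, flags the sessions where the Global Catalog could not crack the host/<fqdn> identity (the signature in the question), derives the HOST/<fqdn> SPN and the <name>$ computer account from that identity, checks whether the SPN is present (the difference Dmitry found), and prints the setspn -A line from the last reply when it is missing. The sample log is constructed from the lines quoted in the question; SAMPLE_SPNS and sample_spn_lookup are a constructed stand-in for reading servicePrincipalName from AD, which in real use is an LDAP query against the domain that owns the account. It models the single-domain case Dmitry describes; the thread does not show whether adding the SPN also fixes the cross-domain failover the question asks about.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the two sessions quoted in the question (not a real capture).
SAMPLE_LOG = """\
[5864] 06-15 16:55:35:402: Creating EAP session
[5864] 06-15 16:55:35:402: NT-SAM Names handler received request with user identity host/ID9427.Domain2.
[5864] 06-15 16:55:35:402: Successfully cracked username.
[5864] 06-15 16:55:35:402: SAM-Account-Name is "Domain2\\ID9427$".
[5864] 06-15 16:55:35:402: Successfully validated windows account.
[1032] 06-15 17:32:02:714: Creating EAP session
[1032] 06-15 17:32:02:714: NT-SAM Names handler received request with user identity host/ID8628.Domain1.
[1032] 06-15 17:32:02:714: Global Catalog could not crack username; prepending default domain.
[1032] 06-15 17:32:02:714: SAM-Account-Name is "Domain2\\host/ID8628.Domain1".
"""

LINE_RE = re.compile(r"^\[(\d+)\] \d\d-\d\d \d\d:\d\d:\d\d:\d\d\d: (.*)$")
IDENTITY_PREFIX = "NT-SAM Names handler received request with user identity "
CRACK_FAIL = "Global Catalog could not crack username"
SAM_RE = re.compile(r'SAM-Account-Name is "([^"]+)"')


@dataclass
class EapSession:
    thread: str                     # [NNNN] tag that ties one session's lines together
    identity: str = ""              # identity the supplicant sent, e.g. host/ID8628.Domain1
    cracked: Optional[bool] = None  # True: GC resolved it; False: default domain was prepended
    sam_account: str = ""           # account IAS actually went on to validate


def parse_sessions(log_text: str) -> List[EapSession]:
    """Group IASSAM.log lines into EAP sessions by thread tag and record the name-cracking result."""
    open_sessions: Dict[str, EapSession] = {}
    sessions: List[EapSession] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.groups()
        if msg == "Creating EAP session":
            open_sessions[thread] = EapSession(thread)
            sessions.append(open_sessions[thread])
            continue
        s = open_sessions.get(thread)
        if s is None:
            continue
        if msg.startswith(IDENTITY_PREFIX):
            s.identity = msg[len(IDENTITY_PREFIX):].rstrip(".")  # trailing '.' is log punctuation
        elif msg == "Successfully cracked username.":
            s.cracked = True
        elif msg.startswith(CRACK_FAIL):
            s.cracked = False
        else:
            sam = SAM_RE.search(msg)
            if sam:
                s.sam_account = sam.group(1)
    return sessions


def expected_spn(identity: str) -> str:
    """A host/<fqdn> EAP identity is looked up through the HOST/<fqdn> SPN on the computer account."""
    service, _, fqdn = identity.partition("/")
    if service.lower() != "host" or not fqdn:
        raise ValueError(f"not a computer identity: {identity!r}")
    return f"HOST/{fqdn}"


def sam_account_name(identity: str) -> str:
    """Computer accounts are <shortname>$ in SAM; the short name is the first DNS label."""
    return expected_spn(identity)[len("HOST/"):].split(".", 1)[0] + "$"


def missing_spn(identity: str, current_spns: List[str]) -> Optional[str]:
    """SPN to add, or None if the account already carries it (SPN comparison is case-insensitive)."""
    want = expected_spn(identity)
    return None if want.lower() in {s.lower() for s in current_spns} else want


def setspn_command(identity: str) -> str:
    """The setspn form recommended in the thread: setspn -A HOST/<fqdn> <shortname>."""
    return f"setspn -A {expected_spn(identity)} {sam_account_name(identity)[:-1]}"


def triage(log_text: str, spn_lookup: Callable[[str], List[str]]) -> List[dict]:
    """One finding per session where the GC could not crack the identity, with the fix if an SPN is missing."""
    findings = []
    for s in parse_sessions(log_text):
        if s.cracked is not False:
            continue
        account = sam_account_name(s.identity)
        needed = missing_spn(s.identity, spn_lookup(account))
        findings.append({
            "thread": s.thread,
            "identity": s.identity,
            "account": account,
            "bound_as": s.sam_account,   # the wrong name IAS fell back to (default domain + raw identity)
            "missing_spn": needed,
            "setspn": setspn_command(s.identity) if needed else None,
        })
    return findings


# Constructed stand-in for each account's servicePrincipalName attribute (an LDAP query in real use).
SAMPLE_SPNS = {
    "ID9427$": ["HOST/ID9427", "HOST/ID9427.Domain2"],
    "ID8628$": ["HOST/ID8628"],   # only the plain name, the pattern Dmitry describes
}


def sample_spn_lookup(account: str) -> List[str]:
    return SAMPLE_SPNS.get(account, [])


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, sample_spn_lookup):
        print(finding)
```

Running it reports one finding, for thread 1032: the identity host/ID8628.Domain1 was bound as Domain2\host/ID8628.Domain1, the account ID8628$ lacks HOST/ID8628.Domain1, and the suggested command is the setspn -A form from the last reply. Sessions that cracked successfully produce no finding, so the script can be left to run over a full trace and only surface the cases worth looking at.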

This topic is archived. No further replies will be accepted.
