NPS realm stripping does not work when the override policy is enabled in Windows Server 2008 and Windows Server 2008 R2

Article ID: 2721886

SUMMARY

Consider the following scenario:
  • You have a network that has two domains on a server that is running Windows Server 2008 or Windows Server 2008 R2.
  • The two domains do not have a trust relationship.
  • The two domains have identical user and password database lists.
  • All users and computers are members of the first domain.
  • Network Access Protection (NAP) 802.1X is performed in the second domain.
In this scenario, when a computer connects to the network, the authentication switch sends the RADIUS request to the server that is running Network Policy Server (NPS) in the second domain. This server performs realm stripping. When this occurs, the server changes the user name from First_Domain\User_Name to Second_Domain\User_Name and then authenticates the user on the second domain.

However, if the connection request policy in the server that is running NPS has the Override network policy authentication settings option enabled, the user is authenticated on the first domain as First_Domain\User_Name.

MORE INFORMATION

This behavior is by design. Realm stripping is intended for routing purposes only and cannot be used to manipulate user and computer authentications. It cannot be used when you use multilayer protocols such as Protected Extensible Authentication Protocol (PEAP). You cannot present one set of credentials (outer ID) and then change those credentials (inner ID).
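The outer ID and inner ID distinction above can be illustrated with a simplified model. This is an added example, not NPS code and not part of the original article: the rule, the function names and the sample identities are constructed, and the model assumes only what the article states, namely that the rewrite applies to the outer identity while the identity inside the PEAP tunnel is left unchanged.

```python
import re

# Constructed find/replace rule modelling realm stripping on the outer User-Name.
RULE = (r"^First_Domain\\(.+)$", r"Second_Domain\\\1")


def strip_realm(user_name, rule=RULE):
    """Apply the find/replace rule to a User-Name value."""
    find, replace = rule
    return re.sub(find, replace, user_name, count=1, flags=re.IGNORECASE)


def domain_of(identity):
    """Return the DOMAIN part of DOMAIN\\user, or '' if there is none."""
    return identity.split("\\", 1)[0] if "\\" in identity else ""


def process_request(outer_id, inner_id=None, rule=RULE):
    """Return (routing_identity, authenticated_identity) for one request.

    inner_id is the identity carried inside the PEAP tunnel. None models a
    single-layer method, where the rewritten name is also the one that is
    authenticated.
    """
    routed = strip_realm(outer_id, rule)
    authenticated = inner_id if inner_id is not None else routed
    return routed, authenticated


def identities_diverge(outer_id, inner_id, rule=RULE):
    """True when routing and authentication would use different domains."""
    routed, authenticated = process_request(outer_id, inner_id, rule)
    return domain_of(routed).lower() != domain_of(authenticated).lower()


if __name__ == "__main__":
    user = "First_Domain\\alice"  # constructed sample identity
    print("single layer:", process_request(user))
    print("PEAP        :", process_request(user, inner_id=user))
    print("diverge     :", identities_diverge(user, user))
```

In the PEAP case the routing identity becomes Second_Domain\alice while the authenticated identity stays First_Domain\alice, which matches the behavior the article describes.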

Properties

Article ID: 2721886 - Last Review: June 8, 2012 - Revision: 1.0
APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Foundation
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
Keywords: 
kbinfo kbserver kbauthentication kbexpertiseadvanced kbsurveynew KB2721886
