NPS realm stripping does not work when the override policy is enabled in Windows Server 2008 and Windows Server 2008 R2

Applies to: Windows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 Enterprise


Consider the following scenario:
  • You have a network that has two domains on a server that is running Windows Server 2008 or Windows Server 2008 R2.
  • The two domains do not have a trust relationship.
  • The two domains have identical user and password database lists.
  • All users and computers are members of the first domain.
  • Network Access Protection (NAP) 802.1X is performed in the second domain.
In this scenario, when a computer connects to the network, the authentication switch sends the radius request to the server that is running Network Policy Server (NPS) in the second domain. This server performs realm stripping. When this occurs, the server changes the user name from First_Domain\User_Name to Second_Domain\User_Name and then authenticates the user on the second domain.

However, if the connection request policy in the server that is running NPS has the Override network policy authentication settings option enabled, the user is authenticated on the first domain as First_Domain\User_Name.

More Information

This behavior is by design. Realm stripping is intended to be for routing purposes only and cannot be used to manipulate user and computer authentications. It cannot be used when you use multilayer protocols such as Protected Extensible Authentication Protocol (PEAP). You cannot present one set of credentials (outer ID) and then change those credentials (inner ID).