User <username> was denied access.
Fully-Qualified-User-Name = <domain>/<OU or container>/<username>
NAS-IP-Address = <ip address>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <ip address>
Client-Friendly-Name = <IAS Client name>
Client-IP-Address = <ip address>
NAS-Port-Type = Virtual
NAS-Port = 131
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = <reason>
- Reason: "The specified domain does not exist" - See ME946813.
- Reason: "The message received was unexpected or badly formatted" - See ME933430.
- Reason: "The supplied message is incomplete. The signature was not verified" - The issue may occur if IAS is installed on the Windows Server 2003-based computer and the Trusted Root CA certificate is not installed on the client computer. See ME838502 to resolve this problem.
See the links to "Securing Wireless LANs with PEAP and Passwords", "Troubleshooting Windows XP IEEE 802.11 Wireless Access", and "Sophos Support Article ID: 27239" for additional information related to this problem.
- Reason: "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider" - This error may occur when your IAS Server authentication certificate expired, and you renewed it. If you use an authentication method like EAP-TLS, then go into your Access Policy and edit the Profile to configure the policy to use the newly issued certificate. It may happen that the server chooses the wrong certificate for authentication. See also ME824069 for a hotfix that fixes the problem with the IAS server picking the wrong certificate.
My IAS server was giving me this event. Interestingly enough, this problem was due to an old Certificate Authority left in my AD. The fix was quite simple: I ran "certutil -dcinfo deleteBad" and it removed the bad certificate.
- Reason: "The user attempted to use an unauthorized authentication method." - Verify if the IAS server is authorized to access the Active Directory to verify the "Remote Access" permissions for users. Use the "Action", "Register Server in Active Directory". Once this is enabled, make sure that the specified authentication type is checked in the Remote Access Policies (the name of the policy is listed in the "Policy-Name" section of the event description).
A common occurrence of this event is when IAS is used to authenticate clients for VPN gateways (i.e. Cisco Pix).
- Reason: "LAN Manager authentication is not enabled" - If the IAS server is Win2003, LAN Manager authentication is disabled by default. See "Understanding IAS: Authentication Methods" to enable LAN Manager authentication.
In the line "Policy-Name =" in the error description, the name of the remote access policy that denied access is displayed. Double-click this policy and click edit profile. In the Authentication tab, check and ensure that the correct authentication protocol is selected. In the above event, it is required to enable PAP. As a security measure, do not enable authentication protocols you don't use (but forget the whole thing about security when you use PAP).
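As an added example (not part of the original page or of EventID.net), a small Python parser for the event description shown above: it extracts the Policy-Name, Reason and Authentication-Type fields the comments refer to, counts denials per policy and reason, and lists denied attempts that used PAP. The sample events, user names, client names and the "Wireless access" policy are constructed.

```python
import re
from collections import Counter

# Constructed sample events in the layout shown on this page; all values are made up.
SAMPLE_EVENTS = [
    """User jdoe was denied access.
Client-Friendly-Name = vpn-gw-1
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method.""",
    """User asmith was denied access.
Client-Friendly-Name = wlan-ap-3
Policy-Name = Wireless access
Authentication-Type = PEAP
Reason = The specified domain does not exist""",
]

USER_RE = re.compile(r"^User (.+) was denied access\.$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*=\s*(.*)$")
PLACEHOLDERS = {"<not present>", "<undetermined>"}  # template markers for empty fields
WEAK_AUTH = {"PAP"}  # flagged per the page's caution about PAP; extend to local policy

def parse_event(text):
    """Return the event's fields as a dict, skipping fields the server left empty."""
    event = {}
    for line in (raw.strip() for raw in text.splitlines()):
        user = USER_RE.match(line)
        field = FIELD_RE.match(line)
        if user:
            event["User"] = user.group(1)
        elif field and field.group(2) not in PLACEHOLDERS:
            event[field.group(1)] = field.group(2)
    return event

def triage(events):
    """Count denials per (Policy-Name, Reason) and list users whose attempt used weak auth."""
    denials, weak = Counter(), []
    for event in map(parse_event, events):
        if "User" not in event:
            continue  # not a "denied access" event
        denials[(event.get("Policy-Name", "?"), event.get("Reason", "?"))] += 1
        if event.get("Authentication-Type") in WEAK_AUTH:
            weak.append((event["User"], event.get("Client-Friendly-Name", "?")))
    return denials, weak

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Grouping by policy name points directly at the remote access policy whose profile needs review, and the PAP list shows which clients are still sending that protocol.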
|Links: Understanding IAS: Authentication Methods, Securing Wireless LANs with PEAP and Passwords, Troubleshooting Windows XP IEEE 802.11 Wireless Access, Sophos Support Article ID: 27239|