Event ID: 2 Source: IAS

Description
User <username> was denied access.
Fully-Qualified-User-Name = <domain>/<OU or container>/<username>
NAS-IP-Address = <ip address>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <ip address>
Client-Friendly-Name = <IAS Client name>
Client-IP-Address = <ip address>
NAS-Port-Type = Virtual
NAS-Port = 131
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = <reason>

Comments

- Reason: "The specified domain does not exist" - See ME946813.
- Reason: "The message received was unexpected or badly formatted" - See ME933430.
- Reason: "The supplied message is incomplete. The signature was not verified" - The issue may occur if IAS is installed on the Windows Server 2003-based computer and the Trusted Root CA certificate is not installed on the client computer. See ME838502 to resolve this problem.

See the links to "Securing Wireless LANs with PEAP and Passwords", "Troubleshooting Windows XP IEEE 802.11 Wireless Access", and "Sophos Support Article ID: 27239" for additional information related to this problem.
- Reason: "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider" - This error may occur when your IAS Server authentication certificate expired, and you renewed it. If you use an authentication method like EAP-TLS, then go into your Access Policy and edit the Profile to configure the policy to use the newly issued certificate. It may happen that the server chooses the wrong certificate for authentication. See also ME824069 for a hotfix that fixes the problem with the IAS server picking the wrong certificate.
My IAS server was giving me this event. Interestingly enough, this problem was due to some old Certificate Authority left on my AD. The fix was quite simple: I ran "certutil -dcinfo deleteBad" and it removed the bad certificate.
- Reason: "The user attempted to use an unauthorized authentication method." - Verify that the IAS server is authorized to access the Active Directory to verify the "Remote Access" permissions for users. Use the "Action", "Register Server in Active Directory". Once this is enabled, make sure that the specified authentication type is checked in the Remote Access Policies (the name of the policy is listed in the "Policy-Name" section of the event description).

A common occurrence of this event is when IAS is used to authenticate clients for VPN gateways (e.g. Cisco PIX).

- Reason: "LAN Manager authentication is not enabled" - If the IAS server is Win2003, LAN Manager authentication is disabled by default. See "Understanding IAS: Authentication Methods" to enable LAN Manager authentication.
In the line "Policy-Name =" in the error description, the name of the remote access policy that denied access is displayed. Double-click this policy and click edit profile. In the Authentication tab, check and ensure that the correct authentication protocol is selected. In the above event, it is required to enable PAP. As a security measure, do not enable authentication protocols you don't use (but forget the whole thing about security when you use PAP).
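
As an added example (not part of the original page and not Microsoft tooling), the Python below parses an IAS Event ID 2 description into its attributes and attaches the pointer this page gives for each known Reason text, along with the Policy-Name to inspect. The sample event, the user name `jdoe`, the domain `example.local` and all function names are constructed for illustration.

```python
import re

# Reason text (as listed in the comments above) -> pointer given on this page.
REASON_HINTS = {
    "specified domain does not exist": "See ME946813.",
    "unexpected or badly formatted": "See ME933430.",
    "signature was not verified": "Check the Trusted Root CA certificate on the client (ME838502).",
    "not trusted by the policy provider": "Check which certificate the policy profile uses (ME824069).",
    "unauthorized authentication method": "Register IAS in Active Directory; enable the auth type in the named policy.",
    "LAN Manager authentication is not enabled": "Disabled by default on Windows Server 2003.",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$")

def parse_ias_denial(description):
    """Split an IAS Event ID 2 description into a user name and attribute dict."""
    fields = {}
    user = None
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif (d := re.match(r"\s*User (.+?) was denied access\.", line)):
            user = d.group(1)
    return user, fields

def triage(description):
    """Return (user, policy, notes) for one denied-access event."""
    user, f = parse_ias_denial(description)
    notes = []
    reason = f.get("Reason", "")
    for needle, hint in REASON_HINTS.items():
        if needle.lower() in reason.lower():
            notes.append(hint)
    if f.get("Authentication-Type", "").upper() == "PAP":
        notes.append("PAP negotiated: confirm the policy really needs it.")
    return user, f.get("Policy-Name"), notes

# Constructed sample event (not taken from a real log).
SAMPLE = """User jdoe was denied access.
 Fully-Qualified-User-Name = example.local/Users/jdoe
 Policy-Name = Allow access if dial-in permission is enabled
 Authentication-Type = PAP
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```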
