Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

NPS realm stripping does not work when the override policy is enabled in Windows Server 2008 and Windows Server 2008 R2



Summary

Consider the following scenario:
  • You have a network that has two domains on a server that is running Windows Server 2008 or Windows Server 2008 R2.
  • The two domains do not have a trust relationship.
  • The two domains have identical user and password database lists.
  • All users and computers are members of the first domain.
  • Network Access Protection (NAP) 802.1X is performed in the second domain.
In this scenario, when a computer connects to the network, the authentication switch sends the RADIUS request to the server that is running Network Policy Server (NPS) in the second domain. This server performs realm stripping. When this occurs, the server changes the user name from First_Domain\User_Name to Second_Domain\User_Name and then authenticates the user on the second domain.

However, if the connection request policy in the server that is running NPS has the Override network policy authentication settings option enabled, the user is authenticated on the first domain as First_Domain\User_Name.



More Information

This behavior is by design. Realm stripping is intended for routing purposes only and cannot be used to manipulate user and computer authentications. It cannot be used when you use multilayer protocols such as Protected Extensible Authentication Protocol (PEAP). You cannot present one set of credentials (outer ID) and then change those credentials (inner ID).
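The following added example (a simplified Python model, not NPS code and not part of the original KB article) shows the rewrite rule acting only on the outer User-Name and lists the policies in which that rule no longer decides the authenticating domain. The policy names, the regular expression, and the premise that the override path authenticates the PEAP inner ID are assumptions of this model.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    outer_user_name: str  # RADIUS User-Name attribute (outer ID), visible to the policy
    inner_identity: str   # identity carried inside the PEAP tunnel (inner ID)

@dataclass
class ConnectionRequestPolicy:
    name: str             # hypothetical policy name
    find: str             # realm rule: regex matched against User-Name
    replace: str          # literal replacement text
    override_auth: bool   # "Override network policy authentication settings"

    def routed_name(self, req: Request) -> str:
        # The realm rule rewrites only the outer User-Name attribute.
        return re.sub(self.find, lambda m: self.replace, req.outer_user_name, count=1)

def domain(name: str) -> str:
    return name.split("\\", 1)[0]

def authenticated_as(policy: ConnectionRequestPolicy, req: Request) -> str:
    # Model assumption: with the override enabled, authentication uses the
    # inner ID, which the realm rule never touched.
    if policy.override_auth:
        return req.inner_identity
    return policy.routed_name(req)

def audit(policies, req):
    """Names of policies whose realm rule does not decide the authenticating domain."""
    return [p.name for p in policies
            if domain(p.routed_name(req)) != domain(authenticated_as(p, req))]

# Constructed sample data mirroring the scenario in the Summary.
REQ = Request(r"First_Domain\User_Name", r"First_Domain\User_Name")
POLICIES = [
    ConnectionRequestPolicy("wired-8021x", r"^First_Domain\\", "Second_Domain\\", False),
    ConnectionRequestPolicy("wired-8021x-override", r"^First_Domain\\", "Second_Domain\\", True),
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p.name, "->", authenticated_as(p, REQ))
    print("realm rule does not affect authentication in:", audit(POLICIES, REQ))
```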



Keywords: kb, kbinfo, kbserver, kbauthentication, kbexpertiseadvanced, kbsurveynew


Article Info
Article ID : 2721886
Revision : 1
Created on : 1/7/2017
Published on : 6/8/2012
Exists online : False
Views : 292