Using Network Policy Server Policies in conjunction with RRAS on Server 2012 R2

Within the RRAS MMC console there is an option called Remote Access Logging & Policies.
If I right-click it, I can get to the NPS, and I tried to configure a couple of basic settings (e.g. group membership of Domain Admins required) for granting access.
However, when testing this, the policy did not seem to apply (i.e. the user got on even though the group membership was not correct).
I have made sure that the dial-in properties for the user were set to Control access through NPS Network Policy.
Q/ For the above to work, do I actually need to install the NPS role itself or can it work independently?

Hi,
It seems that Remote Access logging and policy configuration has been performed through NPS since Windows Server 2008.
As you have tested this, I assume that you would need to install the NPS role to perform RADIUS accounting and Network Policies.
More information:
Network Policy Server
In addition, since it is related to network, I will move it to the Network Access Protection forum for better assistance. Thanks for your understanding and support.
Best regards,
Susie
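As an added check (not part of the thread), this PowerShell script, run elevated on the RRAS server, shows whether NPS is actually the component deciding VPN access: the role and service state, the RRAS authentication provider, the user's dial-in attribute, and the NPS audit events that name the policy that matched. The account name is a placeholder.

```powershell
# Added diagnostic script, not from the thread. Run elevated on the RRAS server.
# It checks each piece that must be in place before an NPS network policy can be
# the thing that grants or denies a VPN logon.
param(
    [string]$SamAccountName = 'testuser'   # placeholder test account; change it
)

Import-Module ServerManager
Import-Module ActiveDirectory

# 1. Is the Network Policy and Access Services role installed at all?
$npas = Get-WindowsFeature -Name NPAS
"NPAS role installed: {0}" -f $npas.Installed

# 2. Are the NPS service (service name IAS) and RRAS (RemoteAccess) running?
foreach ($svc in 'IAS', 'RemoteAccess') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { "Service ${svc}: not present" } else { "Service ${svc}: $($s.Status)" }
}

# 3. Which authentication/accounting provider does RRAS hand requests to?
#    'Windows' means requests are evaluated on this server; 'RADIUS' means they
#    are forwarded to the RADIUS server(s) listed in the same output.
netsh ras aaaa show authentication
netsh ras aaaa show accounting

# 4. Which network policies exist and in what processing order?
netsh nps show np

# 5. The user's dial-in attribute. An unset msNPAllowDialin means
#    "Control access through NPS Network Policy"; True/False override NPS.
$user = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, MemberOf
$dialin = if ($null -eq $user.msNPAllowDialin) { 'Control through NPS policy' } else { $user.msNPAllowDialin }
"msNPAllowDialin for ${SamAccountName}: $dialin"
"Group membership:"
$user.MemberOf | ForEach-Object { "  $_" }

# 6. Recent NPS decisions in the Security log: 6272 = access granted,
#    6273 = access denied. The event text names the network policy that matched,
#    which is what tells you whether the group condition was evaluated at all.
#    If nothing comes back, NPS auditing is off; enable it with
#    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg    = $_.Message
        $policy = if ($msg -match 'Network Policy Name:\s*(.+)') { $Matches[1].Trim() } else { '(none)' }
        $acct   = if ($msg -match 'Account Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        "{0} id={1} user={2} policy={3}" -f $_.TimeCreated, $_.Id, $acct, $policy
    }
```

A 6272 event whose policy name is not the one carrying the group condition, or no 6272/6273 events at all while users still connect, means the decision is being made somewhere other than the policy you edited.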

Similar Messages

  • Network Policy Server in conjunction with RRAS on Server 2012 R2

    Within the RRAS MMC console there is an option called Remote Access Logging & Policies.
    If I right-click it, I can get to the NPS, and I tried to configure a couple of basic settings (e.g. group membership of Domain Admins required) for granting access.
    However, when testing this, the policy did not seem to apply (i.e. the user got on even though the group membership was not correct).
    I have made sure that the dial-in properties for the user were set to Control access through NPS Network Policy.
    Q/ For the above to work, do I actually need to install the NPS role itself or can it work independently?

    Hi,
    Did the NPS work properly before you configured these options? If you are trying to deploy NPS, please refer to the following related KB first.
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://msdn.microsoft.com/en-us/library/cc754114.aspx
    Configure 802.1X Wireless Access Clients by using Group Policy Management
    http://msdn.microsoft.com/en-us/library/dd759173.aspx
    Hope this helps.

  • Can I use boot camp or other virtualization software with Snow Leopard Server?

    Can I use boot camp or other virtualization software with Snow Leopard Server?

    Boot Camp is not virtualization; it boots Windows natively on the Mac hardware. So Boot Camp would be irrelevant to running Snow Leopard Server. Parallels and VMWare Fusion both have at least "experimental" support for running Snow Leopard Server in a virtual machine on Mac OS X, though I don't know how robust it is as of this time. You might ask for opinions on the Parallels or VMWare forums.
    Regards.

  • Server returned code (500) with message Internal Server Error and content

    Hi cracks,
    I am trying to run the web service
    InternalRequestSRMUpdateRequestConfirmation_In
    an get following error :
    Server returned code (500) with message <Internal Server Error> and content type <text/html; charset=utf-8>.
    any idea?
    rgds
    Vincent

    Yes,
    you got a crash, aka a short dump, in your system.
    - webserver: didn't crash, because it issued an error 500, so it works
    - that leaves either the SOAP runtime, which usually doesn't dump but throws errors, or the application itself.
    I'd look into the trace files (ST11) or tie the debugger to the service in question (SICF) and try to find out what happens/happened.
    anton

  • Wireless Network Policy Single Sign On Issue with Windows 8.1 only

    I'll try to set this up as best I can. I have a laptop with a fresh Windows 8.1 install on it. It is on my domain, and I have a single GPO applied to it. In the GPO under Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network Policies I have created a Windows Vista or later policy. In the policy I have configured single sign on. I log into a local account on the laptop and plug it into a wired connection. I then run gpupdate on it. At that point I unplug the network cable, and log off. Now, from the login screen I click Other user, and it looks like the screenshot below.
    Notice that "Windows will try to connect to" is present. I can log in using domain credentials, and single sign on works perfectly. Now if I reboot the machine, the "Windows will try to connect to" is gone and single sign on does not work. If I log in with a local account and log out, the "Windows will try to connect to" is present again. I can log in normally using domain credentials, and single sign on works perfectly again.
    One other note: I installed a fresh copy of Windows 7 on the same model laptop, and put it in the same OU with that single GPO. Single sign on works perfectly with the Windows 7 machine every time, including after reboots. Thank you, in advance, for any advice or comments. I will be happy to provide additional information if it is needed.

    I managed to get this to work properly in my environment. I realized that I needed to export the wireless profile from the Group Policy editor and import it on the client (by using Group Policy). I realized this while reading through this article:
    https://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx
    You can see the "Export..." button in the screenshot posted by keyserag above. Select the profile name, in the Group Policy editor Properties dialog, i.e. the item that keyserag has blurred in his screenshot, then click the "Export..."
    button. You will be prompted to save the XML file. 
    I use Computer Configuration > Preferences > Windows Settings > Files to copy the XML file to the clients:
    Destination: %WindowsDir%\WirelessProfileExportFileName.XML
    I then use Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks to run netsh and import the profile:
    Action: netsh wlan add profile filename="%WindowsDir%\WirelessProfileExportFileName.XML"
    The PCs using my policies are now ready to logon without any need for additional manual actions.
    I've left out some detail here, I assume everyone will do something a little different anyway. Let me know if you need more help with this.

  • Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

    [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
    We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
    just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
    So... now we are trying Phonefactor.
    Our VPN setup is RRAS on a Windows Server 2003 domain controller.
    We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
    call.
    It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
    nimble, that is frequently not enough time!
    When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
    How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
    Things we have tried:
    1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
    2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
    3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
    4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
    5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
    6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
    7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
    8) Try this registry hack:
    http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
    Any ideas?
    thanks!

    Hi fdc2005,
    Thanks for the post.
    However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
    Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us with more details?
    Regarding error 718, please check if the following could help:
    If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
    Steps to follow for resolution:
    (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
    (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
    Quote from:
    Troubleshooting Vista VPN problems.
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Integrating Exchange Server in the cloud with Project / Sharepoint Server internal

    Hi,
    I wonder how do I integrate service Exchange Server with Project Server 2010.
    I have a Project Server 2010 that needs to send emails with project updates and other integrations with Outlook. The standard procedure is to perform procedures (run commands in the Exchange Server Shell) and create users in Project Server.
    But I have a situation where my client uses a service exchange in the cloud and not a server for internal mail.
    How do I integrate Project Server with Exchange this scenario where the mail server is an external service (cloud)?
    I made the settings as the procedure () but got no success, no mail was received to be alert or reminder:
    Below are the screens with the settings that were made.
    Crawl Resource Configuration (http://technet.microsoft.com/pt-br/library/ee806927(v=office.14).aspx)
    1) I Installed SMTP service on my server.
    2) I made the configurations above
    3) I configured the outgoing/Ingoing Setting in Sharepoint Central Administration

    Hi Marcelo,
    Without providing the extended rights to the project user, I don't think you will be able to successfully integrate Project Server with Exchange in the cloud. Here is the TechNet article about how to integrate it with extended rights, which requires running commands on the Exchange server:
    http://technet.microsoft.com/en-in/library/ff468700%28v=office.14%29.aspx
    Vikram Daruru - MSFT

  • Server 2008 R2 SP1 with RRAS takes down entire network

    We have a Hyper-V server (2008 R2 SP1) that is running several DCs. These DCs are for different domains and establish outbound VPN connections using RRAS to sync with remote DCs. We have a few of these with 20-30 DCs running on each Hyper-V server.
    Application of SP1 to the host OS went without issue and everything remained normal.
    Upgraded a single Hyper-V VM from 2008 R2 to 2008 R2 SP1 and everything connected to the physical switch went down.  Ping times went through the roof and timeouts were happening on the local physical network.  All Hyper-V guests on all
    Hyper-V machines had CPU usage that went from about 0% up to averaging 5% to 7%.  The processing taking all the CPU was the LocalServiceNoNetwork one which is related to packet inspection.
    Using the process of elimination, we found that if we stopped RRAS on the Hyper-V guest running 2008 R2 SP1 then everything went back to normal. We duplicated the same scenario with a different machine...and again, just stopping RRAS fixed everything. As soon as RRAS starts, the network crashes.
    Has anyone else seen anything like this?  I plan on opening a case with PSS tomorrow but thought I'd ask.
    Rob

    PSS is useless.  They work on the ticket when convenient for their overseas hours and have no idea what is wrong.  They keep asking for the same information over and over.  We've decided to remove the RRAS component from our VM's.  Instead
    we've decided to set up a VPN configuration where we use IPSec tunnels for each VM.  This allows us to remove all the RRAS roles and the issue goes away with SP1 applied.
    There is definitely something wrong with SP1, RRAS and Hyper-V.  Maybe Microsoft can figure it out on their own time.  It is easier and simpler for us to just remove the component.
    For historical reference, the issue seems to be that RRAS with SP1 picks up packets that are not destined for the RRAS tunnel and attempts to retransmit them.  This, in turn, saturates the switches with retransmit packets and takes down the entire network.
    Microsoft has absolutely no clue on how to resolve the issue and the techs have so little knowledge in real networking troubleshooting that it is laughable.
    Rob

  • Use of Xerces Parser in out application with Oracle App Server 9.0.4

    The problem in brief:
    Our product is a web-app that runs under various Application servers.
    One of our customers who uses Oracle App server, recently upgraded from 9.0.2 (9g) to 9.0.4 (10g), and our product no longer works with the latter version.
    Our product uses XML parser Xerces 1.1.
    In 9.0.2 it was possible to replace the App server's parser with Xerces 1.1 (we modified the opmn.xml file, setting the Java options for our OC4J instance bootclasspath with the Xerces parser). Hence, our product works.
    In 9.0.4, apparently, Oracle moved to a different parser, and it no longer allows the parser to be replaced. If the bootclasspath is modified with XERCES(tested various versions of xerces) parser, rightfully so ORACLE Application server does not start.
    Unlike other prominent Application Servers (such as WebSphere etc.) the Oracle application server does not support separate JVMs or namespaces for web-apps either.
    We would like the Oracle Application Server OC4J instance for our application to use the Xerces parser version qualified with our product. We understand that replacing the XML parser for the entire Oracle Application Server is not a supported function.
    Since Oracle Application Server loads the Oracle 'xmlparserv2' on the system class path, even though the application has xerces.jar in the application path (either in AppLib or the web-inf/lib directory; it is not a class loading issue), it does not get used (since javax.xml.parsers.DocumentBuilderFactory is mapped to the Oracle parser).
    So, it looks like the only option available to us is to modify our product to use Oracle's XML parser. This is a major software change, and we want to keep it as a last resort option.
    Any suggestion and help will be highly appreciated.
    Perraju Nadakuduty (raju)
    E-mail:[email protected]

    Raju --
    Thanks for the intelligent posting on a difficult issue for you.
    I wasn't aware of anything specifically being introduced that prevented the bootclasspath technique from working** in the 904 release.
    For 904, the bootclasspath needs to be put in the start parameters tag of the java-options tag.
    <process-type id="home" module-id="OC4J" status="enabled">
      <module-data>
        <category id="start-parameters">
          <data id="java-options" ... -Xbootclasspath/a:/java/lib/xerces.jar"/>
        </category>
      </module-data>
    </process-type>
    You can also try copying the xerces.jar into the jre/lib/ext directory so it's loaded by the system classloader and see if that works**. This will put xerces at the extension level so
    **these workarounds are not supported and will put you in an unsupported situation if a problem occurs.
    The good news is that we have taken steps to clearly enable the separation of container versus application class spaces in the next production release (10.1.3) of OC4J. We will be providing a new classloading model which cleanly separates the two namespaces and allows applications to provide their own versions or distributions of class libraries with no collisions with the OC4J runtime libraries.
    I don't know of any easy ways to do what you need -- other than reworking the app to use JAXP so that the parser implementation used is pluggable as you kind of allude to. If it was possible, I'd do that rather than hard coding in the use of the Oracle XML parser.
    But just to reiterate, switching in xerces at the bootclasspath level is not a supported operation since it may have an effect on the OC4J runtime operation.
    cheers
    -steve-

  • How do i use an external hard drive in conjunction with my itunes account?

    I'm having so much trouble locating music from my itunes account that i previously transferred onto an external hard drive.  I regularly get messages with each sync i try to do telling me that songs could not be located.  Also when i try to play certain songs they have a circled in front of them which prevents me from playing them even on my computer.  I've tried everything in my knowledge to rectify this problem but i just cannot find a solution. Please help.

    Hello ryanbenson,
    With this issue it's best to start from scratch.
    -Create a folder on your external, call it itunes music.
    -Find all of your music on your computer and cut and paste it all into that folder.
    -In itunes click music under library on the left and delete all of your music.
    From here you want to add everything back into itunes from the itunes music folder on your external.
    -At the top of itunes click edit, preferences, then advanced.
    -Make sure keep itunes folder organized is checked.
    -Make sure copy files when adding to library is unchecked.
    -At the top it shows iTunes media folder location, to the right of that you can change the location to the external hard drive, to the itunes music folder.  You will have to keep the external connected to play songs in itunes and sync but this is how my itunes is set up.
    -Click ok on the bottom right of the preferences window
    After all that,
    -Click file at the top, then add FOLDER to library
    -Navigate to your external and click the folder that has all the music.
    -Click ok or add folder or choose folder
    From here all music will start importing back into the library. iTunes will stay organized. You will be able to sync and play your music again.
    Hope this helps.
    ~Julian

  • Serving static AAAA records with IOS' DNS server

    Hi guys,
    Has anyone managed to get IOS to serve statically defined AAAA records? I do this just fine with A records as such :
    On the router :
    ip dns server
    ip host ns.example.com 1.1.1.1
    ip host somehost.example.com 1.1.1.2
    ip dns primary example.org soa ns.example.org [email protected] 21600 900 7776000 86400
    From the Linux box :
    unixhost$ dig @1.1.1.1 somehost.example.com
    ; <<>> DiG 9.8.1-P1 <<>> @1.1.1.1 somehost.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32168
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;somehost.example.com.        IN    A
    ;; ANSWER SECTION:
    somehost.example.com.    10    IN    A   1.1.1.2
    ;; Query time: 1 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Wed Aug 15 00:42:11 2012
    ;; MSG SIZE  rcvd: 50
    Interestingly, whenever I add a static IPv6 entry, I get the SOA as an answer instead of the actual AAAA record. But from the router itself, it can use the statically defined hosts just fine.
    On the router :
    ipv6 host somehost.example.com 2001:1:1:1::2
    From the Linux box :
    unixhost$ dig -t AAAA @1.1.1.1 somehost.example.com
    ; <<>> DiG 9.8.1-P1 <<>> -t AAAA @1.1.1.1 somehost.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53347
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;somehost.example.com.        IN    AAAA
    ;; AUTHORITY SECTION:
    somehost.example.com.        86400    IN    SOA  ns.example.com. [email protected]. 3553994542 21600 900 7776000 86400
    ;; Query time: 1 msec
    ;; SERVER: 192.168.200.252#53(192.168.200.252)
    ;; WHEN: Wed Aug 15 00:42:22 2012
    ;; MSG SIZE  rcvd: 108
    But from the router, it works just fine :
    router#ping ipv6 somehost.example.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:1:1:1::2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
    I'm running 15.2(2)T1.
    Thanks,
    Eric Lauriault

    Hello Everyone,
    in case someone runs into this thread: In our case it turned out that the problem was related to the DNS Server service. Regardless of the above configuration settings on the NIC and in the registry, the DNS server will always register in DNS using
    all of its IPs that the service is listening on. To change this behaviour you can tell the DNS service to only register individual IPS in the registry:
    HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
          Add a Reg_Multi_SZ called "PublishAddresses" and specify the list of IPs
    In our case we added just one of the three configured IPs and from then on the server only registered this address and not the other ones.
    Regards
    HarryNew

  • Network Policy Server Policies

    We are using Windows Network Policy Server application as a radius server for VPN connections using windows server 2008 R2.
    On my firewall, we currently have only 1 VPN profile and we have a Network Policy that says if they are not part of this windows group, they cannot connect to the VPN.
    I have set up two additional VPN profiles for different vendors, etc. and set up the test accounts to use different groups and set up new network policies for each one. The issue I am running into is that all NPS network policies work with each VPN profile. I would like to know how you can set up a policy so they differentiate between each VPN policy, so if a user is on VPN profile 1 it will use network policy 1 and not allow them access to any of the other VPN profiles 2 or 3, because they do not meet the requirements for them based off the network policy that is defined.

    Hi,
    According to your description, my understanding is that you wanted the NPS policies to work differently from the firewall rules/profiles. If I misunderstood anything, please feel free to let me know.
    Based on my experience, it seems that NPS won't do that with firewall profiles. If you want to define different network policies for different user groups, you can select the specific user group when specifying conditions of the network policy. More information:
    Network Policy Conditions Properties
    Best regards,
    Susie

  • Device Redirection for RD Gateway not possible with MFA and Central Network Policy

    Prior to using Azure MFA with my Remote Desktop Gateway I used a connection authorization policy (CAP); this policy allowed me to limit what devices (drives, printers, clipboard) were redirected when connecting through the gateway. However, with MFA I had to use a Central Network Policy Server, which is pointed to my multifactor server, and doing so I no longer have connection policies available to select what device redirection is available. I can set this at the RD session host; however, I only want the policy to apply when coming in via the gateway, meaning I don't want users to see their local drives or printers when coming in via the Internet, but if they are internal and hit the RD session host I want them to see local drives and printers. So now I have no way to limit device redirection if I want to use MFA with my RD Gateway. Is there not a work-around for this? This seems like something that was missed.

    It works in my configuration.   I pass back the redirection bitmap from the "base" RADIUS server (that MFA targets) and MFA passes it back to the gateway

  • DMZ Ports to Communicate with SCCM Primary Server

    Hello,
    I have searched and came to know that on the firewall, the following ports should be open for the DMZ to communicate with the SCCM primary server:
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135
    TCP 445
    We are planning to implement a software on DMZ server which should communicate with SCCM primary server.
    Do the above ports work for communication from DMZ to Primary or if there are more ports required for it?
    Is it possible to achieve this without the SCCM client installed on the DMZ server, as I would like the software to communicate via its own methods but the required ports should be open?

    Could you please provide the WMI and SQL ports which would be required.
    If we talk generically, are the ports below enough for a DMZ server to communicate with the primary site server?
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135
    TCP 445

  • OS X Server 10.6 bound to Active directory, serve that as Open Directory

    I have an OS X Server 10.6 bound to an Active Directory. I can log in to the AFP file server with an AD account.
    Now, I would like the clients to be connected to Open Directory from the OS X Server and authenticate to the AD.
    Is this possible?
    I'd like to be able to use network home folders etc. that reside on the OS X Server.

    Yes.
    You are working in the right order. Now that you are bound to AD, simply promote the Mac server to OD Master. This will enable the LDAP server. You will likely note that the Kerberos KDC will not be running. This is proper, because the AD server is the KDC.
    Once this is done, you can now create OD groups and add AD users or groups so that you can manage those groups.
    Now, the trick is, you will need to go back to all the workstations and bind them to OS X as well as AD. This will allow the Mac clients to use AD for user authentication and authorization but then use OD for group management policy.
    Hope this helps
