Question

TerrySmith-4159 asked:

Expired certificate led to inability to log in

I run a small network at a private school. My predecessors had a host of virtual Microsoft servers operating things (versions 2003 to 2012). Though I can keep up with most MS enterprise environments, I'm no expert, and everything I do know has been gleaned from forums and past coworkers (i.e. no real schooling in the area). My efforts have been in moving our resources to the cloud and Azure services, and I've missed a couple of maintenance benchmarks along the way.

My current dilemma has to do with the security certificates in the domain. I accidentally allowed the certificate to expire (as of Jan 21, 2021). I believe I've successfully renewed it, though I can't really say for certain as I don't know what to look for. The initial indicator was when my wifi users stopped being able to log into the network with their devices using their domain credentials sending me down the rabbit hole of Radius and NPS research and learning.

Following some updates to my wireless APs' firmware and managed network switches, I have regained some connectivity for most users but not for everyone. Furthermore, I can't seem to find the reason for any of it.

As of 2 days ago I have some wired workstations where only admin users can log in and anyone else trying to log in receives the following message: "the sign-in method you're trying to use isn't allowed". I also have found some users are losing the ability to print to network printers.

I believe this is all tied to the original security certificate issue and I've done something incorrectly. I'm pretty desperate here - any help would be appreciated.

Tags: windows-server-security, windows-server-infrastructure

Daisy? Anyone?


Hello @TerrySmith-4159,

Thank you for your update.

Based on the description, I understand your question is related to networking; I will find an engineer from the networking team to help you further.

Thank you for your understanding.



Best Regards,
Daisy Zhou

SunnyQi-MSFT answered:

Hi,

Thanks for posting in Q&A platform.

Please first confirm whether the issue started after the certificate expired. Did the user have connection issues before the certificate expired?

If the user already had connection issues before the certificate expired, please refer to the following answer.

> Following some updates to my Wireless APs firmware and Managed network switches I have regained some connection for most users but not for everyone.

May I know what kind of users cannot connect to Wi-Fi?

Based on provided screenshot, the reason for unable to connect was "Authentication was not successful because an unknown user name or incorrect password was used".

Please confirm that the user has been created in ADUC and that the password is correct.

As for Event 6273, this event log might be caused by one of the following conditions:

  • The user does not have valid credentials

  • The connection method is not allowed by network policy

  • The network access server is under attack

  • NPS does not have access to the user account database on the domain controller

  • NPS log files or the SQL Server database are not available

For more detailed methods regarding how to troubleshoot Event ID 6273, please refer to the following article:

Event ID 6273 — NPS Authentication Status

Best Regards,
Sunny


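The five conditions Sunny lists are all reported by NPS itself in the Reason field of Event ID 6273, so the quickest way to tell them apart is to read that field across every recent denial rather than one screenshot at a time. The script below is an added example, not part of the original thread: run as an administrator on the NPS server, it pulls recent 6273 events from the Security log, parses the EventData fields Windows writes (SubjectUserName, ClientName, NetworkPolicyName, EAPType, ReasonCode, Reason) and groups the denials by reason, then by user within each reason. The time window and event cap are parameters I chose for illustration.

```powershell
# Added example (not from the original thread): summarise recent NPS denials
# (Security log, Event ID 6273 "Network Policy Server denied access to a user")
# by the Reason NPS recorded, so credential failures, policy mismatches and
# EAP/certificate failures can be told apart across the whole failing population.
# Run as an administrator on the NPS server.
param(
    [int]$Hours     = 24,    # look-back window (chosen for this example)
    [int]$MaxEvents = 1000   # cap on events read (chosen for this example)
)

$filter = @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Each 6273 carries its details as <Data Name="...">value</Data> elements in the
# event XML; turn those into a flat object per denial.
$denials = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = $data['SubjectUserName']
            Domain        = $data['SubjectDomainName']
            Client        = $data['ClientName']        # RADIUS client (AP/switch) name
            NetworkPolicy = $data['NetworkPolicyName'] # empty when no policy matched
            AuthType      = $data['AuthenticationType']
            EAPType       = $data['EAPType']
            ReasonCode    = [int]$data['ReasonCode']
            Reason        = $data['Reason']
        }
    }

if (-not $denials) { Write-Host "No 6273 events in the last $Hours hours."; return }

# Summary: how many denials per reason, and how many distinct users hit each one.
# Many distinct users under a single reason points at the server side (policy,
# certificate, DC reachability); one user repeating a reason points at that account.
$denials |
    Group-Object ReasonCode, Reason |
    ForEach-Object {
        [pscustomobject]@{
            Count         = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            ReasonCode    = $_.Group[0].ReasonCode
            Reason        = $_.Group[0].Reason
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap

# Detail: the most recent denial per user, with the policy and EAP type involved,
# to compare users who can connect against those who cannot.
$denials |
    Sort-Object Time -Descending |
    Group-Object User |
    ForEach-Object { $_.Group[0] } |
    Select-Object Time, User, Client, NetworkPolicy, AuthType, EAPType, ReasonCode |
    Format-Table -AutoSize
```

Read the summary first: a credential mismatch is per-user and shows a populated NetworkPolicy, whereas a denial with an empty NetworkPolicy means the request matched no policy (Sunny's "connection method is not allowed" case), and a server-side PEAP certificate problem tends to fail every user the same way under an EAP-related reason rather than as a bad password. If Get-WinEvent reports no events at all, check whether NPS is logging to the Security log under Audit Network Policy Server (auditpol /get /subcategory:"Network Policy Server").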

TerrySmith-4159 answered:

![64557-image.png][2]


![64625-image.png][3]


[2]: /answers/storage/attachments/64633-image.png



TerrySmith-4159 answered:

Hello Daisy, thanks so much for the reply! I'll do my best to answer your questions but please have patience with me as my understanding of security certificates is limited.

1.What account do you use to sign in? Is it normal domain user account?
I log in with a domain administrator account.

2.What machine did the user log on? Is it DC or domain client/server?
The workstations being used to log on are domain-joined Windows 8.1 computers
The WiFi devices trying to gain access through RADIUS and using NPS are an assortment of phones, tablets, chromebooks and laptops (windows and mac). I had 2 windows laptops (10 and 8.1) that were domain-joined which couldn't connect to the RADIUS WiFi or log in with their domain accounts. They were able to log in after I connected them to a WPA2 wifi network and added their domain accounts to the local admin group on their computers.

3.How did the user logon the machine? Locally or remotely?
All connections are local here. No VPN access and no remote viewers involved.

1.Do you have your internal CA server?
Yes I do, though I'm not clear on WHICH of the multiple servers it is. I've been having difficulty finding the dump from Certutil.exe to confirm. I will post back here when I find out.

2.What certificate was expired? User certificate or computer certificate or Root CA certificate?
It was a certificate for the server hosting NPS and RADIUS as far as I understand. But this is clearly where I am out of my depth - I don't understand.

3.What error message when there is inability to log in?
Wifi users were just getting dummy messages like "unable to connect". I have some log info from the RADIUS server that I will post following this post which may provide more info.
Users logging into computers were getting "the sign-in method you're trying to use isn't allowed"

The only reason I mention the printing issue is that I believe authentication is the source of the issue which I believe all links back to this certificate issue.

Thanks for your help!

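Two of the open questions in this reply ("which of the multiple servers is the CA" and "I believe I've renewed it, though I can't say for certain") can be answered from the NPS server itself. The script below is an added example and not part of the original thread. It lists the enterprise CAs registered in Active Directory (they publish themselves under the Enrollment Services container of the configuration partition), then lists every certificate in the NPS machine store that PEAP could use (Server Authentication EKU with a private key) with its expiry and whether its chain validates. It assumes the RSAT ActiveDirectory module is installed on the machine it runs on; nothing else is assumed, all names and thumbprints are read live.

```powershell
# Added example (not from the original thread): find the enterprise CA(s) and
# check whether the NPS server holds a valid, unexpired certificate for PEAP.
# Run as an administrator on the NPS server; part 1 needs the RSAT
# ActiveDirectory module (assumption for this example).
Import-Module ActiveDirectory

# --- 1. Which server is the CA? ---------------------------------------------
# Enterprise CAs register a pKIEnrollmentService object in the configuration
# partition; dNSHostName is the server that hosts the CA.
$configNC = (Get-ADRootDSE).configurationNamingContext
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
Write-Host "Enterprise CAs registered in AD:"
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    Select-Object Name, dNSHostName | Format-Table -AutoSize

# --- 2. Did the NPS certificate actually renew? -----------------------------
# PEAP/EAP-TLS on NPS needs a machine-store certificate with the Server
# Authentication EKU and a private key, issued by a CA the clients trust.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - $now).TotalDays
            Expired    = ($_.NotAfter -lt $now)
            # Verify() builds the chain and checks validity and revocation as this
            # machine sees it; False here means clients will reject it too.
            ChainValid = $_.Verify()
            Thumbprint = $_.Thumbprint
        }
    } | Sort-Object NotAfter -Descending

Write-Host "Server Authentication certificates with a private key in LocalMachine\My:"
$candidates | Format-Table Subject, Issuer, NotAfter, DaysLeft, Expired, ChainValid, Thumbprint -AutoSize

# A renewal normally leaves the old, expired certificate in the store next to the
# new one; NPS keeps using whichever one the network policy points at.
$usable = $candidates | Where-Object { -not $_.Expired -and $_.ChainValid }
if (-not $usable) {
    Write-Warning "No unexpired, chain-valid Server Authentication certificate found; PEAP will fail for every user."
} else {
    Write-Host "Usable certificate(s) (confirm the NPS network policy is set to one of these thumbprints):"
    $usable | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}
```

The last step cannot be read from the store: open the NPS console, Network Policies, the wireless policy, Constraints, Authentication Methods, EAP Types, select Microsoft: Protected EAP (PEAP) and click Edit; the "Certificate issued to" shown there must match a row with Expired False and ChainValid True. If it still shows the old certificate, select the new one there and restart the Network Policy Server service. Clients also have to trust the issuing CA; a domain-joined Windows client gets the enterprise root via Group Policy, but phones, tablets and Chromebooks only do if the root was installed on them, which would explain a population that cannot connect after the certificate changed.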

DaisyZhou-MSFT answered:

Hello @TerrySmith-4159,

Thank you for posting here.

Based on the description above, I understand you have the issue "As of 2 days ago I have some wired workstations where only admin users can log in and anyone else trying to log in receives the following message: "the sign-in method you're trying to use isn't allowed"". Would you please confirm the following information:

1.What account do you use to sign in? Is it normal domain user account?
2.What machine did the user log on? Is it DC or domain client/server?
3.How did the user logon the machine? Locally or remotely?

Meanwhile, you mentioned that an expired certificate led to the inability to log in; would you please confirm the following information:

1.Do you have your internal CA server?
2.What certificate was expired? User certificate or computer certificate or Root CA certificate?
3.What error message when there is inability to log in?

Tip: For the issue "I also have found some users are losing the ability to print to network printers.", I am sorry, I am not an expert on printers; I suggest you repost with the printer tag selected.

Thank you for your understanding.



Best Regards,
Daisy Zhou
