Marcus-9726 asked:

Setup Microsoft NPS as RADIUS server for multi-forest AD (Two Way Trust Relationships)

Are there any steps or guidelines on how to set up/configure NPS for a multi-forest (two-way trust) environment? I tried to look for the details but couldn't find any. Hopefully someone here could assist me with the following as well:

  1. Do I need a separate network policy for each of the forests?

  2. The setup is for PEAP-MSCHAPv2, so do I need to import a CA cert into the NPS server from each of the forests?

  3. Can one network policy contain multiple CA certs? If we have to import a CA cert from each forest, does it mean that we will need multiple network policies as well?

Sorry, this is my first time setting up NPS for multiple forests, please forgive me if these are stupid questions.



Tag: windows-server

Just want to confirm the current situation. You could accept the useful reply as the answer if you want to close this thread. It will encourage the person who helped you. Appreciate your understanding. :)

If there is anything else I can do for you, please feel free to post in the forum.

CandyLuo-MSFT answered:

Hi @Marcus-9726,

Yes, in theory, your thoughts are right.

Based on my discussion with my colleagues, you need one NPS server in a multi-forest (two-way trust) environment. If you set up PEAP-MSCHAPv2, the NPS server should have CA certs from each of the forests. That is to say, you need multiple network policies, each containing a different CA cert from one of the forests.

Best Regards,
Candy


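As an added example (not code from the thread or from Microsoft), here is a PowerShell check for the point made in the answer above: before building one network policy per forest, confirm that the NPS server actually holds a usable PEAP server certificate issued by each forest's CA (Server Authentication EKU, private key present, not expired). The forest list and issuer names are placeholders to replace with your own.

```powershell
# Added example (not from the thread): inventory the certificates an NPS server can offer for
# PEAP and report which of the expected forest CAs has no usable certificate. The issuer names
# below are hypothetical placeholders; replace them with your forests' issuing CA subjects.

# Expected issuing CA subject per forest (constructed sample values).
$ExpectedIssuers = [ordered]@{
    'abc.com'   = 'CN=abc-com-Issuing-CA, DC=abc, DC=com'
    'abc.local' = 'CN=abc-local-Issuing-CA, DC=abc, DC=local'
    'abc.xyz'   = 'CN=abc-xyz-Issuing-CA, DC=abc, DC=xyz'
    'abc.io'    = 'CN=abc-io-Issuing-CA, DC=abc, DC=io'
}

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for a PEAP server cert

function Get-NpsPeapCertificate {
    # Certificates in the machine store that NPS can actually select in a network policy:
    # explicit Server Authentication EKU, a private key, and not expired.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and
        $cert.NotAfter -gt (Get-Date) -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }
}

function Test-NpsForestCertificate {
    # One row per forest: is there a usable certificate issued by that forest's CA?
    param($Expected = $ExpectedIssuers)
    $certs = @(Get-NpsPeapCertificate)
    foreach ($forest in $Expected.Keys) {
        $match = $certs | Where-Object { $_.Issuer -eq $Expected[$forest] } |
                 Sort-Object NotAfter -Descending | Select-Object -First 1
        [pscustomobject]@{
            Forest     = $forest
            Issuer     = $Expected[$forest]
            Present    = [bool]$match
            Subject    = if ($match) { $match.Subject } else { $null }
            Thumbprint = if ($match) { $match.Thumbprint } else { $null }
            NotAfter   = if ($match) { $match.NotAfter } else { $null }
        }
    }
}

$Report = Test-NpsForestCertificate
$Report | Format-Table -AutoSize
$Report | Where-Object { -not $_.Present } | ForEach-Object {
    Write-Warning "No PEAP server certificate issued by $($_.Issuer); request one from the $($_.Forest) CA before creating that forest's network policy"
}
```

A missing row means the clients of that forest, which trust only their own CA, would reject the PEAP tunnel no matter how the network policy is written; a certificate with no EKU extension at all is deliberately excluded here even though Windows treats it as all-purpose.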

Hi @CandyLuo-MSFT ,

Thanks for your reply.

According to your reply:

  1. Meaning I only install one NPS RADIUS server in the multi-forest environment? Let's say I have abc.com, abc.local, abc.xyz and abc.io. I only have to install one NPS server, in the abc.com forest, right?

  2. According to your answer about the CA certs and network policies, does that mean that from the NPS server I have to request a certificate from every forest's CA and issue it to the NPS server? Then create a total of 4 network policies, one for each forest, with the different CA certs accordingly? How about the network policy processing order? Will it affect anything?

  3. Is there a need to install NPS Proxy?


  1. YES.

  2. YES. The order of network policies should not have much impact.

  3. From the official Microsoft document, it seems you need to use a RADIUS proxy if you use EAP-TLS or PEAP-TLS with certificates:


For your reference:

NPS as a RADIUS Server and Proxy



Marcus-9726 answered:

Hi @CandyLuo-MSFT ,

For the third point I'm a bit confused, as it states I must use a RADIUS proxy for authentication across forests if they consist of Windows Server 2008 and Windows Server 2003 domains. If my domain/forest functional level is 2008 R2 or 2012, do I need the RADIUS proxy as well?


Yes, no matter the functional level, you still need to use RADIUS proxy servers that forward authentication requests to the appropriate forest, even when the forests have a two-way, transitive trust relationship.

The reason is that without a RADIUS proxy, the SPN (Service Principal Name) lookup in AD does not work. When the NPS server receives the computer identity, it is in the form of an SPN (host/ComputerName.DNSDomainName). The NPS server passes the SPN to the local global catalog. If the global catalog is unable to match the SPN to a local domain account, it fails the request with a "No Valid Account Found" error condition.


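The SPN lookup described in the comment above can be reproduced from PowerShell. The following is an added example, not code from the thread or from Microsoft: it runs the same kind of global-catalog query NPS performs for a computer identity against one forest's GC and shows which identities from the other forests go unresolved. Forest and host names are hypothetical.

```powershell
# Added example (not from the thread): reproduce the global-catalog SPN lookup that NPS
# performs for a computer identity, to see which identities one forest can resolve.
# Forest and host names are hypothetical; run from a domain-joined machine.

function Get-ForestGcSearcher {
    # Returns a DirectorySearcher rooted at a global catalog of the given forest
    # (or of the current machine's forest when no name is given).
    param([string]$ForestName)
    $forest = if ($ForestName) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestName)
        [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    } else {
        [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }
    $forest.FindGlobalCatalog().GetDirectorySearcher()
}

function ConvertTo-LdapFilterValue {
    # Escape the characters with special meaning in an LDAP filter (RFC 4515).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-NpsSpnLookup {
    # Mimics the NPS step: take the identity as received (host/ComputerName.DNSDomainName)
    # and ask the forest's global catalog for an account carrying that SPN.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$ForestName
    )
    $searcher = Get-ForestGcSearcher -ForestName $ForestName
    $searcher.Filter = "(servicePrincipalName={0})" -f (ConvertTo-LdapFilterValue $Identity)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))
    $hit = $searcher.FindOne()
    [pscustomobject]@{
        Identity = $Identity
        Forest   = if ($ForestName) { $ForestName } else { '(current)' }
        Found    = [bool]$hit
        Account  = if ($hit) { [string]$hit.Properties['samaccountname'][0] } else { $null }
        DN       = if ($hit) { [string]$hit.Properties['distinguishedname'][0] } else { $null }
    }
}

# Constructed sample identities, one computer per forest, all looked up in abc.com's GC.
$Identities = 'host/pc1.abc.com', 'host/pc1.abc.local', 'host/pc1.abc.xyz', 'host/pc1.abc.io'
$Results = $Identities | ForEach-Object { Test-NpsSpnLookup -Identity $_ -ForestName 'abc.com' }
$Results | Format-Table -AutoSize

# Anything with Found = False is exactly the case that makes a single NPS server answer
# "No Valid Account Found": a GC only holds objects from its own forest, trust or not.
$Results | Where-Object { -not $_.Found } | ForEach-Object {
    Write-Warning "$($_.Identity) not resolvable in $($_.Forest); forward it to that forest's NPS instead"
}
```

Passing a different `-ForestName` (for example abc.local) shows the mirror image: that forest's GC resolves its own computers and nothing else, which is why each forest needs a proxy that knows where to send its requests.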

In that case I would have to deploy it as below?

  1. One NPS RADIUS server in the abc.com forest

  2. Import CA certs to the RADIUS server from every forest CA (e.g. nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io)

  3. Add all RADIUS clients and create 4 network policies with each CA certs

  4. Setup one NPS RADIUS proxy (Where should we place this server? Can it be on the same subnet/forest as NPS RADIUS server? )


Thank you.


The best recommended configuration for the cross-forest/domain authentication scenario is to configure an NPS proxy in each individual forest, which helps to authenticate users successfully.
I will send you the detailed steps tomorrow.




CandyLuo-MSFT answered:

Hi @Marcus-9726,

For certificate authentication, you need to configure 4 NPS servers, one for each forest:

  • One NPS RADIUS server in the abc.com forest; import CA certs to the RADIUS server from every forest CA (e.g. nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io), add all RADIUS clients and create 4 network policies, each with its own CA cert.

  • One NPS both act as a RADIUS server and a RADIUS proxy in the abc.local, one network policy for own domain.

  • One NPS both act as a RADIUS server and a RADIUS proxy in the abc.xyz, one network policy for own domain.

  • One NPS both act as a RADIUS server and a RADIUS proxy in the abc.io, one network policy for own domain.

For how to configure NPS proxy:

Use NPS proxy and rely on the realm name to forward the RADIUS request to the right NPS server (the one that belongs to abc.com).

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-realm-names

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy

What needs to be configured on NPS:

  • Create a Remote RADIUS Server Group containing the NPS server for the abc.com domain.

  • Create a new Connection Request Policy.

  • Condition: match the realm in the username with the format *@domain.com (e.g. *@abc.local).

  • Authentication is forwarded to the Remote RADIUS Server Group created above.

Best Regards,
Candy



Hi @CandyLuo-MSFT ,

Thanks for the detailed steps. Just wondering, is it necessary to configure NPS as a RADIUS server in each forest? I thought we would just need 1 NPS RADIUS server and the others should be NPS proxies?

CandyLuo-MSFT answered:

Hi,

Just wondering is it necessary to configure NPS as RADIUS server on each forests? I thought we would just need 1 NPS RADIUS server and the other should be NPS Proxy?

Yes, one NPS RADIUS server with the others as NPS proxies is enough. I need to correct one thing: don't add all RADIUS clients to the NPS RADIUS server in the abc.com forest. The configuration should be as below:

  • One NPS RADIUS server in the abc.com forest; import CA certs to the RADIUS server from every forest CA (e.g. nps1.abc.com, nps1.abc.local, nps1.abc.xyz, nps1.abc.io) and create 4 network policies, each with its own CA cert.

  • One RADIUS proxy in the abc.local forest, add radius client from own domain.

  • One RADIUS proxy in the abc.xyz forest, add radius client from own domain.

  • One RADIUS proxy in the abc.io forest, add radius client from own domain.

Best Regards,
Candy

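The proxy procedure in the earlier answer (remote RADIUS server group, connection request policy on the realm, forward to the group) and the corrected layout above (RADIUS clients only on each forest's proxy, the proxies themselves registered on the central server) can be scripted. The following is an added example written for this page, not Microsoft's or the thread's code: host names, addresses and secrets are placeholders, and the parameter names of New-NpsRemoteRadiusServer plus the netsh attribute IDs are assumptions to confirm on your build, as the comments note.

```powershell
# Added example (not from the thread): script the per-forest NPS proxy described above and the
# matching RADIUS-client entries on the single central NPS server. Host names, addresses and
# secrets are hypothetical. Run elevated on a server with the NPS role installed:
#   .\Set-NpsMultiForest.ps1 -Role Proxy     (on the proxy in abc.local, abc.xyz or abc.io)
#   .\Set-NpsMultiForest.ps1 -Role Central   (on nps1.abc.com)
# Assumptions to verify on your build: the parameter names of New-NpsRemoteRadiusServer
# (Get-Command New-NpsRemoteRadiusServer -Syntax) and the netsh nps attribute IDs 0x1 (User-Name),
# 0x1025 (Auth-Provider-Type) and 0x1026 (Auth-Provider-Name), which are as they appear in a
# "netsh nps dump" of an existing server. The per-forest network policies on the central server
# have no cmdlet and are still created in the NPS console.
param([Parameter(Mandatory)][ValidateSet('Proxy', 'Central')][string]$Role)

Import-Module NPS

function New-NpsForestProxyConfig {
    # Runs on the proxy inside a member forest: accepts that forest's RADIUS clients and forwards
    # every request whose identity belongs to the forest to the central server.
    param(
        [Parameter(Mandatory)][string]$Forest,        # e.g. abc.local
        [Parameter(Mandatory)][string]$CentralNps,    # e.g. nps1.abc.com
        [Parameter(Mandatory)][hashtable]$Clients,    # name -> IP of this forest's NAS devices
        [Parameter(Mandatory)][string]$ClientSecret,
        [Parameter(Mandatory)][string]$ProxySecret    # must match the client entry on $CentralNps
    )
    $group  = "$Forest to abc.com NPS"
    $policy = "Forward $Forest identities"

    foreach ($name in $Clients.Keys) {
        New-NpsRadiusClient -Name $name -Address $Clients[$name] -SharedSecret $ClientSecret
    }

    New-NpsRemoteRadiusServerGroup -Name $group
    New-NpsRemoteRadiusServer -RemoteServerGroup $group -Address $CentralNps `
        -AuthenticationPort 1812 -AccountingPort 1813 `
        -AuthSharedSecret $ProxySecret -AcctSharedSecret $ProxySecret

    # Connection request policy: no cmdlet exists, so netsh nps via a script file.
    # Condition 0x1 = User-Name as a regular expression. Two identity shapes arrive from PEAP:
    #   user@abc.local       user realm
    #   host/pc1.abc.local   computer identity, the SPN form discussed earlier in the thread
    # processingorder 1 puts it ahead of the default local-authentication policy (999999).
    $realm   = [regex]::Escape($Forest)
    $pattern = '(@{0}$)|(^host/.*\.{0}$)' -f $realm
    $script  = @"
pushd nps
add crp name="$policy" state="ENABLE" processingorder="1" policysource="0"
set crp name="$policy" conditionid="0x1" conditiondata="$pattern"
set crp name="$policy" profileid="0x1025" profiledata="0x2"
set crp name="$policy" profileid="0x1026" profiledata="$group"
popd
"@
    $path = Join-Path $env:TEMP 'nps-forward-crp.txt'
    Set-Content -Path $path -Value $script -Encoding ASCII
    netsh -f $path
    Remove-Item $path
}

function Register-NpsForestProxy {
    # Runs on the central server: each forest proxy is a RADIUS client here. The NAS devices
    # in the other forests are deliberately not added; they talk only to their own proxy.
    param([Parameter(Mandatory)][hashtable]$Proxies)   # name -> IP
    foreach ($name in $Proxies.Keys) {
        $secret = Read-Host -Prompt "Shared secret for $name"
        New-NpsRadiusClient -Name $name -Address $Proxies[$name] -SharedSecret $secret
    }
}

switch ($Role) {
    'Proxy' {
        New-NpsForestProxyConfig -Forest 'abc.local' -CentralNps 'nps1.abc.com' `
            -Clients @{ 'wlc1.abc.local' = '10.20.0.5' } `
            -ClientSecret (Read-Host -Prompt 'Secret for abc.local RADIUS clients') `
            -ProxySecret  (Read-Host -Prompt 'Secret shared with nps1.abc.com')
    }
    'Central' {
        Register-NpsForestProxy -Proxies @{
            'nps-proxy.abc.local' = '10.20.0.10'
            'nps-proxy.abc.xyz'   = '10.30.0.10'
            'nps-proxy.abc.io'    = '10.40.0.10'
        }
    }
}
```

No network policy is created on the proxy, which matches the reply above. RADIUS between a proxy and the central server is protected only by the shared secret, so give each proxy its own long random secret. This connection request policy forwards authentication only; if the central server is also meant to collect accounting, add the matching accounting-provider settings to the same policy.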

Hi @CandyLuo-MSFT ,

Just two last questions: on the NPS proxy, do we need to configure a network policy? As I understand it we don't have to create a network policy on an NPS proxy, so in this case we just have to add the RADIUS clients from each forest into the respective NPS proxy, right? Please correct me if I'm wrong.

Other than adding an NPS proxy in each forest, is there any other way to achieve the deployment without an NPS proxy? I've come across this discussion and it mentioned configuring a "Selective Authentication Trust"; is this feasible for two-way trusts as well?

Thank you.

  1. YES. You don't need to configure a network policy. If you want to use one NPS server across multiple forests, then you need an NPS proxy to forward the RADIUS requests to that NPS server.

  2. As far as I know, for certificate authentication, you must have an NPS proxy.

In fact, there is no official Microsoft document describing the detailed deployment of NPS across multiple forests. The above conclusions are based on our experience, discussion with my colleagues and some internal resources.

If you want to learn more details, you might consider opening an Advisory case to our Premier support team, they will have more resource to answer your question in detailed information.

For more information about our Premier support, please check the following link:

https://www.microsoft.com/en-us/microsoftservices/support.aspx

Hope this can help with you.


Hi Candy,

Noted on the information given and thanks a lot for your kind assistance:)

Thank you.
