NPS Reason Codes 258 Through 282

Applies To: Windows Server 2008, Windows Server 2008 R2

Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning.

Note

There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47.

Following are some of the reason codes provided by NPS.

Reason code Description

258

NPS cannot access the certificate revocation list to verify whether the user or client computer certificate is valid or is revoked. Because of this, authentication failed.

259

The certification authority that manages the certificate revocation list is not available. NPS cannot verify whether the certificate is valid or is revoked. Because of this, authentication failed.

260

The Extensible Authentication Protocol (EAP) message has been altered so that the Message Digest 5 (MD5) hash of the entire Remote Authentication Dial-In User Service (RADIUS) message does not match, or the message has been altered at the Schannel level.

261

NPS cannot contact Active Directory Domain Services (AD DS) or the local user accounts database to perform authentication and authorization. The connection request is denied for this reason.

262

NPS discarded the RADIUS message because it is incomplete and the signature was not verified.

263

NPS did not receive complete credentials from the user or computer. The connection request is denied for this reason.

264

The Security Support Provider Interface (SSPI) called by EAP reports that the system clocks on the NPS server and the access client are not synchronized.

265

The certificate that the user or client computer provided to NPS as proof of identity chains to an enterprise root certification authority that is not trusted by the NPS server.

266

NPS received a message that was either unexpected or incorrectly formatted. NPS discarded the message for this reason.

267

The certificate provided by the connecting user or computer is not valid because it is not configured with the Client Authentication purpose in Application Policies or Enhanced Key Usage (EKU) extensions. NPS rejected the connection request for this reason.

268

The certificate provided by the connecting user or computer is expired. NPS rejected the connection request for this reason.

269

The Security Support Provider Interface (SSPI) called by EAP reports that the NPS server and the access client cannot communicate because they do not possess a common algorithm.

270

Based on the matching NPS network policy, the user is required to log on with a smart card, but they have attempted to log on by using other credentials. NPS rejected the connection request for this reason.

271

The connection request was not processed because the NPS server was in the process of shutting down or restarting when it received the request.

272

The certificate that the user or client computer provided to NPS as proof of identity maps to multiple user or computer accounts rather than one account. NPS rejected the connection request for this reason.

273

Authentication failed. NPS called Windows Trust Verification Services, and the trust provider is not recognized on this computer. A trust provider is a software module that implements the algorithm for application-specific policies regarding trust.

274

Authentication failed. NPS called Windows Trust Verification Services, and the trust provider does not support the specified action. Each trust provider provides its own unique set of action identifiers. For information about the action identifiers supported by a trust provider, see the documentation for that trust provider.

275

Authentication failed. NPS called Windows Trust Verification Services, and the trust provider does not support the specified form. A trust provider is a software module that implements the algorithm for application-specific policies regarding trust. Trust providers support subject forms that describe where the trust information is located and what trust actions to take regarding the subject.

276

Authentication failed. NPS called Windows Trust Verification Services, but the binary file that calls EAP cannot be verified and is not trusted.

277

Authentication failed. NPS called Windows Trust Verification Services, but the binary file that calls EAP is not signed, or the signer certificate cannot be found.

278

Authentication failed. The certificate that was provided by the connecting user or computer is expired.

279

Authentication failed. The certificate is not valid because the validity periods of certificates in the chain do not match. For example, the following End Certificate and Issuer Certificate validity periods do not match: End Certificate validity period: 2007-2010; Issuer Certificate validity period: 2006-2008.

280

Authentication failed. The certificate is not valid and was not issued by a valid certification authority (CA).

281

Authentication failed. The path length constraint in the certification chain has been exceeded. This constraint restricts the maximum number of CA certificates that can follow this certificate in the certificate chain.

282

Authentication failed. The certificate contains a critical extension that is unrecognized by NPS.