NPS Events and Event Viewer

Applies To: Windows Server 2008

Using the event logs in Event Viewer, you can monitor Network Policy Server (NPS) errors and other events that you configure NPS to record.

NPS records connection request failure events in the System and Security event logs by default. Connection request failure events consist of requests that are rejected or discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log.

Connection request failure events

Although NPS records connection request failure events by default, you can change the configuration according to your logging needs.

Connection requests are rejected or ignored for a variety of reasons, including the following:

  • The RADIUS message is not formatted according to RFCs 2865 or 2866.

  • The RADIUS client is unknown.

  • The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS.

  • The shared secret is invalid.

  • The message authenticator (also known as a digital signature) sent by the client is invalid.

  • NPS was unable to locate the user name's domain.

  • NPS was unable to connect to the user name's domain.

  • NPS was unable to access the user account in the domain.

When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the first matching network policy, the reason for the rejection, and other information.

Connection request success events

Although NPS records connection request success events by default, you can change the configuration according to your logging needs.

When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy.

Warning

Logging connection request successes can result in the recording of large volumes of data. If you choose to log successful connection request events, use event logging options in Event Viewer to manage the Event Viewer logs.

Logging Schannel events

Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication through encryption.

Logging of client certificate validation failures is a secure channel event, and is not enabled on the server running NPS by default. You can enable additional secure channel events by changing the following registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging

Warning

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
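
The following PowerShell sketch is an added example, not part of the original documentation. It backs up the SCHANNEL key, sets EventLogging to 3, and confirms the result; the backup file location is an assumption, and the script is meant to be run from an elevated prompt on the server running NPS.

```powershell
# Added example: enable additional Schannel event logging (EventLogging 1 -> 3).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$nativeKey = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName = 'EventLogging'
$desired   = 3

# Assumption: backup file location; use any path you control.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "schannel-backup-$stamp.reg"

# Read the current setting; the value may be absent on some systems.
$current = $null
$prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($prop) { $current = $prop.$valueName }
Write-Output "Current $valueName value: $current"

if ($current -eq $desired) {
    Write-Output 'Already set to 3; no change made.'
    return
}

# Export the key before editing so the change can be rolled back
# by importing the .reg file.
& reg.exe export $nativeKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $nativeKey failed; registry left unchanged."
}
Write-Output "Backup written to $backup"

# Write the value as REG_DWORD; -Force overwrites an existing value.
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
    -Value $desired -Force | Out-Null

# Confirm the change took effect.
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($after -ne $desired) {
    throw "Expected $valueName = $desired but found $after."
}
Write-Output "$valueName is now $after."
```

To revert, import the exported .reg file or set the value back to 1.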