Access Request Was Denied

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem typically occurs when:

  • The client access request does not match a connection request policy or a network policy.

  • The network access request matches a policy that is configured to deny access.

  • For the 802.1X enforcement or VPN enforcement methods, the connection request policy is incorrectly configured.

Description of system behavior

The behavior of NAP client computers that are denied network access will depend on the type of NAP enforcement method used.

  • With IPsec enforcement, client computers will not be issued a NAP health certificate.

  • With 802.1X enforcement, client computers will fail 802.1X authentication and might have guest access properties applied to the connection.

  • With VPN enforcement, the VPN connection will be terminated.

  • With DHCP enforcement, the client computer will not acquire a DHCP-issued IP address configuration.

Associated operating system events

  • NPS event ID 6273: The Network Policy Server denied access to a user.

Root cause diagnosis and resolution

There are several possible issues that can cause Network Policy Server (NPS) to deny access to a user. For a list of reason codes associated with NPS event 6273, see NPS Reason Codes (https://go.microsoft.com/fwlink/?LinkID=136640).
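The following PowerShell script is an added example, not part of the original article, that pulls recent NPS event 6273 entries from the Security log and groups the denials by reason and matched policy, which is usually the fastest way to tell which of the three causes below applies. It assumes NPS auditing writes 6273 to the Security log and that the event message contains the "Connection Request Policy Name:", "Network Policy Name:", "Reason Code:" and "Reason:" lines shown in Event Viewer; the field parsing and the cause mapping are heuristics, not an NPS API.

```powershell
# Added example: summarize NPS event 6273 (access denied) by reason and matched policy.
# Assumption: NPS audit events are in the Security log and the message text carries
# labelled lines such as "Reason Code:" and "Reason:" (parsed with regex, not an API).
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No NPS 6273 events in the last $Hours hours."; return }

# Pull the value of a labelled line ("Label:<tabs>value") out of the event message.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$rows = foreach ($e in $events) {
    $reason    = Get-MessageField $e.Message 'Reason'
    $netPolicy = Get-MessageField $e.Message 'Network Policy Name'
    # Heuristic mapping onto the causes described in this article (string matching only).
    $cause = 'Other (look up the reason code in NPS Reason Codes)'
    if ($reason -match 'did not match any configured (connection request|network) policy') {
        $cause = 'No policies are matched'
    } elseif ($reason -match 'authentication method that is not enabled on the matching network policy') {
        $cause = 'Connection request policy missing Override network policy authentication settings'
    } elseif ($netPolicy -eq 'Connections to other access servers') {
        $cause = 'A policy denies access (default deny policy matched)'
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = Get-MessageField $e.Message 'Account Name'
        CRP        = Get-MessageField $e.Message 'Connection Request Policy Name'
        NetPolicy  = $netPolicy
        ReasonCode = Get-MessageField $e.Message 'Reason Code'
        Reason     = $reason
        Cause      = $cause
    }
}

# Denials grouped by reason, most frequent first, then the ten most recent individual denials.
$rows | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, @{n='Reason';e={$_.Group[0].Reason}}, @{n='Cause';e={$_.Group[0].Cause}} |
    Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Select-Object -First 10 |
    Format-Table Time, User, CRP, NetPolicy, ReasonCode -AutoSize
```

Run it on the NPS server as an administrator; if the Security log has no 6273 entries at all, confirm that NPS auditing is enabled before treating the absence as a good sign.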

No policies are matched

NPS processes a network access request by first attempting to find a matching connection request policy. If a connection request policy is matched, NPS then attempts to find a matching network policy. Network access is denied unless the request matches both a connection request policy and a network policy.

Resolution

To resolve this problem, you must understand why the client network access request failed to match a policy. The reasons can include a configuration problem on the client, a policy configuration problem, or both. One solution is to create additional policies at the bottom of the policy processing order that will match all network access requests. If the client matches this policy, then you can begin adding conditions to the policy until the client fails to match a condition. This allows you to identify the condition that is causing the client to be denied access to the network. Next, investigate why the client does not match this condition. If the client computer fails to match a network policy when you configure a health policy condition, check the client settings and verify that the NAP Agent service is running and the correct enforcement client is enabled and initialized.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. On the server running NPS, click Start, click Run, type nps.msc, and press ENTER.

  2. In the NPS console tree, open Policies\Connection Request Policies. Review the configuration and processing order of the connection request policy used to match NAP client access requests.

  3. In the NPS console tree, open Policies\Network Policies. Review the configuration and processing order of the network policy used to match NAP client access requests.

  4. If no errors are found in connection request policy or network policy configuration, check the status of NAP Agent on the client computer and confirm the enforcement client is enabled. For more information, see Review NAP client settings.

A policy denies access

If the client access request matches a default policy (for example, Connections to other access servers), access might be denied. By default, this policy is configured to deny network access.

Resolution

If the client access request matches a policy that is configured to deny access, then either the policy should not be configured to deny access, or the client should not match this policy. A noncompliant network policy can be mistakenly configured with an Access Permission setting of Deny Access. A correctly configured noncompliant network policy has an Access Permission setting of Grant Access. If you are using NAP with full enforcement, noncompliant NAP client computers receive restricted network access when you use a NAP Enforcement setting of Allow limited access.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. On a server running NPS, click Start, click Run, type nps.msc, and press ENTER.

  2. In the NPS console tree, open Policies\Network Policies. Right-click the name of your noncompliant NAP client network policy, and then click Properties.

  3. On the Overview tab, under Access Permission, select Grant access if the connection request matches this policy, and then click OK.

Incorrect connection request policy configuration

If you are using NAP with 802.1X enforcement or VPN enforcement, you must select Override network policy authentication settings when you configure connection request policy. If this setting is not configured, then client access requests will be denied with the following reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Resolution

When you use NAP with 802.1X enforcement or VPN enforcement, access requests must be authenticated in connection request policy.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. On a server running NPS, click Start, click Run, type nps.msc, and press ENTER.

  2. In the NPS console tree, open Policies\Connection Request Policies.

  3. Right-click the name of your NAP client connection request policy, and then click Properties.

  4. On the Settings tab, click Authentication methods.

  5. Select Override network policy authentication settings, and then click OK.