NPS: Default Domain

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use this registry setting to provide Network Policy Server (NPS) with a domain name for use during the authentication and authorization of connection requests.

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Configuring the Default Domain Name

While processing connection requests, NPS examines the User-Name portion of the Access-Request message to determine whether a domain name has been specified. If a domain name is specified and NPS is configured to access the user accounts database in the designated domain, NPS proceeds with processing the connection request.

Note

Some network access servers delete or modify the domain name as specified by the user. As a result, the network access request is authenticated against the default domain, which might not be the domain for the user account. To resolve this problem, configure your Remote Authentication Dial-In User Service (RADIUS) servers to change the user name into the correct format with the accurate domain name.

When NPS cannot properly parse the domain identity from the user name attribute in the connection request or the user name does not contain a domain, NPS takes the following actions:

  1. If the NPS server is not a member of a domain, NPS authenticates the user against the local Security Accounts Manager (SAM) database.

  2. If the NPS server is a member of a domain, NPS checks the DefaultDomain registry entry. If a value is specified for DefaultDomain, NPS authenticates the user against the domain specified in the registry entry.

  3. If the NPS server is a member of a domain and a value for the DefaultDomain registry entry is not specified, NPS authenticates the user against the domain to which the NPS server is joined.

Creating the DefaultDomain Registry Key

You must create the new registry key at the following path.

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn

To specify the NPS-supplied domain

By default, the NPS-supplied domain name is the domain of which the NPS server is a member. You can specify a different NPS-supplied domain by browsing to the registry path in Registry Editor and then adding a new key named DefaultDomain. Next, add a new string value to DefaultDomain that is the domain name you require.
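
A read-only PowerShell check, added here as an example and not Microsoft's code, that reads the registry path above and reports which of the three fallback rules applies on the server it runs on. The function name Get-NpsFallbackDatabase is hypothetical, and the lookup of a string value named DefaultDomain directly under the path (in addition to the DefaultDomain key this page describes) is an assumption.

```powershell
# Added example: read-only audit, nothing is written to the registry.
$BuiltIn = 'HKLM:\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn'

function Get-NpsFallbackDatabase {   # hypothetical helper name
    param([string]$Path = $BuiltIn)

    $found = @()

    # Layout as described on this page: a key named DefaultDomain holding a string value.
    $subKey = Join-Path $Path 'DefaultDomain'
    if (Test-Path -LiteralPath $subKey) {
        $key = Get-Item -LiteralPath $subKey
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq 'String') { $found += [string]$key.GetValue($name) }
        }
    }

    # Assumption: also accept a string value named DefaultDomain directly under the path.
    if (Test-Path -LiteralPath $Path) {
        $direct = Get-ItemProperty -LiteralPath $Path -Name DefaultDomain -ErrorAction SilentlyContinue
        if ($direct) { $found += [string]$direct.DefaultDomain }
    }

    # Ignore empty strings: an empty entry counts as "no value specified".
    $found = @($found | Where-Object { $_ -and $_.Trim() } | Select-Object -Unique)

    # Domain membership of this server decides between rule 1 and rules 2-3.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $joined = $null
    if ($cs.PartOfDomain) { $joined = $cs.Domain }

    if (-not $cs.PartOfDomain) {
        $rule = 1; $target = 'Local SAM database'
    } elseif ($found.Count -gt 0) {
        $rule = 2; $target = $found -join ', '
    } else {
        $rule = 3; $target = $joined
    }

    New-Object PSObject -Property @{
        Rule           = $rule                 # numbered as in the list above
        FallbackTarget = $target               # where domainless user names are authenticated
        DefaultDomain  = $found -join ', '     # what the registry currently holds
        JoinedDomain   = $joined
        Ambiguous      = ($found.Count -gt 1)  # more than one candidate value found
    }
}

Get-NpsFallbackDatabase | Format-List
```

Comparing DefaultDomain with JoinedDomain by eye is deliberate: the two may be written in different name forms, so the script reports both rather than deciding whether they match.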