NPS Reason Codes 0 Through 37

Applies To: Windows Server 2008, Windows Server 2008 R2

Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning.

Note

There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47.

Following are some of the reason codes provided by NPS.

Reason Code Description

0

The connection request was successfully authenticated and authorized by Network Policy Server.

1

The connection request failed due to a Network Policy Server error.

2

There are insufficient access rights to process the request.

3

The Remote Authentication Dial-In User Service (RADIUS) Access-Request message that NPS received from the network access server was malformed.

4

The NPS server was unable to access the Active Directory Domain Services (AD DS) global catalog. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied.

5

The Network Policy Server was unable to connect to a domain controller in the domain where the user account is located. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied.

6

The NPS server is unavailable. This issue can occur if the NPS server is running low on or is out of random access memory (RAM). It can also occur if the NPS server fails to receive the name of a domain controller, if there is a problem with the Security Accounts Manager (SAM) database on the local computer, or in circumstances where there is a Windows NT directory service (NTDS) failure.

7

The domain that is specified in the User-Name attribute of the RADIUS message does not exist.

8

The user account that is specified in the User-Name attribute of the RADIUS message does not exist.

9

An Internet Authentication Service (IAS) extension dynamic link library (DLL) that is installed on the NPS server discarded the connection request.

10

An IAS extension dynamic link library (DLL) that is installed on the NPS server has failed and cannot perform its function.

16

Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect.

17

The user's attempt to change their password has failed.

18

The authentication method used by the client computer is not supported by Network Policy Server for this connection.

19

Challenge Handshake Authentication Protocol (CHAP) is being used as the authentication method for the connection request; however, CHAP is not configured to store a reversibly encrypted form of user passwords.

With CHAP, reversibly encrypted password storage is required. You can enable reversibly encrypted password storage per user account or for all accounts in a domain using Group Policy. To enable reversibly encrypted password storage for a user account, obtain the properties of a user account in AD DS, click the Account tab, and then select the Store password using reversible encryption check box.

To allow reversibly encrypted password storage for all user accounts in the domain, add the Group Policy Management Editor snap-in to the Microsoft Management Console (MMC) and enable the default domain policy setting Store password using reversible encryption at the following path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policies.

20

The client attempted to use LAN Manager authentication, which is not supported by Network Policy Server. To enable the use of LAN Manager authentication, see NPS: LAN Manager Authentication.

21

An IAS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

22

Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer.

23

An error occurred during Network Policy Server's use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors. By default, these log files are located at %windir%\System32\Logfiles.

32

NPS is joined to a workgroup and performs the authentication and authorization of connection requests using the local Security Accounts Manager database; however, the Access-Request message contains a domain user name. NPS does not have access to a domain user accounts database. The connection request was denied.

33

The user that is attempting to connect to the network must change their password.

34

The user account that is specified in the RADIUS Access-Request message is disabled.

35

The user account that is specified in the RADIUS Access-Request message is expired.

36

The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the Account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, obtain the user account properties in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, click the Account tab, and then click Unlock account.

37

According to AD DS user account logon hours, the user is not permitted to access the network on this day and time. To change the account logon hours, obtain the user account properties in the Active Directory Users and Computers snap-in, click the Account tab, and then click Logon Hours. In the Logon Hours dialog box, configure the days and times when the user is permitted to access the network.