Cross-Domain Authentication Issues with Network Policy Server (NPS)

Question

Cross-Domain Authentication Issues with Network Policy Server (NPS)

Avery Brennen 0

Two Active Directory domains (A and B) exist within a single forest with a two-way trust relationship. Each domain has its own Microsoft Network Policy Server (NPS) functioning as a RADIUS server. The goal is to enable users from Domain A to authenticate on network devices utilizing the NPS server in Domain B. Cross-domain authentication is failing, producing the error: “Authentication failed due to a user credentials mismatch. Either the username provided does not map to an existing user account, or the password was incorrect.”

This error arises in two configurations: (1) Domain B’s NPS querying Domain A directly for user credentials and (2) Domain B’s NPS forwarding requests to Domain A’s NPS (RADIUS proxy). Local-domain logins succeed; however, Domain A accounts are rejected on Domain B’s NPS, despite the established two-way trust.

The team has verified the following potential issues do not apply in this case, yet the problem persists, resulting in incorrect password messages and account lockouts. The NPS requests are indeed forwarded, with rejection logs visible on the receiving NPS server.

NPS Not Registered in the User’s Domain: Both NPS servers are confirmed to be registered.
Trust Authentication Settings: The trust is confirmed to be configured for Selective Authentication, allowing for explicit permissions for Domain B’s NPS to authenticate Domain A users.
Username Format/Realm Issues: The User-Name in the RADIUS request must correctly indicate the domain. Various login formats have been attempted (e.g., “DomainA\user” and “******@DomainA.com”) without success.
NPS Policy or Protocol Mismatch:
- From the NPS server in Domain A (acting as proxy receiver):
  - RADIUS Client: Client Friendly Name: DomainB-NPS1
    - Client IP Address: 10.X.X.3
      - Authentication Details: Connection Request Policy Name: Use Windows authentication for all users
        
        Network Policy Name: -
        
        Authentication Provider: Windows Authentication
        
        Server: DomainA-NPS1.local
        
        Authentication Type: PAP
        
        Reason Code: 16
        
        Reason: Authentication failed due to a user credentials mismatch.
RADIUS Proxy Configuration Issues (Scenario 2): Both NPS servers require appropriate configurations for forwarding requests, and policies need to be properly set to allow Domain A to utilize Domain B as a remote RADIUS server. This has also been done.

Further assistance from the Microsoft team is being sought due to the limited number of users encountering this specific issue.

1 answer

Your answer

Answer 1

Dear Avery Brennen,

Based on the information provided, it’s clear that the trust relationship is correctly configured with Selective Authentication, and both NPS servers are registered and forwarding requests as expected. The error message—“Authentication failed due to a user credentials mismatch”—suggests that while the RADIUS request is reaching Domain A’s NPS, the credentials are not being validated successfully.

Given that multiple username formats have been tested and local-domain logins are successful, we recommend verifying the following additional areas:

Ensure that Domain B’s NPS server has been explicitly granted the “Allowed to authenticate” permission on the Domain A user accounts or groups, as required under Selective Authentication.

Confirm that the authentication protocol (PAP) is supported and permitted for the user accounts in Domain A, especially if any conditional access or password policies are in place.

Review the Connection Request Policy and Network Policy configurations on both NPS servers to ensure they do not inadvertently filter or reject requests based on domain or authentication type.

We also suggest enabling detailed logging on both NPS servers and reviewing the Security Event Logs for any Kerberos or NTLM-related failures that may provide further insight.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Best regards,

Harry Phan

Avery Brennen 0 Reputation points

2025-08-28T21:03:29.34+00:00

I will be testing these step-by-step to see which one truly resolves the issue for me.

Thank you for reaching out with such a quick response! I attempted to allow the NPS server from Domain B to "Allow to authenticate" on my admin account in Domain A and I was still receiving a login failure.

Confirmed the only RADIUS server forwarding requests was the new server we have setup. I was hoping that would work, but I know there are a couple more things we can do.

Where is the location I can check these two?

Confirm that the authentication protocol (PAP) is supported and permitted for the user accounts in Domain A, especially if any conditional access or password policies are in place.

Review the Connection Request Policy and Network Policy configurations on both NPS servers to ensure they do not inadvertently filter or reject requests based on domain or authentication type.

The network policy we use has PAP, SPAP as an authentication method.

The Connection request policy that answers Domain Users has the following conditions:

Day and Time: 24/7

User Name DOMAIN \\*

I will admit when I attempted my login from the switch it was in this format DOMAIN\usercreds. Don't know if that matters but I know it is an important detail.

Share via

Cross-Domain Authentication Issues with Network Policy Server (NPS)

1 answer

Your answer