Re: Windows using domain\machinename$ during Computer Authentication

In case anyone else is still following this topic - additional behavior I've noticed with Windows 8.1/10 and the format of the computer authentication.

 

This is specific to a profile set to "User or computer authentication" with the native Windows supplicant on an 802.1X WPA2-Enterprise PEAP-MSCHAPv2 SSID. If a user interactively brings up the Wi-Fi taskbar on the logon screen, selects the corporate SSID, and clicks "Connect" manually, then the laptop will attempt to authenticate as "Domain\MachineName$". If the Wi-Fi is "toggled" or it attempts to connect automatically ("connect automatically" setting) without user interaction with the "Connect" button, the laptop will attempt to authenticate as "host/FQDN-MachineName".

Occasional Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

I am having the same problem. Did you ever find a solution?

Brett W.
K-12

Re: Windows using domain\machinename$ during Computer Authentication


@brettmwill wrote:

I am having the same problem. Did you ever find a solution?


If referring to me: I unfortunately was not able to find the solution. I've been meaning to finally sit down and open a ticket with Microsoft concerning this behavior. I had a lengthy discussion with people on the TechNet forums, who agreed the "samAccountName" is only for legacy purposes. They informed me last year that in their test lab they couldn't reproduce the specific behavior I was reproducing. I'm hoping to get some time once our third engineer returns and open a ticket with Microsoft, which bore fruit last time concerning the "Duplicate Profile" issue I discovered last year.

 

https://social.technet.microsoft.com/Forums/en-US/da7c5e3d-b974-4f95-852e-09f7333cfa1c/retriggering-computer-authentication-without-restart?forum=win10itpronetworking

Occasional Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

We're facing the same problem.

 

We're using Windows 10 versions 1709 and 1803. I configured the wireless network profile manually, so no GPOs were involved.

We use EAP-TTLS with EAP-MsChapV2 and windows logon credentials.

The reason we use EAP-TTLS is because we need to use a specific realm in the outer identity and this can't be configured in EAP-PEAP.

 

The settings we used are as follows:

In the Security tab:

WPA2-Enterprise, AES, Microsoft: EAP-TTLS, tagged remember my credentials

EAP-TTLS Settings:

tagged enable identity privacy: anonymous@realm.tld, connect to these servers: radius.domain.tld, tagged only the correct CA, untagged don't prompt user, Eap method for authentication: EAP-MSCHAP v2.

EAP MSCHAPv2 properties:

tagged automatically use my windows logon name

Advanced Security settings:

tagged specify authentication mode: User or computer authentication, untagged delete credentials, tagged enable single sign on, selected after user logon, maximum delay: 10 seconds, tagged allow dialogs, tagged this network uses separate vlans

 

We reproduced the problem as follows:

- turn on the computer and it will successfully authenticate as host/computer.fqdn

- log on as user and domain\user will successfully authenticate

- disconnect the wireless network and log out from the computer

- at the logon screen connect to the wireless network again.

- It will now unsuccessfully try to authenticate as domain\computername$.

 

We haven't found a solution as of yet, but are keen to find one.

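Added example (mine, not from anyone in this thread): since the client-side behaviour described above has no fix yet, the lever an operator still has is the RADIUS side. The code below shows how to treat the two identities the supplicant sends, `host/fqdn` and `DOMAIN\machinename$`, as the same computer account so that the manual connect at the logon screen no longer fails, and it runs a small detector over RADIUS-style log lines to find clients that are hitting the problem. The directory entries (`COMPUTERS`, `CORP`, `corp.example.com`) and the log format in `SAMPLE_LOG` are constructed for the example and are not from the thread; in a real deployment the dictionary lookup would be an LDAP query on sAMAccountName / dNSHostName. Python is used here because the logic lives on the RADIUS/authentication side rather than on the Windows client.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory (assumption, not from the thread): computer accounts
# keyed by sAMAccountName without the trailing "$".
NETBIOS_DOMAIN = "CORP"
DNS_DOMAIN = "corp.example.com"
COMPUTERS = {
    "LAPTOP01": {"dns_hostname": "laptop01.corp.example.com"},
    "LAPTOP02": {"dns_hostname": "laptop02.corp.example.com"},
}


@dataclass(frozen=True)
class MachineIdentity:
    form: str              # "spn" for host/fqdn, "sam" for DOMAIN\name$
    sam_account_name: str  # e.g. "LAPTOP01$"
    dns_hostname: str      # e.g. "laptop01.corp.example.com"


# host/<fqdn>  (the form sent on automatic connect)
SPN_RE = re.compile(r"^host/(?P<fqdn>[A-Za-z0-9][A-Za-z0-9.-]*)$", re.IGNORECASE)
# [DOMAIN\]<name>$  (the form sent on a manual connect at the logon screen)
SAM_RE = re.compile(r"^(?:(?P<dom>[^\\/@]+)\\)?(?P<name>[^\\/@]+)\$$")


def parse_machine_identity(user_name: str) -> Optional[MachineIdentity]:
    """Recognise either machine-identity form; return None for user logons."""
    m = SPN_RE.match(user_name)
    if m:
        fqdn = m.group("fqdn").lower()
        short = fqdn.split(".")[0].upper()
        return MachineIdentity("spn", short + "$", fqdn)
    m = SAM_RE.match(user_name)
    if m:
        dom = (m.group("dom") or NETBIOS_DOMAIN).upper()
        if dom != NETBIOS_DOMAIN:        # not our domain: do not guess
            return None
        short = m.group("name").upper()
        return MachineIdentity("sam", short + "$", f"{short.lower()}.{DNS_DOMAIN}")
    return None


def resolve_computer(user_name: str) -> Optional[str]:
    """Map either identity form to the sAMAccountName of the computer object.

    Only the lookup is normalised; the MSCHAPv2 proof of the machine password
    is still verified by the RADIUS server against that same account.
    """
    ident = parse_machine_identity(user_name)
    if ident is None:
        return None
    acct = COMPUTERS.get(ident.sam_account_name[:-1])
    if acct is None:
        return None
    # In the SPN form the FQDN presented must match the account's dNSHostName,
    # otherwise a renamed or spoofed host name would silently map to an account.
    if ident.form == "spn" and ident.dns_hostname != acct["dns_hostname"]:
        return None
    return ident.sam_account_name


# Constructed RADIUS-style log excerpt (format is an assumption for the example).
SAMPLE_LOG = """\
2019-03-04T08:01:12Z radius: Access-Accept user="host/laptop01.corp.example.com" nas=ap-12 ssid=CORP
2019-03-04T08:03:40Z radius: Access-Accept user="CORP\\jdoe" nas=ap-12 ssid=CORP
2019-03-04T08:10:05Z radius: Access-Reject user="CORP\\LAPTOP01$" nas=ap-12 ssid=CORP reason="user not found"
2019-03-04T08:11:09Z radius: Access-Reject user="CORP\\LAPTOP03$" nas=ap-07 ssid=CORP reason="user not found"
"""
LOG_RE = re.compile(r'^(?P<ts>\S+) radius: (?P<result>Access-\w+) user="(?P<user>[^"]+)"')


def find_sam_form_machine_rejects(log_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Flag rejected machine authentications that used the DOMAIN\\name$ form.

    Each hit is (timestamp, identity as sent, account it would resolve to, or
    None if no such computer object exists).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ident = parse_machine_identity(m.group("user"))
        if ident and ident.form == "sam" and m.group("result") == "Access-Reject":
            hits.append((m.group("ts"), m.group("user"), resolve_computer(m.group("user"))))
    return hits


if __name__ == "__main__":
    for user in ("host/laptop01.corp.example.com", "CORP\\LAPTOP01$", "CORP\\jdoe"):
        print(f"{user:40} -> {resolve_computer(user)}")
    for hit in find_sam_form_machine_rejects(SAMPLE_LOG):
        print("sam-form machine reject:", hit)
```

The two rejects in the sample differ in a way worth acting on: `CORP\LAPTOP01$` resolves to an existing computer object, so the failure is the identity-format problem this thread describes and the server-side normalisation would have accepted it; `CORP\LAPTOP03$` resolves to nothing and needs a separate look. The domain check in `parse_machine_identity` and the dNSHostName comparison in `resolve_computer` are what keep the normalisation from widening who can authenticate as a machine.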
Occasional Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

An update:

All you need to do to recreate the problem is go to the log on screen.

If the windows 10 client automatically connects it will use host/machine.fqdn.

If you connect the client manually it will use domain\machinename$.

 

Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Same here.

We deployed both wired and wireless profiles via GPO, with the same settings. Wired always uses host/fqdn; a manual wireless connection at the logon screen always fails because netbiosname\hostname$ fails to authenticate. Exactly as described above.

All computers are Windows 10 up to date.

 

Anybody had luck with Microsoft support tickets? Pushing the registry value of the servicePrincipalName (as described here) via GPO is quite challenging.

 

Occasional Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Well, you could set the value of szName in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 with a GPO to the servicePrincipalName with something like host/%COMPUTERNAME%.%USERDOMAIN%, but the problem is that the value is overwritten before it can be used to manually authenticate to the SSID.

Re: Windows using domain\machinename$ during Computer Authentication

Taking another crack at this again at TechNet finally. I'm curious what the difference is between their lab environment, the original poster's, and everyone else's. TechNet and the OP couldn't reproduce this problem in their environment, but several other folks are.

jjm
New Contributor

Re: Windows using domain\machinename$ during Computer Authentication

Has anyone found a solution to this yet? Currently running into the same situation in my environment. Been searching the web trying to solve it myself before having to call support...

Occasional Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

I haven't found a solution yet. I also found out that "Wired AutoConfig" 802.1x authentication reacts in the same way, so it's not only the wireless stack that suffers from this issue.
