Windows 10 Credential Guard breaks WiFi

Recently, I ran into an issue with computers running Windows 10 that would not connect to our WPA2-Enterprise encrypted WiFi network.  When it failed to connect, there was no indication of why, only the message "Can't connect to this network."  The computers were able to connect to unencrypted networks and to networks using a pre-shared key for WPA encryption without issue.

Checking the event logs on the RADIUS server to see why the computer failed to connect, there was no log entry for a connection attempt from the affected system.  The WLAN-AutoConfig log on the client listed a couple of errors, including Event IDs 11006 and 12013, but other than showing that the failure reason was "Explicit EAP failure received", they didn't give much to go on:

Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
Source:        Microsoft-Windows-WLAN-AutoConfig
Date:          8/15/2016 1:11:20 PM
Event ID:      11006
Task Category: MsmSecurity
Level:         Error
Keywords:      (1024),(512)
User:          SYSTEM
Computer:      computer.domain.com
Description:
Wireless security failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Reason: Explicit Eap failure received
Error: 0x80070285

Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
Source:        Microsoft-Windows-WLAN-AutoConfig
Date:          8/15/2016 1:11:20 PM
Event ID:      12013
Task Category: OneXAuthentication
Level:         Error
Keywords:      (1024),(512)
User:          SYSTEM
Computer:      computer.domain.com
Description:
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Identity: host/computer.domain.com
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x80070285
EAP Reason: 0x285
EAP Root cause String: There was an internal authentication error.
EAP Error: 0x285

After spending significant time troubleshooting the issue, I found that it was caused by the new "Credential Guard" feature in Windows 10.  In the TechNet article documenting this new feature, there is a single line which explains why this was happening:
Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
As it turns out, our RADIUS server and the GPO which pushed our wireless settings out to clients were configured to use MS PEAP for authentication.  At first glance, that doesn't seem to conflict with the statement above, but the P in PEAP stands for Protected.  PEAP first creates an encrypted TLS tunnel, over which standard EAP authentication takes place.  The EAP communication travelling through that encrypted tunnel can be configured to use either "Secured Password (EAP-MSCHAP v2)" or "Smart Card or other Certificate".  You can guess which mine was using: the inner MS-CHAPv2 exchange is exactly what Credential Guard refuses to perform.

For a Credential Guard enabled computer to authenticate to a WPA2-Enterprise wireless network, the network must use certificate based authentication.  In my case, we already had the PKI in place, so it was a simple matter of configuring the RADIUS server to accept certificate based authentication and changing the Wireless Settings in our GPO to use a certificate for authentication instead of the Secured Password option.  After making these changes and connecting these clients to Ethernet to get a group policy update, they were able to successfully authenticate with and connect to the WPA2-Enterprise encrypted network. If you don't already have a Public Key Infrastructure (PKI) set up, this will require installing and configuring the Certificate Authority role on a Windows server and issuing certificates to users and/or computers.  (Ideally, configure computers to auto-enroll with the CA for computer certificates.)
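To confirm that a client is in the situation described above before touching the GPO, the following PowerShell (an added example, not part of the original post) reports whether Credential Guard is running and which EAP methods a saved wireless profile chains together.  It assumes an elevated prompt, the profile name CHC1 from the events above, and an arbitrary export folder; the numeric EAP type codes (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS) are the IANA-assigned values Windows writes into exported profiles.

```powershell
# Added example (not from the original post): detect the Credential Guard + PEAP/MS-CHAPv2
# combination that produces Event IDs 11006/12013. Run as Administrator.

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-WlanEapMethods {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [string]$ExportFolder = "$env:TEMP\wlanprofiles"   # assumed scratch folder
    )
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    # netsh writes <folder>\<interface>-<profile>.xml; the EAP configuration is included without key=clear.
    netsh wlan export profile name="$ProfileName" folder="$ExportFolder" | Out-Null
    $file = Get-ChildItem -Path $ExportFolder -Filter "*$ProfileName.xml" | Select-Object -First 1
    if (-not $file) { throw "Profile '$ProfileName' was not exported; check the name with 'netsh wlan show profiles'." }
    [xml]$xml = Get-Content -Path $file.FullName
    # Each EAP layer is an <Eap><Type>N</Type>...</Eap> element, outer tunnel first, inner method last.
    # local-name() sidesteps the different XML namespace each layer uses.
    $types = $xml.SelectNodes("//*[local-name()='Eap']/*[local-name()='Type']") |
             ForEach-Object { [int]$_.InnerText }
    return @($types)
}

$eapNames = @{ 13 = 'EAP-TLS (Smart Card or other Certificate)'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2 (Secured Password)' }
$chain = Get-WlanEapMethods -ProfileName 'CHC1'
$pretty = ($chain | ForEach-Object { if ($eapNames.ContainsKey($_)) { $eapNames[$_] } else { "EAP type $_" } }) -join ' -> '
"Profile CHC1 EAP chain: $pretty"

if ((Test-CredentialGuardRunning) -and ($chain -contains 26)) {
    "Credential Guard is running and the profile authenticates with MS-CHAPv2 inside PEAP; " +
    "expect 'Can't connect to this network' until the profile and RADIUS policy use certificate authentication."
} else {
    "No Credential Guard / MS-CHAPv2 conflict detected for this profile."
}
```

After the GPO change has been applied, re-running the script should show a chain ending in EAP-TLS (type 13) rather than EAP-MSCHAPv2 (type 26).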

When I was searching online for what could possibly cause my issue, searches for the error message and event details turned up nothing useful.  Any posts I found from others with similar errors turned out to be unrelated.  In the end, I did find a single page by Nigel Kemp documenting his experience with this issue, but only after I had already identified the likely culprit and searched specifically for "Credential Guard breaks Wifi".  Still, I was thankful to have the confirmation that I was on the right track.  I hope that by including the specific errors and events in this blog post, it will help others find the solution to this problem a little more easily.
