Share via

NPS EAP-TLS machine authentication fails, but user certificate authentication works

mmuser-9331 0 Reputation points
2026-04-03T22:28:01.99+00:00

Does anyone have any suggestions? Thank you!

NPS deny reason code 16 using computer certificate(EAP-TLS)

  1. Windows 11 24H2 client
  2. Aruba AP/controller
  3. NPS on Windows Server
  4. PEAP works
  5. user cert works
  6. computer cert fails
  7. machine cert is in Local Computer\Personal
  8. client sends TLS alert, then EAP failure
  9. NPS deny shows Reason Code 16
  10. computer cert matches template on subject, SAN, EKU, key usage, private key
Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. HLBui 4,945 Reputation points Independent Advisor
    2026-04-07T08:19:41.0866667+00:00

    Good day mmuser

    If you’ve already double‑checked all the settings then the next place I’d dig is into the trust chain validation and the way NPS is handling machine auth specifically. Even when the cert looks perfect, NPS can still throw Reason Code 16 if it can’t validate revocation (CRL/OCSP). Try running certutil -verify on the machine cert and see if it complains about CRL distribution points or OCSP responders. That’s a sneaky one that often gets missed.

    Another angle: confirm that the NPS policy condition is actually “Authentication Method = Smart Card or other certificate” and scoped to “Computer” as well as “User.” I’ve seen setups where the policy only matches user auth, so machine certs get denied even though they’re valid.

    On the Aruba side, a packet capture of the RADIUS exchange can be really helpful. If the client is sending a TLS alert right away, it usually means the cert isn’t being accepted for handshake either because of EKU mismatch, trust chain, or private key access., then the next place I’d dig is into the trust chain validation and the way NPS is handling machine auth specifically. Even when the cert looks perfect, NPS can still throw Reason Code 16 if it can’t validate revocation (CRL/OCSP). Try running certutil -verify on the machine cert and see if it complains about CRL distribution points or OCSP responders. That’s a sneaky one that often gets missed.

    If you’ve ruled out all of those, I’d also check Group Policy settings around “Computer Authentication” for wireless profiles. Sometimes the profile is set to use user certs only, and the machine cert never even gets presented.

    So in short: verify revocation checks, confirm NPS policy scope, and make sure the wireless profile is actually configured for machine auth

    0 comments
  2. HLBui 4,945 Reputation points Independent Advisor
    2026-04-04T02:43:04.1466667+00:00

    Hi mmuser

    Reason Code 16 in NPS basically means “authentication failed,” but the tricky part is figuring out why the computer cert isn’t being accepted while user certs and PEAP are fine. From what you’ve described, the cert itself looks good (subject, SAN, EKU, key usage, private key all check out), so the issue is usually around trust or how the cert is being presented. A couple of things to double‑check:

    1. Make sure the issuing CA’s root and any intermediate certs are in the Trusted Root Certification Authorities store on both the NPS server and the client. If the chain isn’t trusted end‑to‑end, NPS will throw Reason Code 16.
    2. Confirm that the NPS policy is actually set to allow computer authentication via EAP‑TLS. Sometimes policies are scoped to “User” only, and machine certs get rejected.
    3. On the client side, verify that the cert is in Local Computer\Personal (which you said it is), but also that the private key is accessible by the system account. If the key permissions are off, the TLS handshake fails right away.
    4. Aruba controllers can be picky make sure the RADIUS request is actually sending the machine identity and not defaulting back to user auth. A packet capture can help confirm what’s being sent.
    5. Finally, check if the template used to issue the cert has Client Authentication in EKU. Even if everything else looks right, missing that EKU will cause NPS to deny it.

    If you walk through those checks, you’ll usually find the culprit. And if this answer helps you get past the Reason Code 16 headache, don’t forget to hit “Accept Answer” and let me know if you need any assistance. Thank you!

  3. Q&A Assist
    2026-04-03T22:28:13.6933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Reason Code 16 in NPS with EAP‑TLS almost always means the certificate presented by the client does not meet the EAP‑TLS requirements that NPS is enforcing. Because user certificates work but computer certificates fail, focus on the specific machine‑cert requirements for EAP‑TLS and NPS policy.

    Key checks to make on the computer certificate and NPS policy:

    1. Extended Key Usage (EKU) for EAP
      • For EAP‑TLS, the client certificate must have at least one of these EKUs:
        • Client Authentication (OID 1.3.6.1.5.5.7.3.2), or
        • Any Purpose (OID 1.3.6.1.4.1.311.10.12.1), or
        • All Purpose (EKU value 0 as defined in RFC 5280).
      • If the computer certificate has other EKUs but not one of the above, NPS will reject it for EAP‑TLS.
    2. Certificate chain and trust
      • The computer certificate must chain to a trusted root CA on the client and on the NPS server.
      • The certificate must not fail any CryptoAPI checks (revocation, validity, etc.) and must pass all requirements in the NPS remote access policy.
    3. Subject Alternative Name (SAN) / UPN
      • For EAP‑TLS, the SubjectAltName extension on the client certificate must contain the user principal name (UPN) of the identity being authenticated.
      • If the template used for the computer certificate does not populate SAN with a UPN that matches the machine account identity used for 802.1X, NPS will deny authentication.
    4. NPS policy OID filtering
      • NPS remote access policies can enforce certificate OID checks. If the policy is configured to require specific OIDs that the computer certificate does not have (even if the user certificate does), the machine auth will fail while user auth succeeds.
    5. Location and type of certificate on the client
      • The certificate must be a computer certificate in the Local Computer\Personal store, not a smart‑card or password‑protected registry‑based certificate.
      • EAP‑TLS will not use registry‑based smart‑card certificates or password‑protected certificates for 802.1X.
    6. Server certificate and NPS configuration
      • Ensure the NPS server certificate used for PEAP/EAP‑TLS meets the server requirements (Server Authentication EKU, trusted root, correct subject name/FQDN) so that the TLS handshake can complete for both user and computer authentication.

    Given that user certificates work, compare the working user certificate and the failing computer certificate side‑by‑side:

    • Confirm EKU includes Client Authentication or Any/All Purpose on the computer cert.
    • Confirm SAN contains the correct UPN for the machine account.
    • Confirm the same issuing CA and full chain are trusted on NPS.
    • Check NPS policy conditions for certificate OID filters that might exclude the machine cert.

    Adjust the computer certificate template (EKU, SAN/UPN population) and NPS policy to match the documented EAP‑TLS client requirements, then re‑enroll the machine certificate and test again.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.