I deployed an ACS (running on Windows Server 2003 R2 SP1) to authenticate wireless clients (WLC is the authenticator). The ACS is configured to authenticate Windows machines against Microsoft Windows Active Directory. The ACS runs on a member server and authenticates with the AD. PEAP machine authentication is enabled.
Originally the ACS was v4.0, and I hit the bug with the following error message in AUTH.log:
AUTH 02/09/2007 10:44:21 E 0376 3076 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
I upgraded to v4.1 since then, which is supposed to fix the bug.
It had been running fine for a month until recently, when the ACS failed to authenticate users again. This time, however, the above error did not appear, so I suppose I can rule out the possibility that the ACS v4.1 upgrade caused the issue.
I got the following authentication failure messages:
AUTH 03/13/2007 09:03:22 I 1645 4312 pvAuthenticateUser: authenticate 'host/DH32G1S.dept.ent.abc.com.my' against Windows Database
AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [host/DH32G1S.dept.ent.abc.com.my]
AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Could not find machine host/DH32G1S.dept.ent.abc.com.my
AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: host/DH32G1S.dept.ent.abc.com.my is not a valid machine name
Little information can be found on cisco.com with regard to how ACS actually authenticates against AD and how to interpret messages such as the ones above, or whether this is an ACS issue or an AD issue.
During the incident, I noticed many "NT AUTHORITY\ANONYMOUS LOGON" messages in the ACS machine's Event Viewer.
When I did the initial installation of ACS, I didn't perform the post-installation tasks, because the setup still works without them. I'm not certain whether this could cause the issue.
According to the domain admin, the AD is running in Windows 2000 native mode.
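The AUTH.log lines quoted in the post follow a fixed layout, and the two failure signatures ("Could not find machine ..." and "... is not a valid machine name") both carry the machine SPN that ACS could not resolve. The following Python script is an added example written for this page; it is not part of the post and not Cisco's code. It parses lines of that layout, flags the machine-authentication failures the post shows, and derives the sAMAccountName that a computer account is stored under in AD (short host name, upper-cased, with a "$" suffix, which is the standard mapping MachineSPNToSAM is performing) so that a defender knows which AD object to verify. The sample lines are copied from the post; the field meanings after the severity letter (message id, thread id) are an assumption based on their appearance.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of an ACS AUTH.log line, based on the post's excerpts:
#   AUTH MM/DD/YYYY HH:MM:SS <level> <msgid> <thread> <message>
_LINE_RE = re.compile(
    r"^AUTH\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z])\s+(?P<code>\d+)\s+(?P<thread>\d+)\s+(?P<message>.*?)\s*$"
)

# Failure signatures taken verbatim from the post. Where the message carries
# the machine SPN, capture it so the AD computer account can be checked.
_FAILURE_PATTERNS = {
    "dscracknames_failed": re.compile(r"MachineSPNToSAM: __DsCrackNames failed"),
    "machine_not_found": re.compile(r"Could not find machine (?P<spn>host/\S+)"),
    "invalid_machine_name": re.compile(r"(?P<spn>host/\S+) is not a valid machine name"),
}

# Sample lines copied from the post (one healthy line, one v4.0 failure,
# and the v4.1 machine-lookup failures).
SAMPLE_LINES = [
    "AUTH 02/09/2007 10:44:21 E 0376 3076 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
    "AUTH 03/13/2007 09:03:22 I 1645 4312 pvAuthenticateUser: authenticate 'host/DH32G1S.dept.ent.abc.com.my' against Windows Database",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [host/DH32G1S.dept.ent.abc.com.my]",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Could not find machine host/DH32G1S.dept.ent.abc.com.my ",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: host/DH32G1S.dept.ent.abc.com.my is not a valid machine name",
]


@dataclass
class AuthEvent:
    date: str
    time: str
    level: str
    code: str
    thread: str
    message: str


@dataclass
class Finding:
    kind: str
    timestamp: str
    thread: str
    spn: Optional[str]
    sam_account: Optional[str]


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Split one AUTH.log line into its fields; returns None for other text."""
    m = _LINE_RE.match(line)
    return AuthEvent(**m.groupdict()) if m else None


def machine_spn_to_sam(spn: str) -> str:
    """Map 'host/<fqdn>' to the computer account's sAMAccountName ('HOST$').

    AD stores computer accounts under the short host name, upper-cased, with
    a trailing '$'; this is the resolution the log attributes to MachineSPNToSAM.
    """
    if not spn.lower().startswith("host/"):
        raise ValueError(f"not a host SPN: {spn}")
    fqdn = spn[len("host/"):]
    return fqdn.split(".", 1)[0].upper() + "$"


def triage_machine_auth(lines: List[str]) -> List[Finding]:
    """Return one Finding per machine-authentication failure line, in log order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        for kind, pattern in _FAILURE_PATTERNS.items():
            m = pattern.search(ev.message)
            if not m:
                continue
            spn = m.groupdict().get("spn")
            findings.append(Finding(
                kind=kind,
                timestamp=f"{ev.date} {ev.time}",
                thread=ev.thread,
                spn=spn,
                sam_account=machine_spn_to_sam(spn) if spn else None,
            ))
    return findings


def accounts_to_verify(findings: List[Finding]) -> List[str]:
    """Distinct AD computer accounts named in the failures, for a directory check."""
    return sorted({f.sam_account for f in findings if f.sam_account})


if __name__ == "__main__":
    for f in triage_machine_auth(SAMPLE_LINES):
        print(f"{f.timestamp} thread={f.thread} {f.kind} spn={f.spn} sam={f.sam_account}")
    print("verify in AD:", accounts_to_verify(triage_machine_auth(SAMPLE_LINES)))
```

Run over the post's own lines, the script reports the v4.0 __DsCrackNames failure and the two v4.1 lookup failures, and tells you that the object to confirm in AD is the computer account DH32G1S$ (that it exists, is enabled, and lives in a domain the ACS member server can resolve); the healthy "pvAuthenticateUser" and "Starting MSCHAP authentication" lines are not flagged.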