I'm in the process of doing proof of concept testing for an 802.1x solution.
We have a requirement for servers to be 802.1x authenticated before accessing the network (it's a long story; there are some physical access control issues we can't resolve at the moment). To do this, we want to use machine authentication against Active Directory so that the servers log on without any need for user intervention.
This works fine with servers that are member servers, I've set up the ACS remote agent, and have servers in the appropriate groups and all is good. In addition to this we are also doing machine and user authentication against the Active Directory for user workstations and this is also working fine.
The problem I have is with Domain Controllers. When they try to authenticate, I get an entry in the failed authentications log with a reason of "internal error". I also see an error message in the Windows event log stating that "an error occurred during logon".
I'm assuming that we have some sort of permissions issue here, and a brief conversation with a colleague who works on the Microsoft side of things indicated that machine accounts for Domain Controllers are different to other accounts, but he wasn't able to add much.
The ACS remote agent is running on a domain controller (not the one we're trying to authenticate) and uses a service account which is a member of the domain admins group so there shouldn't be any problem there.
ACS SE version is 4.1; servers are all Windows 2003 R2 with SP2.
I'm wondering if anyone else has seen a similar problem using ACS and what the resolution was.