Machine Authentication of Domain Controller

James Rule · ‎06-21-2010

Hi Guys,

I'm in the process of doing proof of concept testing for an 802.1x solution.

We have a requirement for servers to be 802.1x authenticated before accessing the network (it's a long story, there are some physical access control issue we can't resolve at the moment). To do this, we want to use machine authentication against Active Directory so that the servers log on without any need for user intervention.

This works fine with servers that are member servers, I've set up the ACS remote agent, and have servers in the appropriate groups and all is good. In addition to this we are also doing machine and user authentication against the Active Directory for user workstations and this is also working fine.

The problem I have is with Domain Controllers. When they try to authenticate, I get an entry in the failed authentications log, with a reason of internal error. I also see an error message in the Windows event log stating that "an error occurred during logon"

I'm assuming that we have some sort of permissions issue here, and a brief conversation with a colleague who works on the Microsoft side of things indicated that machine accounts for Domain Controllers are different to other accounts, but he wasn't able to add much.

The ACS remote agent is running on a domain controller (not the one we're trying to authenticate) and uses a service account which is a member of the domain admins group so there shouldn't be any problem there.

ACS SE version is 4.1, servers are all Windows 2003R2 with SP2

I'm wondering anyone else has seen a similar problem using ACS and what the resolution was.

Cheers

James

Jagdeep Gambhir · ‎06-22-2010

Hi James,

So you are authenticating Domain Controllers against AD? How will server authenticate itself while in booting stage?

Internal error is generally due to incompatibility issue. ACS 4.1 does not support win2003 SP2.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/device/guide/sdt41.html#wp40144

Please run remote agent using a local account (instead of service account) and see if that fix the issue.

Good Luck

Regards,

~JG

Do rate helpful posts

James Rule · ‎06-22-2010

We're only authenticating some domain controllers against AD. The domain controller which runs the ACS Remote Agent is not on a switch port requiring authentication.

As mentioned, everything is working fine, except for authentication of the domain controllers. Member servers, and users all authenticate to AD without problems. We've even demoted a domain controller to member server and had it work fine, then fail again when we promoted the member server back to domain controller so I'm pretty sure that there is some issue with domain controller machine accounts.

We originally tried running the ACS Remote Agent using a local account. Behavior was the same as when we use a service account.

Jagdeep Gambhir · ‎06-22-2010

Then it seems to be due to incompatibility. Now you will say when it work for normal user and machines why is the issue seen when promoted to domain controller. Well there is huge difference in security settings of a regular machine and of domain controller.

You need to upgrade ACS to 4.2 and that should fix this issue.

Regards,

~JG