I'm in the process of doing proof of concept testing for an 802.1x solution.
We have a requirement for servers to be 802.1x authenticated before accessing the network (it's a long story; there are some physical access control issues we can't resolve at the moment). To do this, we want to use machine authentication against Active Directory so that the servers log on without any need for user intervention.
This works fine with servers that are member servers, I've set up the ACS remote agent, and have servers in the appropriate groups and all is good. In addition to this we are also doing machine and user authentication against the Active Directory for user workstations and this is also working fine.
The problem I have is with Domain Controllers. When they try to authenticate, I get an entry in the failed authentications log with a reason of "internal error". I also see an error message in the Windows event log stating that "an error occurred during logon".
I'm assuming that we have some sort of permissions issue here, and a brief conversation with a colleague who works on the Microsoft side of things indicated that machine accounts for Domain Controllers are different to other accounts, but he wasn't able to add much.
The ACS remote agent is running on a domain controller (not the one we're trying to authenticate) and uses a service account which is a member of the domain admins group so there shouldn't be any problem there.
ACS SE version is 4.1; servers are all Windows 2003 R2 with SP2.
I'm wondering if anyone else has seen a similar problem using ACS and what the resolution was.
We're only authenticating some domain controllers against AD. The domain controller which runs the ACS Remote Agent is not on a switch port requiring authentication.
As mentioned, everything is working fine, except for authentication of the domain controllers. Member servers, and users all authenticate to AD without problems. We've even demoted a domain controller to member server and had it work fine, then fail again when we promoted the member server back to domain controller so I'm pretty sure that there is some issue with domain controller machine accounts.
We originally tried running the ACS Remote Agent using a local account. Behavior was the same as when we use a service account.
Then it seems to be due to an incompatibility. Now you will say: if it works for normal users and machines, why is the issue seen when the machine is promoted to a domain controller? Well, there is a huge difference between the security settings of a regular machine and those of a domain controller.
You need to upgrade ACS to 4.2 and that should fix this issue.