We had our CIMCs configured to use encrypted AD authentication and until we began to update the domain controllers to Server 2012, everything worked fine. Since the 2012 DCs have been introduced, encrypted authentication no longer works. The message "Login failed. Verify that your username and password are correct." is displayed.
The following is found in the CIMC log:
pam_ldap_manager(webgui:account): Can't contact LDAP server, error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol: Please check the correct Certificate Authority (CA) certificate has been uploaded to AVCT. Please also check if the AVCT date is within the valid period of the certificates and the Domain Controller Address configured in AVCT matches the subject of the directory server certificate: firstname.lastname@example.org, host=xxx.xxx.xxx.xxx
This is repeated for each configured DC in the Active Directory Properties tab. Changing the configuration to a 2008R2 DC allows for a successful authentication.
Interestingly, SSH connections are still able to authenticate using AD accounts.
Testing has been done primarily on a UCS C260M2 (C222.214.171.124.0), CIMC ver 1.5(1b), AD Domain / Forest functional level - Windows Server 2008R2, Domain Controllers - Windows Server 2012 Enterprise (Core)
Does anyone have any suggestions on how to get encrypted authentication working against Server 2012 DCs?