AAA, NAC, Guest Access & BYOD

CPPM management user authentication against AD fails: No trusted SAM Account (0xc00018b)

by on ‎07-14-2014 01:27 AM

Question : I see the below error when trying management authentication on CPPM.
ERROR: Raduis Server.Radius - rlm_mschap: AD status: No trusted SAM Account (0xc00018b)
ERROR: Raduis Server.Radius - rlm_mschap: Failed : MS-CHAP2-Response is incorrect


Symptoms : This issue may occur when a the AD server is restarted. The Restart may be planned or due to an outage.


Cause : This error is seen when any changes are made on the Domain controller. Once the change is made, the PID ( on the Domain controller) changes and the same is not updated automatically on CPPM.

This issue is seen on versions prior to CPPM 6.1.4 and must not be seen on CPPM 6.1.4 , 6.2.0 and later versions.

CPPM must be on version 6.1.4 or 6.2.0 or later versions for this feature to work.


Resolution : We can follow  the below steps to fix this.

Navigate to "Administration » Server Manager » Server Configuration" on CPPM and restart the Domain service.

User-added image

If the above steps does not help, we will have to force CPPM to leave the domain and rejoin it.

User-added image

If we have two Active Directories mapped to the same domain controller we can configure CPPM to send the authentication request to the other AD if it fails on first.

When joining cppm to an AD domain for mschap authentication, we have to use the name of a domain controller, not just the domain, such as (If we use, joining fails.) The load-balancing, failover, and server selection behavior is:

a) When CPPM is joined to a domain (by specifying a particular domain controller), it pulls SRV records and discovers all the available domain controllers.

b) CPPM connects to the domain controller specified during domain join to do MSCHAPv2 authentications. If this domain controller is not available, it will try to connect to one of the remaining domain controllers.

Example: We have two Active Directories, one for PST timezone and other for EST time zone. Say the PST zone AD was restarted or some changes were made to it, and authentication starts failing. Under this condition, we can configure CPPM to forward the authentication request to the EST AD server.

This can be achieved by running the below command from the CLI of CPPM after logging in as Appadmin.

# ad passwd-server

we can use this with the following arguments.

[appadmin@Aruba_CPPM_6.2]# ad passwd-server

 set                     Set the password servers
 list                    List the configured password servers
 reset                   Reset the password servers

How to list the passwd-servers?

[appadmin@Aruba_CPPM_6.2]# ad passwd-server list -n <Domain Name>

[appadmin@Aruba_CPPM_6.2]# ad passwd-server list -n CLEARPASS
  Printing the list of password servers

How do i add a new password server?

[appadmin@Aruba_CPPM_6.2]# ad passwd-server set -n <Domain Name>  -s <Server Name>

[appadmin@Aruba_CPPM_6.2]# ad passwd-server set -n CLEARPASS -s server
Stopping cpass-domain-server_CLEARPASS:                    [  OK  ]
Starting cpass-domain-server_CLEARPASS:                    [  OK  ]

Related Links : Please refer to below article which explains about how to add CPPM to a domain

i have version 6.3.5 and i get this error. the above pictures are not displayed

Worked with Simon over a web session and resolved the issue by rejoining the domain.

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.