Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

Hello,

I have 2 ClearPass servers 6.5.5 and MS Windows 2012 domain controllers. Everything was working fine until I joined a second domain controller into the network, and now none of my users can authenticate. I've removed both ClearPass servers from the domain and rejoined them (multiple times), done multiple reboots as both members and nonmembers of the domain, time is sync'd on all parties, and the CLI command "ad testjoin" comes back OK on both ClearPass servers, but every time a user tries to authenticate to AD I get the error message "nt_status_access_denied: (0xc0000022)". I can browse the base DN in my authentication source on both servers on both primary and backup DC auth sources. Googling my error message comes back with Samba share junk. I have no idea what broke or how to fix it. Any help or ideas would be great. Thanks!

New Contributor
Posts: 1
Registered: ‎10-19-2014

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

Just a thing

Check if you still have the valid PEAP certificate on the secondary domain controller.

Also, do you have a WLC from where you can do aaa test user, and can you get the Event Viewer logs to check it out in case it is a certificate issue?

Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

I've run an aaa test user from a controller and get the same error on ClearPass. I've also removed all references to the second DC from ClearPass and only used the original DC, same results.

Also, during troubleshooting I stood up a brand new ClearPass VM, left it as its own publisher, joined it into the domain and immediately got the same authentication failure results, so I'm confident that this is an MS issue.

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

Is it possible that the user you are testing with only has rights to log in from a limited set of computers? This has nothing to do with the PEAP certificate on the ClearPass server, by the way...



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

Colin,

I'm using my domain admin account for auth testing, and the ClearPass bind account is a service account that was created specifically for ClearPass and also has domain admin privileges. There are no restrictions on "logon to" options inside the user accounts in AD. Anyone at Airheads want to sit down and show me where I'm screwed up?? =D

New Contributor
Posts: 1
Registered: ‎01-27-2015

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

Was wondering if you ever figured this out.

Contributor II
Posts: 54
Registered: ‎09-27-2012

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

I'm having this exact same issue. I upgraded to 6.6.1 and joined 2 subscribers to my publisher and now I cannot do MS-CHAPv2. Regular RADIUS and TACACS+ work fine, but any MS-CHAPv2 based service is hosed. Did you ever find a solution?

Solutions Engineer
CWNA-CWDP-ACMP-ACCP
iva
New Contributor
Posts: 4
Registered: ‎10-18-2016

Re: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

I am having a similar issue on CPPM 6.6.1.84176. I am getting the error below when trying to log on to our domain directly from CPPM. The AD connection seems to be OK though, since I am able to read/list the AD objects through the GUI.

 

[appadmin@cppm]# ad auth -u USER -n DOMAIN
password:
ERROR - NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)
[appadmin@cppm]#
