03-04-2016 10:18 AM
I have 2 ClearPass servers 6.5.5 and MS Windows 2012 domain controllers. Everything was working fine until I joined a second domain controller into the network and now none of my users can authenticate. I've removed both ClearPass servers from the domain and rejoined them (multiple times), multiple reboots as both members and nonmembers of the domain, time is sync'd on all parties, CLI command "ad testjoin" comes back OK on both ClearPass servers, but every time a user tries to authenticate to AD I get the error message "nt_status_access_denied: (0xc0000022)". I can browse the base DN in my authentication source on both servers on both primary and backup DC auth sources. Googling my error message comes back with Samba share junk. I have no idea what broke or how to fix it. Any help or ideas would be great. Thanks!
03-05-2016 05:11 AM
Just a thing
Check if you still have the valid PEAP certificate on the secondary domain controller.
Also, do you have a WLC from where you can do "aaa test user" and get the Event Viewer logs to check it out in case it is a certificate issue?
03-06-2016 12:52 PM
I've run an aaa test user from a controller and get the same error on ClearPass. I've also removed all reference to the second DC from ClearPass and only used the original DC, same results.
Also, during troubleshooting I stood up a brand new ClearPass VM, left it as its own publisher, joined it into the domain and immediately got the same authentication failure results, so I'm confident that this is an MS issue.
03-06-2016 12:58 PM
Is it possible that the user you are testing with only has rights to log in from a limited set of computers? This has nothing to do with the PEAP certificate on the ClearPass server, by the way...
Aruba Customer Engineering
03-08-2016 01:49 PM
I'm using my domain admin account for auth testing, and the ClearPass bind account is a service account that was created specifically for ClearPass and also has domain admin privileges. There are no restrictions on "Log On To" options inside the user accounts in AD. Anyone at Airheads want to sit down and show me where I'm screwed up?? =D
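The distinction the thread circles around is whether the failures are account-specific (a "Log On To" workstation restriction, a locked or disabled account, a bad password) or affect every account identically, which is what you would expect when the ClearPass machine trust with the domain is broken rather than any one user. The script below is an added example, not ClearPass or Aruba code: it parses constructed ClearPass-style failure lines (the line layout is an assumption, not real ClearPass output), decodes the NT_STATUS code, and reports whether the pattern looks join-level (one status code for every account, including a known-good control account such as the domain admin used for testing) or user-level (mixed outcomes and account-specific codes).

```python
import re
from collections import Counter

# NT_STATUS codes commonly seen in NTLM/MS-CHAPv2 failures, with a rough scope.
# "account" means the DC is describing the user account; "ambiguous" means the
# code alone does not say whether the user or the requesting machine was refused.
NT_STATUS = {
    0xC0000022: ("NT_STATUS_ACCESS_DENIED", "ambiguous"),
    0xC0000064: ("NT_STATUS_NO_SUCH_USER", "account"),
    0xC000006A: ("NT_STATUS_WRONG_PASSWORD", "account"),
    0xC000006D: ("NT_STATUS_LOGON_FAILURE", "account"),
    0xC000006F: ("NT_STATUS_INVALID_LOGON_HOURS", "account"),
    0xC0000070: ("NT_STATUS_INVALID_WORKSTATION", "account"),  # "Log On To" restriction
    0xC0000071: ("NT_STATUS_PASSWORD_EXPIRED", "account"),
    0xC0000072: ("NT_STATUS_ACCOUNT_DISABLED", "account"),
    0xC0000234: ("NT_STATUS_ACCOUNT_LOCKED_OUT", "account"),
}

# Constructed sample lines (assumed layout, not real ClearPass output).
# Every account, including the domain admin control account, fails the same way.
JOIN_LEVEL_LOG = """\
2016-03-04 10:01:12 AD auth FAILED user=jdoe dc=dc01.corp.example status=NT_STATUS_ACCESS_DENIED (0xc0000022)
2016-03-04 10:01:15 AD auth FAILED user=asmith dc=dc02.corp.example status=NT_STATUS_ACCESS_DENIED (0xc0000022)
2016-03-04 10:01:20 AD auth FAILED user=svc-clearpass dc=dc01.corp.example status=NT_STATUS_ACCESS_DENIED (0xc0000022)
2016-03-04 10:01:31 AD auth FAILED user=domadmin dc=dc01.corp.example status=NT_STATUS_ACCESS_DENIED (0xc0000022)
"""

# Constructed sample where only individual accounts fail, for account-specific reasons.
USER_LEVEL_LOG = """\
2016-03-04 11:00:01 AD auth FAILED user=jdoe dc=dc01.corp.example status=NT_STATUS_WRONG_PASSWORD (0xc000006a)
2016-03-04 11:00:05 AD auth OK user=asmith dc=dc01.corp.example
2016-03-04 11:00:09 AD auth FAILED user=bob dc=dc01.corp.example status=NT_STATUS_INVALID_WORKSTATION (0xc0000070)
2016-03-04 11:00:12 AD auth OK user=domadmin dc=dc02.corp.example
"""

LINE_RE = re.compile(
    r"AD auth (?P<result>OK|FAILED) user=(?P<user>\S+) dc=(?P<dc>\S+)"
    r"(?: status=(?P<name>NT_STATUS_\w+) \((?P<code>0x[0-9a-fA-F]+)\))?"
)


def parse_line(line):
    """Return a dict for one auth event, or None if the line is not an auth line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16) if m.group("code") else None
    return {"result": m.group("result"), "user": m.group("user"),
            "dc": m.group("dc"), "code": code}


def describe(code):
    """Human-readable name and scope for an NT_STATUS code (unknown codes are ambiguous)."""
    return NT_STATUS.get(code, ("UNKNOWN_0x%08X" % code, "ambiguous"))


def triage(log_text, control_users=()):
    """Classify a burst of AD auth events as healthy, join-level or user-level."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = [e for e in events if e["result"] == "FAILED"]
    all_users = {e["user"] for e in events}
    failed_users = {e["user"] for e in failures}
    ok_users = {e["user"] for e in events if e["result"] == "OK"}
    codes = Counter(e["code"] for e in failures)

    if not failures:
        verdict = "healthy"
    elif (len(codes) == 1                       # one identical status for everyone
          and failed_users == all_users          # no account succeeded
          and set(control_users) <= failed_users # even the known-good control account fails
          and not ok_users):
        verdict = "join-level"   # suspect the machine trust / domain join, not the users
    else:
        verdict = "user-level"   # account-specific: check Log On To, lockout, password

    return {
        "verdict": verdict,
        "codes": {describe(c)[0]: n for c, n in codes.items()},
        "scopes": sorted({describe(c)[1] for c in codes}),
        "users_failed": sorted(failed_users),
        "dcs": sorted({e["dc"] for e in failures}),
    }


if __name__ == "__main__":
    for label, log in (("join-level sample", JOIN_LEVEL_LOG), ("user-level sample", USER_LEVEL_LOG)):
        print(label, "->", triage(log, control_users=("domadmin",)))
```

Run it as-is to see both verdicts; in practice, feed it the relevant lines from the Access Tracker or RADIUS log and pass the account you used for "aaa test user" as the control user. A join-level verdict is the cue to look at the machine account and the trust between ClearPass and the new DC rather than at individual user settings.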
07-21-2016 01:49 PM
I'm having this exact same issue. I upgraded to 6.6.1 and joined 2 subscribers to my publisher and now I cannot do MS-CHAPv2. Regular RADIUS and TACACS+ work fine, but any MS-CHAPv2 based service is hosed. Did you ever find a solution?