MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

Added the recent BADLOCK patch on CP 6.6 yesterday to a customer solution, and that stopped his EAP-PEAP authentications from going through - since it seems the AD trust was broken. We are now unable to re-join the domain.

 

INFO - Using Administrator as the ****'s username Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain '***.INT'
over rpc: Access denied

 

Working with Aruba TAC to solve this, but it's not a good situation to be in.. Google tells us that others have the same problems after applying the BADLOCK patch to their Linux systems.

 

So - halt your patching until this is worked out.. Has anyone else done this with success??


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!

Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

Doesn't sound good! Will test it out in my lab and post back.


#AirheadsMobile
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

I patched my CPPM and it appears to be fine. EAP-PEAP auths are working ok too. Am able to browse AD from the LDAP browser. No problems here.

Cheers
James


Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

Seems customer had disabled a couple of profiles in AD that caused this to happen:

 

Microsoft Network Server: Digitally Sign Communications (Always)
Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

 

I'm guessing this was disabled after joining Domain the first time, and as a result the trust wasn't re-established after the hotfix was applied.. Once these were enabled again we could re-join Domain and all was well.

 

Solved - thanks Aruba TAC!


Regards
John Solberg


Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

jsolb,

 

Which profiles?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base


Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

Customer says they disabled these 7-8 years back to allow Macs onto their domain..

 

Microsoft Network Server: Digitally Sign Communications (Always)
Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

 

Seems that now they are required. Pretty sure I haven't seen that documented in the "Clearpass failed to join Domain" thread ;)


Regards
John Solberg


Re: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

Ran into the same issue after upgrading to 6.5.7. Solution was to add the "client ipc signing = auto" line to the "smb.conf" file using the Aruba support account.

For more info: https://www.samba.org/samba/security/CVE-2016-2115.html

 

Kudos to TAC.
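
Added example, not part of the thread and not Aruba or Samba code: a small audit that reads the [global] section of an smb.conf and reports whether IPC$ signing is still enforced, since "client ipc signing = auto" relaxes the requirement described in the linked CVE-2016-2115 advisory. The value meanings follow Samba's smb.conf documentation; the function names and sample configurations are constructed for illustration.

```python
import re

# Meaning of each documented value of "client ipc signing" (smb.conf(5)).
IPC_SIGNING = {
    "default": "required",
    "mandatory": "required",
    "auto": "offered, not enforced",
    "disabled": "not offered",
}

def _norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def ipc_signing_state(text):
    """Effective IPC$ signing behaviour; unset means Samba's default."""
    value = global_params(text).get("clientipcsigning", "default").lower()
    return IPC_SIGNING.get(value, "unrecognized value: " + value)

# Constructed sample files, not taken from a ClearPass appliance.
PATCHED_DEFAULT = "[global]\n   workgroup = EXAMPLE\n   security = ads\n"
WORKAROUND = PATCHED_DEFAULT + "   Client IPC Signing = auto  \n"

if __name__ == "__main__":
    for label, conf in (("default", PATCHED_DEFAULT), ("workaround", WORKAROUND)):
        print(label, "->", ipc_signing_state(conf))
```

A result other than "required" means the host will accept unsigned IPC$ sessions, so enabling signing on the domain controllers, as in the earlier resolution in this thread, keeps the patched default in force.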
