Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

  • 1.  MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    Posted Jun 02, 2016 03:46 AM

    Added the recent BADLOCK patch on CP 6.6 yesterday to a customer solution, and that stopped his EAP-PEAP authentications from going through - since it seems the AD trust was broken. We are now unable to re-join the domain.

     

    INFO - Using Administrator as the ****'s username Enter Administrator's password:
    Failed to join domain: failed to lookup DC info for domain '***.INT'
    over rpc: Access denied

     

    Working with Aruba TAC to solve this, but it's not a good situation to be in. Google tells us that others have the same problems after applying the BADLOCK patch to their Linux systems.

     

    So - halt your patching until this is worked out. Has anyone else done this with success?



  • 2.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    Posted Jun 02, 2016 03:54 AM
    Doesn't sound good! Will test it out in my lab and post back.


    #AirheadsMobile


  • 3.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    Posted Jun 02, 2016 04:37 AM

    I patched my CPPM and it appears to be fine. EAP-PEAP auths are working ok too. Am able to browse AD from the LDAP browser. No problems here.



  • 4.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0
    Best Answer

    Posted Jun 02, 2016 05:17 AM

    Seems the customer had disabled a couple of profiles in AD that caused this to happen:

     

    Microsoft Network Server: Digitally Sign Communications (Always)
    Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

     

    I'm guessing this was disabled after joining the domain the first time, and as a result the trust wasn't re-established after the hotfix was applied. Once these were enabled again we could re-join the domain and all was well.

     

    Solved - thanks Aruba TAC!



  • 5.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    EMPLOYEE
    Posted Jun 02, 2016 05:39 AM

    jsolb,

     

    Which profiles?

     



  • 6.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    Posted Jun 02, 2016 06:47 AM

    Customer says they disabled these 7-8 years back to allow Macs onto their domain.

     

    Microsoft Network Server: Digitally Sign Communications (Always)
    Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

     

    Seems that now they are required. Pretty sure I haven't seen that documented in the "Clearpass failed to join Domain" thread ;)



  • 7.  RE: MSCHAPv2 failing - unable to re-join AD after BADLOCK hotfix 6.6.0

    Posted Dec 19, 2016 12:31 AM

    Ran into the same issue after upgrading to 6.5.7. Solution was to add the "client ipc signing = auto" line in the "smb.conf" file using the Aruba support account.

    For more info: https://www.samba.org/samba/security/CVE-2016-2115.html

     

    Kudos to TAC.
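The Samba-side workaround from the post above ("client ipc signing = auto"), as an added example that is not from the thread, from HPE Aruba or from the Samba project: a POSIX shell helper that sets a [global] option in an smb.conf idempotently (an existing uncommented value is replaced rather than duplicated, a commented-out copy is left alone, and the line is inserted before the next section when the key is absent) and reads the effective value back. The smb.conf content is constructed for the demo; on ClearPass the real file is only reachable through the support account mentioned in the post, and the functions would be pointed at that path instead of a temporary file.

```shell
#!/bin/sh
# Added example (not ClearPass or Samba tooling): idempotent editing of a
# [global] option in an smb.conf, plus a reader to verify the result.
# Assumptions: POSIX sh and awk; the config uses the usual "[section]" /
# "key = value" layout; keys are matched case-insensitively.

# set_smb_global FILE KEY VALUE
set_smb_global() {
    file="$1"; key="$2"; val="$3"
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v val="$val" '
        function emit() { print "    " key " = " val; done = 1 }
        # Section header: if we are leaving [global] without having written
        # the key, insert it here (before any blank lines we were holding).
        /^[ \t]*\[/ {
            if (in_global && !done) emit()
            printf "%s", pending; pending = ""
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            if (in_global) seen_global = 1
            print; next
        }
        # Hold blank lines inside [global] so an inserted key lands next to
        # the other settings rather than after the trailing blank lines.
        in_global && /^[ \t]*$/ { pending = pending $0 "\n"; next }
        in_global { printf "%s", pending; pending = "" }
        # An existing, uncommented "key = ..." line in [global] is replaced.
        # Lines starting with ";" or "#" do not match the anchored pattern.
        in_global && !done && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") { emit(); next }
        { print }
        END {
            if (!done) { if (!seen_global) print "[global]"; emit() }
            printf "%s", pending
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_smb_global FILE KEY  -> prints the value set in [global], or nothing
get_smb_global() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) }
        in_global && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# make_sample_conf FILE: constructed smb.conf for the demo, not a real
# ClearPass configuration. The commented-out line must not be treated as set.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INT
    security = ads
    ; client ipc signing = disabled

[share]
    path = /srv/share
EOF
}

# Stand-alone demo: apply the workaround to the constructed file.
if [ "${SMB_DEMO:-1}" = "1" ]; then
    demo=$(mktemp)
    make_sample_conf "$demo"
    set_smb_global "$demo" "client ipc signing" "auto"
    printf 'client ipc signing is now: %s\n' "$(get_smb_global "$demo" "client ipc signing")"
    rm -f "$demo"
fi
```

Note the trade-off this encodes: Samba's Badlock fixes (CVE-2016-2115) raised the default for "client ipc signing" so that the DC lookup over RPC requires a signed IPC$ connection; a DC that has both "Digitally Sign Communications" policies disabled cannot satisfy that, hence the "Access denied" in the first post. Setting "auto" restores a negotiated-but-not-required signing and is a compatibility workaround; re-enabling the signing policies on the DCs, as in the accepted answer, keeps the protection the patch was meant to add. Either way, take a backup of smb.conf before editing and confirm the result with a domain re-join.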