Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Windows using domain\machinename$ during Computer Authentication

  • 1.  Windows using domain\machinename$ during Computer Authentication

    Posted Feb 03, 2017 01:49 AM

    Hello!

     

    I'm in a situation I've not seen before, but I'm sure someone else has so I'm hoping for some insight from the crowd here.

    Working on a standard 802.1x setup using Clearpass with Windows 10 computers, and I setup the clients with Authentication mode: "User or computer authentication".

     

    So normally I see host/fqdn when Windows Computers do their Computer Authentication, but in this case it's sending domain\machinename$. This results in a Reject from AD and a failed [Machine Authentication].

     

    If I set the auth mode to only "Computer authentication" it always sends host/fqdn and all is well.

     

    Customer says that in the previous 802.1x they tried several years ago, they had the same problem. That was with the same AD/GPO's etc, but Win 7 clients.

     

    So - anyone else had this problem and found a way to fix this?



  • 2.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Feb 03, 2017 05:34 AM

    Hi John,

    I've seen this before when using EAP-TLS for authentication. What are you using?

     

    EDIT: Ahhh nevermind, probably EAP-PEAP as you're doing user and computer. 



  • 3.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Feb 03, 2017 05:38 AM
    Hi James

    Well - the client is setup to do EAP-PEAP and that is whats listed in access tracker as method. I'm using a service that accepts both eap-tls with ocsp and eap-peap.

    .. John-Egil Solberg
    @ a mobile device


  • 4.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Feb 08, 2017 07:25 AM

    *bump*

     

    So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?

     

    That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab. 

     

    domain\machinname$ is only used when the computer is setup with EAP-PEAP and authentication method = "user or computer authentication". In "Computer authentication" auth mode the correct host/machinname.fqdn is used and authentication works correctly.



  • 5.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jun 26, 2017 08:13 PM
    @jsolb wrote:

    *bump*

     

    So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?

     

    That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab. 

     

    domain\machinname$ is only used when the computer is setup with EAP-PEAP and authentication method = "user or computer authentication". In "Computer authentication" auth mode the correct host/machinname.fqdn is used and authentication works correctly.

    Hi John,

    Not sure if you're still chasing this problem. We just started doing machine authentication for a small building and are running into this problem now today for some individuals. Something that stuck in my mind shortly towards end of my shift - what build number of Windows 10 were you running into - and did it differ from you lab setup - I saw this on Version 1607 [Build 14393] (My recently updated work and test laptop) and Version 1703 [Build 15063] (affected population version ran in to) - and I hope to have the original version I tested this again shortly Version 1511 [Build 10586] - where I didn't have this problem - Enterprise Version Info - https://technet.microsoft.com/en-us/windows/release-info.aspx



  • 6.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jun 26, 2017 08:19 PM

    Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS?

    Is the device configured for user, computer or computer + user?

    Are you using the native Windows supplicant?



  • 7.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jun 26, 2017 08:22 PM

    Hi Tim,

    Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS? PEAPv0/EAP-MSCHAPv2

    Is the device configured for user, computer or computer + user? computer + user

    Are you using the native Windows supplicant? Yes



  • 8.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jun 26, 2017 08:25 PM

    @cbjohns wrote:

    Hi Tim,

    Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS? PEAPv0/EAP-MSCHAPv2

    Is the device configured for user, computer or computer + user? computer + user

    Are you using the native Windows supplicant? Yes


    Almost forgot one more important detail. The machine passes authentication with "host/FQDN" - and then almost immediately fails with "domain\machinename$" - so this could be a separate issue from OPs.



  • 9.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jun 28, 2017 10:31 AM

    Made some progress (ruled out Windows 10 versions) and happened to find a recent Aruba KB about this behavior - https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Machine-authentication-fails-when-ssid-profile-pushed-via-GPO/ta-p/290978 - not sure what causes it though and why for some clients. Still trying to do more analysis.



  • 10.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Jul 05, 2017 06:57 PM

    Made some further progress. I was wondering if anyone could try replicating the issue I experienced in Windows 10 Version 1703 with an SSID (802.1x - PEAP-MSCHAPv2) deployed via GPO. In previous versions of Windows 10 - the OS will NOT and SHOULD not allow the creation of duplicate SSID Profiles. Feel free to PM if willing to test - I almost disregarded one person as not having the issue - till I realized a sneaky behavior that masked the issue.

     

    In Version 1703 - the OS is allowing two profiles of the same name to be configured (The Original GPO "Added by Company Policy") and then a user-defined one (either through "Add a new network" - or possibly a by-product of an in-place upgrade) - testing this tomorrow. I suspect if one GPO is (User or Computer Authentication) and the other is (Computer Authentication Only or vice-versa) it's causing the client to machine authenticate as "host/FQDN" followed by immediate failure attempt of "Domain\MachineName$" - based on the various authentication methods if I'm been testing.



  • 11.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Aug 29, 2017 06:04 PM

    In case anyone else is still following this topic - additional behavior I've noticed with Windows 8.1/10 and the format of the computer authentication.

     

    This is specific to profile set as "User or computer authentication" with native Windows Supplicant on a 802.1x WPA2Enterprise - PEAP-MSCHAPv2 SSID. If a user interactively brings up the Wi-Fi taskbar on the logon screen, selects the corporate ssid, and clicks "Connect" manually - then the laptop will attempt to authentcate as "Domain\MachineName$". If the Wi-Fi is "toggled" or it attempts to automatically connect (connect automatically setting) without user-interaction of the "Connect" button - the laptop will attempt to authenticate as "host\FQDN-MachineName".



  • 12.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Nov 13, 2018 03:29 PM

    I am having the same problem. Did you ever find a solution?



  • 13.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Nov 14, 2018 05:01 PM

    @brettmwill wrote:

    I am having the same problem. Did you ever find a solution?


    If referring to me. I unfortunately was not able to find the solution. I've been meaning to finally sit down and open a ticket with Microsoft concerning this behavior. I had a lengthy discussion on the TechNet forums whom agreed the "samAccountName" is only for legacy purposes. They informed me last year that in their test lab they couldn't reproduce the specific behavior I was reproducing. I'm hoping to get some time once our third engineer returns and open a ticket with Microsoft -> which bore fruit last time concerning the "Duplicate Profile" issue I discovered last year.

     

    https://social.technet.microsoft.com/Forums/en-US/da7c5e3d-b974-4f95-852e-09f7333cfa1c/retriggering-computer-authentication-without-restart?forum=win10itpronetworking



  • 14.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Nov 22, 2018 03:40 AM

    We're facing the same problem.

     

    We're using Windows 10 versions 1709 and 1803. I configured the wireless network profile manually, so no GPOs were involved.

    We use EAP-TTLS with EAP-MsChapV2 and windows logon credentials.

    The reason we use EAP-TTLS is because we need to use a specific realm in the outer identity and this can't be configured in EAP-PEAP.

     

    The settings we used are as follows:

    In the Security tab:

    WPA2-Enterprise, AES, Microsoft: EAP-TTLS, tagged remember my credentials

    EAP-TTLS Settings:

    tagged enable identity privacy: anonymous@realm.tld, connect to these servers: radius.domain.tld, tagged only the correct CA, untagged don't prompt user, Eap method for authentication: EAP-MSCHAP v2.

    EAP MSCHAPv2 properties:

    tagged automatically use my windows logon name

    Advanced Security settings:

    tagged specify authentication mode: User or computer authentication, untagged delete credentials, tagged enable single sign on, selected after user logon, maximum delay: 10 seconds, tagged allow dialogs, tagged this network uses separate vlans

     

    We reproduced the problem as follows:

    - turn on the computer and it will succesfully authenticate as host/computer.fqdn

    - log on as user and domain\user will succesfully authenticate

    - disconnect the wireless network and log out from the computer

    - at the logon screen connect to the wireless network again.

    - It will now unsuccesfully try to authenticate as domain\computername$.

     

    We haven't found a solution as of yet, but are keen to find one.



  • 15.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Nov 22, 2018 05:00 AM

    An update:

    All you need to do to recreate the problem is go to the log on screen.

    If the windows 10 client automatically connects it will use host/machine.fqdn.

    If you connect the client manually it will use domain\machinename$ .

     



  • 16.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Dec 19, 2018 01:23 PM

    Same here.

    We deployed both wired and wireless profiles via GPO, with the same settings. Wired always uses host/fqdn, manual wireless connection at the logon screen always fails because of netbiosname\hostname$ fails to authenticate. Exactly as described above.

    All computers are Windows 10 up to date.

     

    Anybody had luck with Microsoft support tickets? As pushing the registry value of the servicePrincipalName (as described in here) via GPO s quite challenging.

     



  • 17.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Dec 20, 2018 03:30 AM
    Well you could set the value of szName in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 with a GPO to the servicePrincipalName with something like host/%COMPUTERNAME%.%USERDOMAIN% , but the problem is that the value is overwritten before it can be used to manually authenticate to the SSID.


  • 18.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Feb 19, 2019 11:24 AM

    Taking another crack at this again at TechNet finally. I'm curious what the difference is between their lab environment, the original posters, and everyone elses is. Since TechNet and OP couldn't reproduce this problem in their environment, but several other folks are.



  • 19.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Apr 03, 2019 05:11 PM

    Has anyone found a solution to this yet? Currently running into the same situation in my environment. Been searching the web trying to solve it myself before having to call support...



  • 20.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Apr 04, 2019 02:52 AM

    I haven't found a solution yet. I also found out that "Wired AutoConfig" 802.1x authentication reacts in the same way, so it's not only the wireless stack that suffers from this issue.



  • 21.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Apr 16, 2019 03:41 PM
    Starting the process to open a ticket with Microsoft today. Hopefully worth the time and get some answers. :-)


  • 22.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Apr 18, 2019 02:02 PM

    Microsoft Support confirmed what they saw in the netsh tracing of the samAccountName - and inquired about the "registry modification" that was referenced - although I changed it - reverted back (waiting to hear back from them now). In the meantime, looking back over everything with fresh set of eyes of my authentication failures. In regards to EAP-PEAP-MSCHAPv2 - What does it mean in ClearPass when the challenge computation doesn't have a "username referenced" (is clearpass generating a challenge incorrectly or an error with how client supplied the user-name in the tunnel?) - even though a user was located? Note - a domain was referenced correctly.

     

    username.PNG



  • 23.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Sep 25, 2019 09:25 AM
    Hello,
    did anyone find a solution for this issue?
    Facing absolutely the same problem at a customer.

    Kind regards
    Timo


  • 24.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Sep 25, 2019 10:12 AM

    Never solved, but not actually a problem.

    It happens only when you manually connect to network at the login screen. However, if single-sing on is enabled before user login, with "User or computer authentication", computer authentication is porcessed successfully immediately when the user attempts logging in.



  • 25.  RE: Windows using domain\machinename$ during Computer Authentication

    Posted Sep 27, 2019 08:14 AM
    DOMAIN\Computername$ is still being used by Windows 10 build 1903 if you connect manually with machine authentication.