Hello
For several weeks I've been fighting with this problem.
I need to set up UAM authentication with Microsoft AD. The client PC is part of the lab domain and thus uses a domain certificate without the iNode client (the way our customer would like it to be). That means EAP-PEAP with MSCHAPv2.
In my lab I have one ProCurve 2824 switch and several virtual servers: one runs iMC with UAM, another is the AD DC and the third is the certificate server. I have set up the whole structure, imported certificates into iMC, etc.
The iMC and UAM versions are the latest:
Intelligent Management Platform (JF378A) iMC PLAT 5.1 SP1 (E0202P05)
User Access Manager (JF388A) iMC UAM 5.1 SP1 (E0301H04)
Unfortunately client authentication fails; in the switch traffic capture I see UAM asking the switch for MD5 authentication, which is immediately rejected by Windows, which wants MSCHAPv2.
In the mschapv2server log file I see the following:
[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[Feb 19, 2013 11:43:16 AM][Trace]: MSChapAuthServer():addInistialRequestMessage(): tunnel active packet: 00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
[Feb 19, 2013 11:43:16 AM][Debug]: Trigger one authentication request as parameters refreshed.
[2013-02-19 11:43:16.494] [Debug] [HashMapForCache::cleanMap]Find expired object...
[2013-02-19 11:43:16.547] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(LVLABIMC2.UAM.IMC.LAB/TESTACCOUNT)
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:16.990] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2013-02-19 11:43:16.991] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, ~={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, UAM={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}}
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
[2013-02-19 11:43:17.388] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The account is not found: uam.imc.lab\test>
mscv2js.c.d: The account is not found: uam.imc.lab\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
[Feb 19, 2013 11:43:17 AM][Trace]: The mschapv2 authentication user msg:The account is not existed on DC.
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java:625)
at mscv2js.server.g.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
I have done all the installation and configuration according to the manuals. EAP-PEAP assisted DC authentication is set up. In the log one can see that UAM asks the DC for the virtual computer (which I left at the default), which passes. Then, out of nowhere, comes this "test" account, which is in no way present in iMC. I suspect this is the reason why authentication fails and UAM reverts to MD5.
I created a "test" user on the DC, but since I have no idea what the password should be, it still fails.
Can anyone please point out what I am doing wrong?
Thanks in advance!
Marcis
#Certificates#MSCHAPv2#uam#ActiveDirectory#imc#EAP-PEAP
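Added example (not part of the post above, and not iMC or UAM code): a small Python decoder for the "tunnel active packet" hex dump and the two NETLOGON lines quoted in the post. It assumes the packet is a fixed 32-byte header followed by RADIUS-style type/length/value attributes (the length byte counting its own 2-byte header); the post does not document that layout, it is inferred from the dump, where every length lands exactly on the next type byte. The attribute names (user-name, domain, challenge, nt-response) are likewise a guess from the values, the type numbers are what the dump shows. Decoding it shows that the packet handed to the mschapv2server process already carries user "test" in domain uam.imc.lab plus an 8-byte challenge and a 24-byte NT-Response (the MS-CHAPv2 sizes), while the NETLOGON secure channel is bound as the machine account uam.imc.lab\testAccount$, so the log names two different accounts: the one used to reach the DC and the one the DC was asked to look up.

```python
import re
from dataclasses import dataclass

# Constructed input: the "tunnel active packet" hex dump exactly as it appears in the
# mschapv2server log in the post, with the log's offset and ASCII gutters kept.
TUNNEL_DUMP = """\
00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
"""

# Constructed input: the two NETLOGON log lines from the post that name an account.
NETLOGON_LOG = r"""
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
"""

# ASSUMPTION: a fixed 32-byte header precedes RADIUS-style type/length/value attributes
# (the length byte counts the 2-byte type/length header). Nothing in the post documents
# this layout; it is inferred from the dump, where every length lands exactly on the next type.
HEADER_LEN = 32

# ASSUMPTION: the attribute names are a guess from the values; the type numbers are from the dump.
ATTR_NAMES = {1: "user-name", 2: "domain", 3: "challenge", 4: "nt-response"}

HEX_LINE = re.compile(r"^[0-9A-Fa-f]+h:\s*((?:[0-9A-Fa-f]{2}\s)+)")


@dataclass
class MschapRequest:
    user: str
    domain: str
    challenge: bytes      # MS-CHAPv2 uses an 8-byte challenge
    nt_response: bytes    # and a 24-byte NT-Response


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw bytes from the log's 'offset: hex ;ascii' dump lines."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data.extend(bytes.fromhex(m.group(1)))
    return bytes(data)


def parse_tlvs(payload: bytes):
    """Walk type/length/value attributes; refuse lengths that do not fit the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {i}")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def decode_tunnel_packet(data: bytes) -> MschapRequest:
    """Split the assumed header from the attributes and check the MS-CHAPv2 field sizes."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the assumed header")
    fields = {ATTR_NAMES.get(t, f"attr-{t}"): v for t, v in parse_tlvs(data[HEADER_LEN:])}
    req = MschapRequest(
        user=fields["user-name"].decode("ascii"),
        domain=fields["domain"].decode("ascii"),
        challenge=fields["challenge"],
        nt_response=fields["nt-response"],
    )
    if len(req.challenge) != 8 or len(req.nt_response) != 24:
        raise ValueError("field sizes do not match MS-CHAPv2")
    return req


def netlogon_identities(log_text: str) -> tuple:
    """Return (account used to bind the secure channel, account the DC could not find)."""
    bind = re.search(r"with identity (\S+)", log_text)
    missing = re.search(r"The account is not found: ([^\s,]+)", log_text)
    return (bind.group(1) if bind else None, missing.group(1) if missing else None)


if __name__ == "__main__":
    req = decode_tunnel_packet(parse_hexdump(TUNNEL_DUMP))
    print(f"user={req.domain}\\{req.user} challenge={req.challenge.hex()} "
          f"nt_response={req.nt_response.hex()}")
    bind_as, missing = netlogon_identities(NETLOGON_LOG)
    print(f"secure channel bound as {bind_as}; account looked up: {missing}")
```

Run it against the dump from the post and the four attributes account for all 55 bytes after the header, which is the check that the assumed layout is at least self-consistent; the last header byte (0x04) equals the attribute count, but that may be coincidence. The NT-Response cannot be verified without the password, so the decoder stops at reporting which user name and domain the MS-CHAP server was given.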