CPPM management user authentication against AD fails: No trusted SAM Account (0xc00018b)
Question : I see the error below when attempting management authentication on CPPM.
ERROR: Raduis Server.Radius - rlm_mschap: AD status: No trusted SAM Account (0xc00018b)
ERROR: Raduis Server.Radius - rlm_mschap: Failed : MS-CHAP2-Response is incorrect
Symptoms : This issue may occur when the AD server is restarted. The restart may be planned or due to an outage.
Cause : This error is seen when any changes are made on the domain controller. Once the change is made, the PID (on the domain controller) changes and the same is not updated automatically on CPPM.
This issue is seen on versions prior to CPPM 6.1.4 and should not be seen on CPPM 6.1.4, 6.2.0 and later versions.
CPPM must be on version 6.1.4, 6.2.0 or a later version for this feature to work.
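The two log lines quoted above are the signature to look for when deciding whether a failure is a CPPM-to-domain trust problem (which the steps in this article fix) or an ordinary bad-password failure (which they do not). The following is an added example, not code from the article or from ClearPass, that runs a small classifier over constructed sample log lines modelled on the quoted messages. The remediation strings simply restate this article's steps; treating a response-incorrect line with no preceding AD status error as a per-user credential failure is an assumption made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Matches the AD status line quoted in the article and captures the NT status
# text and hex code, e.g. ("No trusted SAM Account", "0xc00018b").
AD_STATUS_RE = re.compile(
    r"rlm_mschap: AD status: (?P<msg>.+?) \((?P<code>0x[0-9a-fA-F]+)\)"
)
# Matches the generic MS-CHAPv2 failure line that follows it.
RESPONSE_FAIL_RE = re.compile(r"rlm_mschap: Failed : MS-CHAP2-Response is incorrect")

# AD status texts that mean the CPPM machine account / domain trust is broken
# rather than one user typing a wrong password. The article documents one;
# the set is here so it can be extended.
TRUST_FAILURE_MESSAGES = {"No trusted SAM Account"}

# Constructed sample of CPPM event-viewer lines (timestamps are made up,
# message text copied from the article).
SAMPLE_LOG = """\
2013-06-03 10:12:01,120 ERROR: Raduis Server.Radius - rlm_mschap: AD status: No trusted SAM Account (0xc00018b)
2013-06-03 10:12:01,121 ERROR: Raduis Server.Radius - rlm_mschap: Failed : MS-CHAP2-Response is incorrect
2013-06-03 10:12:05,300 ERROR: Raduis Server.Radius - rlm_mschap: Failed : MS-CHAP2-Response is incorrect
"""


@dataclass
class Diagnosis:
    ad_status_codes: List[Tuple[str, str]] = field(default_factory=list)  # (msg, code) seen
    response_failures: int = 0
    verdict: str = "ok"
    remediation: List[str] = field(default_factory=list)


def diagnose_mschap_log(log_text: str) -> Diagnosis:
    """Scan rlm_mschap lines and decide whether the domain trust is the problem."""
    d = Diagnosis()
    for line in log_text.splitlines():
        m = AD_STATUS_RE.search(line)
        if m:
            d.ad_status_codes.append((m.group("msg"), m.group("code")))
        elif RESPONSE_FAIL_RE.search(line):
            d.response_failures += 1

    if any(msg in TRUST_FAILURE_MESSAGES for msg, _ in d.ad_status_codes):
        # The case this article is about: the DC-side account changed and CPPM
        # still holds the old state, so every MSCHAPv2 auth fails.
        d.verdict = "domain_trust"
        d.remediation = [
            "Administration > Server Manager > Server Configuration: restart the Domain service",
            "If that does not help: make CPPM leave the domain and rejoin it",
            "Optionally: 'ad passwd-server set -n <Domain Name> -s <Server Name>' to use another DC",
        ]
    elif d.response_failures:
        # Assumption for this example: response-incorrect lines with no AD status
        # error are per-user credential failures, so no domain rejoin is needed.
        d.verdict = "user_credential"
        d.remediation = ["Check the user's password and account state; do not rejoin the domain"]
    return d


if __name__ == "__main__":
    result = diagnose_mschap_log(SAMPLE_LOG)
    print(result.verdict, result.ad_status_codes)
    for step in result.remediation:
        print(" -", step)
```

Run against the constructed sample it reports a domain_trust verdict with the 0xc00018b status, which is the cue to restart the Domain service before touching any user accounts.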
Resolution : We can follow the steps below to fix this.
Navigate to "Administration » Server Manager » Server Configuration" on CPPM and restart the Domain service.
If the above step does not help, we will have to force CPPM to leave the domain and rejoin it.
If we have two Active Directory servers mapped to the same domain controller, we can configure CPPM to send the authentication request to the other AD if it fails on the first.
When joining CPPM to an AD domain for MSCHAP authentication, we have to use the name of a domain controller, not just the domain, such as server1.domain.xxx.edu. (If we use domain.xxx.edu, joining fails.) The load-balancing, failover and server-selection behavior is:
a) When CPPM is joined to a domain (by specifying a particular domain controller), it pulls SRV records and discovers all the available domain controllers.
b) CPPM connects to the domain controller specified during domain join to do MSCHAPv2 authentications. If this domain controller is not available, it will try to connect to one of the remaining domain controllers.
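Steps a) and b) describe a small algorithm: validate the join target, discover the domain controllers from SRV records, then try the join-time DC first and fall back to the others. The following is an added illustration, not ClearPass code, that models that behavior in Python over a constructed SRV answer; the hostnames follow the article's server1.domain.xxx.edu pattern and are placeholders. Ordering same-priority records by weight deterministically is a simplification of the weighted random choice RFC 2782 specifies.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


DOMAIN = "domain.xxx.edu"

# Constructed answer to an SRV lookup such as _ldap._tcp.dc._msdcs.domain.xxx.edu;
# these are placeholder names, not real hosts.
SRV_RECORDS = [
    SrvRecord(priority=0, weight=100, port=389, target="server1.domain.xxx.edu"),
    SrvRecord(priority=0, weight=100, port=389, target="server2.domain.xxx.edu"),
    SrvRecord(priority=10, weight=50, port=389, target="server3.domain.xxx.edu"),
]


def validate_join_target(name: str, domain: str, records: Iterable[SrvRecord]) -> str:
    """The article's rule: join with a DC hostname, never the bare domain name.
    Returns the normalised hostname or raises ValueError."""
    host = name.rstrip(".").lower()
    if host == domain.rstrip(".").lower():
        raise ValueError(
            f"joining with the bare domain {domain!r} fails; use a DC such as server1.{domain}"
        )
    if host not in {r.target.lower() for r in records}:
        raise ValueError(f"{host!r} is not a domain controller advertised in the SRV records")
    return host


def discover_domain_controllers(records: Iterable[SrvRecord]) -> List[str]:
    """Step a): every DC the SRV records advertise, lowest priority first and
    higher weight preferred within a priority (deterministic simplification)."""
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target for r in ordered]


def connection_order(join_dc: str, records: Iterable[SrvRecord]) -> List[str]:
    """Step b): the DC named at join time first, then the remaining discovered DCs."""
    others = [dc for dc in discover_domain_controllers(records) if dc != join_dc]
    return [join_dc] + others


def select_domain_controller(
    join_dc: str, records: Iterable[SrvRecord], is_reachable: Callable[[str], bool]
) -> str:
    """Walk the connection order and return the first reachable DC.
    is_reachable stands in for the real connectivity probe."""
    for dc in connection_order(join_dc, records):
        if is_reachable(dc):
            return dc
    raise RuntimeError("no domain controller reachable; MSCHAPv2 authentications will fail")


if __name__ == "__main__":
    join_dc = validate_join_target("server1.domain.xxx.edu", DOMAIN, SRV_RECORDS)
    # Simulate the scenario in the article: the join-time DC is being restarted.
    down = {"server1.domain.xxx.edu"}
    chosen = select_domain_controller(join_dc, SRV_RECORDS, lambda dc: dc not in down)
    print("connection order:", connection_order(join_dc, SRV_RECORDS))
    print("using:", chosen)
```

With server1 marked unavailable the selection falls through to server2, which is the failover the article describes; the bare domain name is rejected up front, matching the note that joining with domain.xxx.edu fails.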
Example: We have two Active Directory servers, one for the PST time zone and the other for the EST time zone. Say the PST zone AD was restarted or some changes were made to it, and authentication starts failing. In that case, we can configure CPPM to forward the authentication request to the EST AD server.
This can be achieved by running the command below from the CLI of CPPM after logging in as appadmin.
# ad passwd-server
We can use this with the following arguments.
[appadmin@Aruba_CPPM_6.2]# ad passwd-server
set Set the password servers
list List the configured password servers
reset Reset the password servers
How do I list the password servers?
[appadmin@Aruba_CPPM_6.2]# ad passwd-server list -n <Domain Name>
[appadmin@Aruba_CPPM_6.2]# ad passwd-server list -n CLEARPASS
Printing the list of password servers
How do I add a new password server?
[appadmin@Aruba_CPPM_6.2]# ad passwd-server set -n <Domain Name> -s <Server Name>
[appadmin@Aruba_CPPM_6.2]# ad passwd-server set -n CLEARPASS -s server
Stopping cpass-domain-server_CLEARPASS: [ OK ]
Starting cpass-domain-server_CLEARPASS: [ OK ]
Related Links : Please refer to the article below, which explains how to add CPPM to a domain.