AAA, NAC, Guest Access & BYOD


Dot1x Auth failing with the error "Access_Denied" even when the CPPM Server is joined to AD Domain 

Jun 05, 2020 12:10 PM

Problem:

Dot1x authentication fails with the error "Access_Denied" even though the CPPM server is joined to the AD domain.



Diagnostics:

For example: two standalone servers were used in this case; the same behaviour is seen in a cluster as well.

Standalone Server 1  : Hostname --> JohnsonServer.A
Standalone Server 2  : Hostname --> JohnsonServer.B

Both CPPM servers are joined to the same AD domain (NSLAB.com).

When the first CPPM server is joined to the AD domain, the machine account created in the Active Directory domain is named "JohnsonServer", not "JohnsonServer.A".

Similarly, when the second CPPM server is joined to the AD domain, the machine account created in the Active Directory domain is again named "JohnsonServer", not "JohnsonServer.B".

When the second CPPM server was joined to the domain, the DC removed/overwrote the first machine account, treating it as a duplicate. As a result, only the CPPM server that joined the domain most recently could associate itself with the machine account and authenticate users successfully.

The first CPPM server that joined the domain then starts failing Dot1x authentication for users, with the alert "ACCESS DENIED" shown in Access Tracker.


Solution

This appears to be a limitation/behaviour in AD: when the machine account is created in the AD domain, the part of the hostname after the period is not read or written.

Anything in the CPPM server hostname after the first "." is therefore not taken into account when the machine account is created in the AD domain as the CPPM server joins, so two servers whose hostnames differ only after the "." produce the same machine account name.

Change the hostname of one of the CPPM servers so that the part before the "." is unique, which prevents AD from removing/overwriting the computer account that already exists; then join that server to the AD domain again and confirm that both machine accounts are present under AD Computers.
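A pre-flight check for the collision described above, as an added example that is not part of this article or of ClearPass itself. It assumes only the rule the article states (everything after the first "." in the CPPM hostname is dropped when the machine account is created) and that AD computer account names are compared case-insensitively; the list of AD computer names it is run against is a constructed sample standing in for what you would read from AD Users and Computers.

```python
"""Check CPPM hostnames for AD machine-account collisions before joining."""
from collections import defaultdict


def machine_account_name(hostname: str) -> str:
    """Return the name AD will use for the computer account.

    Everything after the first "." is dropped, so "JohnsonServer.A" and
    "JohnsonServer.B" both become "JOHNSONSERVER". Upper-cased because AD
    account names are compared case-insensitively (assumption, not from the article).
    """
    return hostname.split(".", 1)[0].upper()


def find_collisions(hostnames):
    """Group hostnames by the machine-account name they would produce.

    Returns {account_name: [hostnames, ...]} only for names shared by more
    than one server, i.e. the servers that would overwrite each other's account.
    """
    groups = defaultdict(list)
    for host in hostnames:
        groups[machine_account_name(host)].append(host)
    return {name: hosts for name, hosts in groups.items() if len(hosts) > 1}


def missing_accounts(hostnames, ad_computer_names):
    """Return hostnames whose expected machine account is absent from AD.

    ad_computer_names: CN or sAMAccountName values exported from AD Computers;
    a trailing "$" (sAMAccountName form) is tolerated. Use this after renaming
    to confirm each server still needs (or already has) its own account.
    """
    present = {name.rstrip("$").upper() for name in ad_computer_names}
    return [h for h in hostnames if machine_account_name(h) not in present]


if __name__ == "__main__":
    # Constructed sample: the two servers from the article.
    before = ["JohnsonServer.A", "JohnsonServer.B"]
    print("collisions before rename:", find_collisions(before))

    # After renaming server 2 so the part before "." is unique.
    after = ["JohnsonServer.A", "JohnsonServerB"]
    print("collisions after rename:", find_collisions(after))

    # Constructed sample of AD Computers: only the surviving account exists,
    # so the renamed server must be joined again.
    ad_export = ["JohnsonServer$"]
    print("servers that still need to join:", missing_accounts(after, ad_export))
```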

 


Attachments:
server1.png
Server2.png
Server1A.png
Server2A.png
AD_Computer_Account.png
