Occasional Contributor II

CPPM & NTLM error

Hello,

I had a customer deployment for CPPM (WLAN) back in February that was working like a charm (AD is Windows Server 2016).

Recently I went back for wired discussion and found out that nothing was working, every user failed authentication.

The error seen while debugging logs with Aruba TAC was "Maybe the DC has Restrict NTLM set or the trust account password was changed and we did't know. Killing connections to domain XYZ."

I found out that the AD had been updated a few times since February..!!

There is no issue with (all have been checked):

  • NTP/clock syncing
  • service account to bind/password not expire set (lookup is successful from auth source)
  • user to join domain is part of domain admins (domain join is successful)
  • No NTLM configuration was seen at customer's AD

What is more interesting, when joining CPPM to an older DC that the customer had (no recent updates, on Win 2012) - everything started working again!!


Is there something in Win 2016 updates that "break" that CPPM connection?

Has anyone noticed this error?

I'm trying to find the updates that were applied and dig deeper in MS documentation and research on this. 

Guru Elite

Re: CPPM

What version of CPPM?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: CPPM

Initially was 6.7.9. 

Then I upgraded them to 6.8.0 in an effort to rectify, same result.

It definitely looks like a MS update played a part, but I'm surprised that it's not an error you find much information on.

MVP Guru

Re: CPPM

What sometimes happens is that the computer account that is created during the domain join of ClearPass is deleted, moved or changed by AD admins or automated processes.

Have you checked if the join is still valid? You can check via the command line. Log in as appadmin to your ClearPass, then run the AD testjoin command:

[appadmin@cppm-nl]# ad testjoin

ERROR - Insufficient arguments to proceed

Usage:
    testjoin <domain NETBIOS name>

[appadmin@cppm-nl]# ad testjoin NL
Join is OK

This computer account is independent of the account that you used to join ClearPass to your domain. If there are issues with the domain join, leave the domain then join again.

If that doesn't work, can you share what is the error message that you see in Access Tracker?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: CPPM

Yes, left and rejoined the domain multiple times, all successful joins, but the error always persisted when it came to authenticating users.

The testjoin is successful as well from the CLI.

The error seen on the access tracker is "error code 216", which is explained here (not helpful though in this case): https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Error-Codes/ta-p/260799

I've attached a picture (sorry for the poor quality but the customer captured this) which is basically the error, as seen in debug logs from the samba file, on the CLI.

The actual error reads:

sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain XYZ.

MVP Guru

Re: CPPM

Could it be that the customer 'hardened' the AD and disabled NTLM? I found this page that describes how you can do that. The message should be different, NTLM Blocked, according to that page.

Please work with Aruba TAC to get this further investigated.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: CPPM

I had them check any GPOs they might have for NTLM related settings, all seemed to be "not defined".

I had also checked that link, thank you.

Working with Aruba TAC we found out that error, but since it was resolved when using an older DC, it seemed that Aruba was pointing to AD (which is most likely valid) and kind of "stepping away".
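As an added example (not from this thread, and not Aruba's or Microsoft's code), a PowerShell check run directly on the DC that reports the registry values behind the "Network security: Restrict NTLM" policies and the LAN Manager authentication level, so you see the effective setting even when the GPO editor shows "not defined", and then lists recent entries from the NTLM operational log where blocked or audited NTLM logons are recorded. The registry paths and log name are Microsoft's documented ones; the value-to-meaning tables are assumed from the policy documentation and should be checked against the DC's own OS version.

```powershell
# Added example: report the DC's effective NTLM restriction settings.
# Run in an elevated PowerShell session on the domain controller.
$checks = @(
    @{ Name = 'Restrict NTLM: Incoming NTLM traffic'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictReceivingNTLMTraffic'
       Map  = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } },
    @{ Name = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic'
       Map  = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
    @{ Name = 'Restrict NTLM: NTLM authentication in this domain'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Key  = 'RestrictNTLMInDomain'
       Map  = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                 3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' } },
    @{ Name = 'LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'
       Map  = @{ 0 = 'Send LM & NTLM'; 1 = 'Send LM & NTLM, NTLMv2 session security if negotiated'
                 2 = 'Send NTLM only'; 3 = 'Send NTLMv2 only'
                 4 = 'Send NTLMv2, refuse LM'; 5 = 'Send NTLMv2, refuse LM & NTLM' } }
)

foreach ($c in $checks) {
    # A missing value means the policy is not configured and the OS default applies.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    if ($null -eq $value) { $meaning = 'Not defined (OS default applies)' }
    elseif ($c.Map.ContainsKey([int]$value)) { $meaning = $c.Map[[int]$value] }
    else { $meaning = "Unrecognised value $value" }
    [pscustomobject]@{ Setting = $c.Name; Value = $value; Meaning = $meaning }
}

# Blocked and audited NTLM authentications are written to the NTLM operational
# channel; a burst of entries here that lines up with the failed user logons
# points at an NTLM restriction rather than at the ClearPass machine account.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on both the updated 2016 DC and the older 2012 DC and diff the two result sets; a difference in any of the four settings is the first thing to feed back to TAC.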