Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM & NTLM error

  • 1.  CPPM & NTLM error

    Posted Apr 22, 2019 12:03 PM

    Hello,

     

    I had a customer deployment for CPPM (WLAN) back in February that was working like a charm (AD is Windows Server 2016).

    Recently I went back for wired discussion and found out that nothing was working, every user failed authentication.

     

    The error seen while debugging logs with Aruba TAC was "Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know. Killing connections to domain XYZ."

     

    I found out that the AD had been updated a few times since February..!!

     

    There is no issue with (all have been checked):

    • NTP/clock syncing
    • service account to bind/password not expire set (lookup is successful from auth source)
    • user to join domain is part of domain admins (domain join is successful)
    • No NTLM configuration was seen at customer's AD

    What is more interesting, when joining CPPM to an older DC that the customer had (no recent updates, on Win 2012) - everything started working again!!


    Is there something in Win 2016 updates that "break" that CPPM connection?

    Has anyone noticed this error? 

     

    I'm trying to find the updates that were applied and dig deeper in MS documentation and research on this. 



  • 2.  RE: CPPM & NTLM error

    EMPLOYEE
    Posted Apr 22, 2019 12:26 PM
    What version of CPPM?


  • 3.  RE: CPPM & NTLM error

    Posted Apr 22, 2019 01:11 PM

    Initially was 6.7.9. 

    Then I upgraded them to 6.8.0 in an effort to rectify, same result.

     

    It definitely looks like a MS update played a part, but I'm surprised that it's not an error you find much information on.



  • 4.  RE: CPPM & NTLM error

    EMPLOYEE
    Posted Apr 23, 2019 03:37 AM

    What sometimes happens is that the computer account that is created during the domain join of ClearPass is deleted, moved or changed by AD admins or automated processes.

     

    Have you checked if the join is still valid? You can check via the command line. Log in as appadmin to your ClearPass then run the AD testjoin command:

    [appadmin@cppm-nl]# ad testjoin
    
    ERROR - Insufficient arguments to proceed
    
    Usage:
        testjoin <domain NETBIOS name>
    
    [appadmin@cppm-nl]# ad testjoin NL
    Join is OK

    This computer account is independent of the account that you used to join ClearPass to your domain. If there are issues with the domain join, leave the domain then join again.

     

    If that doesn't work, can you share what is the error message that you see in Access Tracker?



  • 5.  RE: CPPM & NTLM error

    Posted Apr 23, 2019 08:50 AM

    Yes, left and rejoined the domain multiple times, all successful joins, but the error always persists when it comes to authenticating users.

     

    The testjoin is successful as well from the CLI.

     

    The error seen on the access tracker is "error code 216", which is explained here (not helpful though in this case): https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Error-Codes/ta-p/260799

     

    I've attached a picture (sorry for the poor quality but the customer captured this) which is basically the error, as seen in debug logs from the samba file, on the CLI.

    The actual error reads:

    sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain XYZ.
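
    Added example (not part of the original post and not Aruba or Samba code): a small Python triage script that finds the sam_logon ACCESS_DENIED message quoted above in a collected Samba/winbind debug log and reports, per domain, how often it occurred and when it first and last appeared, so the onset can be compared with the dates updates were applied to the DC. The log layout (a bracketed timestamp header followed by indented message lines) and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Samba's default two-line layout (header, then indented
# message); timestamps and the header's source location are made up.
SAMPLE_LOG = """\
[2019/04/23 08:40:02.100000,  3] ../source3/winbindd/winbindd_misc.c:1(constructed)
  winbindd_ping: ping from pid 4242
[2019/04/23 08:41:07.512345,  1] ../source3/winbindd/winbindd_pam.c:1(constructed)
  sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the trust
  account password was changed and we didn't know it. Killing connections to domain XYZ.
[2019/04/23 09:15:44.000321,  1] ../source3/winbindd/winbindd_pam.c:1(constructed)
  sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain XYZ.
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
DENIED = re.compile(r"sam_logon returned ACCESS_DENIED\..*?"
                    r"Killing connections to domain (\S+?)\.?$")

def entries(text):
    """Yield (timestamp, message) with wrapped message lines joined."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []
        elif stamp and line.strip():
            parts.append(line.strip())
    if stamp:
        yield stamp, " ".join(parts)

def samlogon_denials(text):
    """Map domain -> {count, first, last} for the ACCESS_DENIED message."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for stamp, msg in entries(text):
        m = DENIED.search(msg)
        if m:
            d = out[m.group(1)]
            d["count"] += 1
            d["first"] = min(d["first"] or stamp, stamp)
            d["last"] = max(d["last"] or stamp, stamp)
    return dict(out)

if __name__ == "__main__":
    for dom, d in samlogon_denials(SAMPLE_LOG).items():
        print(dom, d["count"], d["first"], d["last"])
```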



  • 6.  RE: CPPM & NTLM error

    EMPLOYEE
    Posted Apr 24, 2019 03:53 AM

    Could it be that the customer 'hardened' the AD and disabled NTLM? I found this page that describes how you can do that. The message should be different, NTLM Blocked, according to that page.

     

    Please work with Aruba TAC to get this further investigated.



  • 7.  RE: CPPM & NTLM error

    Posted Apr 25, 2019 08:28 AM

    I had them check any GPOs they might have for NTLM related settings, all seemed to be "not defined".

     

    I had also checked that link, thank you.

     

    Working with Aruba TAC we found out that error, but since it was resolved when using an older DC, it seemed that Aruba was pointing to AD (which is most likely valid) and kind of "stepping away".

     

     



  • 8.  RE: CPPM & NTLM error

    EMPLOYEE
    Posted Apr 03, 2020 11:33 AM

    Evangelos,

     

    Were you ever able to determine the root cause of this? I'm seeing identical behavior with a customer now. 

     

     

    Thanks!



  • 9.  RE: CPPM & NTLM error

    Posted Apr 03, 2020 11:45 AM

    Hi,

    No, the customer was not keen on looking further into it, and their AD was out of the project scope and access.

     

    I can tell you that it's related to NTLM and Samba, and specific Microsoft updates on these.

     

    When we used an AD that had not been updated, things worked just fine.

    Customer did not even know the specific updates that had been applied.



  • 10.  RE: CPPM & NTLM error

    EMPLOYEE
    Posted Apr 03, 2020 11:50 AM
    Thank you for the quick reply! That helps, and I will head down that path.


    JOSHUA WILLIAMS
    SYSTEMS ENGINEER | OKLAHOMA
    M: 405.693.3664 | @802dotMe
