Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

  • 1.  Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Mar 04, 2016 01:18 PM

    Hello,

    I have 2 ClearPass servers on 6.5.5 and MS Windows 2012 domain controllers. Everything was working fine until I joined a second domain controller into the network, and now none of my users can authenticate. I've removed both ClearPass servers from the domain and rejoined them (multiple times), done multiple reboots as both members and non-members of the domain, time is synced on all parties, and the CLI command "ad testjoin" comes back OK on both ClearPass servers, but every time a user tries to authenticate to AD I get the error message "nt_status_access_denied: (0xc0000022)". I can browse the base DN in my authentication source on both servers, on both the primary and backup DC auth sources. Googling my error message comes back with Samba share junk. I have no idea what broke or how to fix it. Any help or ideas would be great. Thanks!



  • 2.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Mar 05, 2016 08:12 AM

    Just a thing

     

    Check if you still have the valid peap certificate on the secondary Domain controller.

     

    Also, do you have a WLC from which you can run "aaa test user" and get the Event Viewer logs to check it out, in case it is a certificate issue?



  • 3.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Mar 06, 2016 03:53 PM

    I've run an "aaa test user" from a controller and get the same error on ClearPass. I've also removed all references to the second DC from ClearPass and only used the original DC, with the same results.

     

    Also, during troubleshooting I stood up a brand new ClearPass VM, left it as its own publisher, joined it to the domain and immediately got the same authentication failure results, so I'm confident that this is an MS issue.



  • 4.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    EMPLOYEE
    Posted Mar 06, 2016 03:58 PM

    Is it possible that the user you are testing with only has rights to log in from a limited set of computers? This has nothing to do with the PEAP certificate on the ClearPass server, by the way...



  • 5.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Mar 08, 2016 04:50 PM

    Colin,

    I'm using my domain admin account for auth testing, and the ClearPass bind account is a service account that was created specifically for ClearPass and also has domain admin privileges. There are no restrictions on the "Log On To" options inside the user accounts in AD. Any Airheads want to sit down and show me where I'm screwed up?? =D



  • 6.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted May 27, 2016 12:51 PM

    Was wondering if you ever figured this out.



  • 7.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Jul 21, 2016 04:49 PM

    I'm having this exact same issue. I upgraded to 6.6.1 and joined 2 subscribers to my publisher, and now I cannot do MS-CHAPv2. Regular RADIUS and TACACS+ work fine, but any MS-CHAPv2-based service is hosed. Did you ever find a solution?



  • 8.  RE: Clearpass: Joined a new MS AD DC and now getting error "nt_status_access_denied 0xc0000022"

    Posted Jan 24, 2017 09:26 AM

    I am having a similar issue on CPPM 6.6.1.84176. I am getting the error below when trying to log on to our domain directly from CPPM. The AD connection seems to be OK though, since I am able to read/list the AD objects through the GUI.

     

    [appadmin@cppm]# ad auth -u USER -n DOMAIN
    password:
    ERROR - NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)
    [appadmin@cppm]#