topic Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED in Network Access Control

Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Fri, 19 Aug 2016 17:52:45 GMT

I am getting ERROR_RPC_NETLOGON_FAILED when authentication using MS-RPC against one domain controller. Kerberos test pass fine. If I use the other domain controller, both MS-RPC and Kerberos work. I built a new DC and only Kerberos works against it. I've read the bug id with AD and ISE related to this issue. Removed and Rejoined ISE to the domain but that only works if it goes to DC01. If it chooses DC02, MS-RPC fails.

Assuming this is a Microsoft Server issue but have not been able to find a fix. Anyone encountered this and found a resolution?

DC01 2012 Essentials Server - MS_RPC and Kerberos Pass

DC02 2012 Standard Server - MS_RPC Fails and Kerberos Pass

Active Directory Security log shows on the working DC a successful impersonation delegation and shows my username. On DC02 that is not working the impersonation delegation shows Null SID and not username.

MS_RPC Test from ISE

Error : Authentication encountered an error due to network, AD DNS misconfiguration. This may be a temporary error.

Processing Steps:

Resolving identity - username

Search for matching accounts at join point - domain.local

Single matching account found in forest - domain.local

Identity resolution detected single matching account

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

Failover threshold has been exceeded

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hariholla — Tue, 23 Aug 2016 23:09:30 GMT

Is there a Firewall between ISE and the domain controllers?

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Tue, 23 Aug 2016 23:17:37 GMT

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hslai — Wed, 24 Aug 2016 00:29:39 GMT

Is the same DC able to authenticate users on other domain-joined computers? If so, then please open a TAC case to investigate. If not, then it's best to consult with Microsoft support. Perhaps, the domain replication is not working correctly or something like that.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Wed, 24 Aug 2016 12:42:19 GMT

Yes, it authenticates everything else fine and works with ISE Kerberos test. I only have Partner ISE Licenses for Lab environment and do not have TAC support. That is why I tried this forum.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hslai — Fri, 26 Aug 2016 21:02:04 GMT

Have you tried Microsoft forums yet? I have no idea why it needing impersonation at all and so far not finding anything useful in any of my searches.

Are you using some special access restrictions or some security measures to lock down the DC? A known extra permission needed by ISE (release 1.3+) is to grant ISE machine account or OU the read tokenGroups permission. This can be achieved by issuing the dsacls commands on each DC.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G “[****ISE_MACHINE_NAME***]$":rp;tokenGroups

Which Microsoft event log did you find such info? I looked at my 2008R2 and none of the events like yours. Attached is my security events during a PC user auth against my DC.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hslai — Fri, 26 Aug 2016 23:15:02 GMT

It appears Microsoft Windows Server 2012 and 2012 R2 added Impersonation Level in the event logs and "NULL SID" could appear in normal events. Attached is my 2012 R2 security events while testing MS-RPC user auth from my ISE 2.1.

BRKSEC-2132 - What's new in ISE Active Directory connector (2016 Berlin)

slide 130 shows how to disable encryption so to take a more useful packet capture in understanding communication problem between ISE and AD.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Wed, 31 Aug 2016 03:13:49 GMT

I performed the steps to disable encryption but since it is MS-RPC and not Kerberos I don't think it helped. Same error in packet capture as displayed in the error message when I run the test on ISE. My guess is that this is an AD Problem. No resolution on any MS Forums. I have the same GPO applied to DC01 that is working.

NetrLogonSamLogonEx response, STATUS_ACCESS_DENIED

I tried running the dsacls agains my user group and domain but the tokengroups was not recognized.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G “[****ISE_MACHINE_NAME***]$":rp;tokenGroups

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

bwm0875 — Thu, 01 Sep 2016 16:03:00 GMT

I am having the same issue, NFR ISE and 2012r2.

I have not tried another DC yet. I have 3, will try that and continue to research.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Thu, 01 Sep 2016 16:40:21 GMT

Thank goodness I'm not the only one. I built a new DC and it didn't help.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

ChrisMurray — Fri, 02 Sep 2016 10:42:48 GMT

It does sound like the netlogon service on the DC is either not reachable or rejecting the connection.

A sniffer might not shed too much light on why.

If you can, I would suggest to enable netlogon debug and reproduce the issue and send us the netlogon debug log file.

This should give us some idea of what netlogon thinks is going on.

You can enable netlogon debug using nltest (easiest) or the Registry as per here:

https://support.microsoft.com/en-us/kb/109626 https://support.microsoft.com/en-us/kb/109626

I would be interested in seeing the results.

Thanks

Chris

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Sat, 03 Sep 2016 03:25:58 GMT

This does work on the working DC. So far I haven't found a fix for this on any MS forums. Can we force ISE to only user Kerberos and not MS_RPC?

PS C:\Windows\system32> nltest /DBFlag:2080FFFF

SYSTEM\CurrentControlSet\Services\Netlogon\Parameters set to 0x2080ffff

Flags: 0

Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Sat, 03 Sep 2016 04:00:22 GMT

Running dcdiag I found some errors about system volumes that lead me to enable DFS. After installing DFS I can now enable netlogon debugging. I will work on this later but looks like progress. I'll work through the errors in the dcdiag.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hslai — Mon, 05 Sep 2016 01:56:13 GMT

It makes sense, sort of, according to this cifs protocol post -- [cifs-protocol] [REG:111071166110452] access denied in NetrLogonSamLogonEx

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Mon, 05 Sep 2016 14:55:01 GMT

DCDiag is needed to debug this issue fully. Once I realized that DFS needed to be installed to replicate the Sysvol, Netlogin, etc, the next error lead me restoring the sysvol. Everything works as expected now. Thanks for pointing me in the right direction with the netlogin debugging.

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3) « Jorge's Quest For Kn…

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

ChrisMurray — Mon, 05 Sep 2016 17:54:54 GMT

Great to hear you got it working.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

bwm0875 — Mon, 10 Oct 2016 16:18:41 GMT

hi guys, my apologies, i forgot to update my thread. I re-installed my AD as it was an upgraded directory from 2008r2 to 2012r2 over a couple of years. As i reviewed, I was actually having directory replication issues, so i decided to reload fresh on 2012r2. Everything is working as expected now. Thanks Goodness!!!

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

geeyc5113 — Mon, 13 Nov 2017 06:26:14 GMT

HI Guys,

I have the similar problem. But my case is a bit different. Both my PSN01 and PSN02 connected to same domain controller, DC01.

PSN01 --> DC01, RPC logon failed.

PSN02 --> DC01, RPC logon successful.

In this case, what could be the possibilities?

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

hslai — Mon, 13 Nov 2017 14:41:36 GMT

If your deployment has multiple domain controllers, please still investigate Active Directory health. For a single domain controller setup (e.g. in a lab), please wait for 5 minutes and see whether it recovers, as you might have hit CSCvf71029.

Please engage Cisco TAC for further troubleshoots.

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder — Mon, 13 Nov 2017 14:54:40 GMT

I just had this same issue. Both ISE Servers were joined to the domain, and one of them dropped off. I ran a diagnostics (same place you join to the domain) and it was failing on the two messages both related to Kerberos. AD was healthy. I can not remember what the exact fix was but it was something in ISE. I believe I failed it back to the primary server, rebooted it, checked NTP (Made some corrections to time sources I was syncing).

Run the diagnostic tool under External ID Sources/AD. This will give you the best direction to troubleshoot.