Contributor

Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

I am getting ERROR_RPC_NETLOGON_FAILED when authenticating using MS-RPC against one domain controller.  The Kerberos test passes fine.  If I use the other domain controller, both MS-RPC and Kerberos work.  I built a new DC and only Kerberos works against it.  I've read the bug ID with AD and ISE related to this issue.  Removed and rejoined ISE to the domain, but that only works if it goes to DC01.  If it chooses DC02, MS-RPC fails.

Assuming this is a Microsoft Server issue but have not been able to find a fix.  Anyone encountered this and found a resolution?

DC01 2012 Essentials Server  -  MS_RPC and Kerberos Pass

DC02 2012 Standard Server    -  MS_RPC Fails and Kerberos Pass

Active Directory Security log shows on the working DC a successful impersonation delegation and shows my username.  On DC02 that is not working the impersonation delegation shows Null SID and not username.

MS_RPC Test from ISE

Error                   : Authentication encountered an error due to network, AD DNS misconfiguration. This may be a temporary error.

Processing Steps:

Resolving identity - username

Search for matching accounts at join point - domain.local

Single matching account found in forest - domain.local

Identity resolution detected single matching account

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

Failover threshold has been exceeded

1 ACCEPTED SOLUTION

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

DCDiag is needed to debug this issue fully.  Once I realized that DFS needed to be installed to replicate the SYSVOL, Netlogon, etc., the next error led me to restoring the SYSVOL.  Everything works as expected now.  Thanks for pointing me in the right direction with the Netlogon debugging.

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3) « Jorge's Quest For Kn…

Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Is there a Firewall between ISE and the domain controllers?

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

No

Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Is the same DC able to authenticate users on other domain-joined computers? If so, then please open a TAC case to investigate. If not, then it's best to consult with Microsoft support. Perhaps, the domain replication is not working correctly or something like that.

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Yes, it authenticates everything else fine and works with ISE Kerberos test.  I only have Partner ISE Licenses for Lab environment and do not have TAC support.  That is why I tried this forum. 

Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Have you tried Microsoft forums yet? I have no idea why it needs impersonation at all, and so far I am not finding anything useful in any of my searches.

Are you using some special access restrictions or some security measures to lock down the DC? A known extra permission needed by ISE (release 1.3+) is to grant ISE machine account or OU the read tokenGroups permission. This can be achieved by issuing the dsacls commands on each DC.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G "[****ISE_MACHINE_NAME***]$":rp;tokenGroups

In which Microsoft event log did you find such info? I looked at my 2008R2 and none of the events look like yours. Attached are my security events during a PC user auth against my DC.

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

I performed the steps to disable encryption but since it is MS-RPC and not Kerberos I don't think it helped.  Same error in packet capture as displayed in the error message when I run the test on ISE.  My guess is that this is an AD Problem.  No resolution on any MS Forums. I have the same GPO applied to DC01 that is working.

NetrLogonSamLogonEx response, STATUS_ACCESS_DENIED

I tried running the dsacls command against my user group and domain, but tokenGroups was not recognized.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G "[****ISE_MACHINE_NAME***]$":rp;tokenGroups
Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

It appears Microsoft Windows Server 2012 and 2012 R2 added Impersonation Level in the event logs and "NULL SID" could appear in normal events. Attached is my 2012 R2 security events while testing MS-RPC user auth from my ISE 2.1.

BRKSEC-2132 - What's new in ISE Active Directory connector (2016 Berlin)

Slide 130 shows how to disable encryption so as to take a more useful packet capture for understanding communication problems between ISE and AD.

Beginner

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

I am having the same issue, NFR ISE and 2012r2.

I have not tried another DC yet. I have 3, will try that and continue to research.

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Thank goodness I'm not the only one.  I built a new DC and it didn't help. 

Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

It does sound like the netlogon service on the DC is either not reachable or rejecting the connection.

A sniffer might not shed too much light on why.

If you can, I would suggest to enable netlogon debug and reproduce the issue and send us the netlogon debug log file.

This should give us some idea of what netlogon thinks is going on.

You can enable netlogon debug using nltest (easiest) or the Registry as per here:

https://support.microsoft.com/en-us/kb/109626

I would be interested in seeing the results.

Thanks

Chris

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

This does work on the working DC.  So far I haven't found a fix for this on any MS forums.  Can we force ISE to only use Kerberos and not MS_RPC?

PS C:\Windows\system32> nltest /DBFlag:2080FFFF

SYSTEM\CurrentControlSet\Services\Netlogon\Parameters set to 0x2080ffff

Flags: 0

Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

Contributor

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

Running dcdiag I found some errors about system volumes that led me to enable DFS.  After installing DFS I can now enable Netlogon debugging.  I will work on this later, but it looks like progress.  I'll work through the errors in the dcdiag output.

Cisco Employee

Re: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

It makes sense, sort of, according to this cifs protocol post -- [cifs-protocol] [REG:111071166110452] access denied in NetrLogonSamLogonEx
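The checks the thread converges on (Netlogon debug via nltest, dcdiag, and the DFS/SYSVOL replication state from the accepted solution) can be collected in one pass on the suspect DC. This is an added example, not code from the thread or from Cisco; the test account name `username`, the default Netlogon log path and the `-EnableDebug` switch are assumptions for the example.

```powershell
# Added example (not from the thread): run on the DC that fails the ISE MS-RPC test
# (dc02.domain.local in the thread) to gather the evidence the thread needed:
# Netlogon service state, SYSVOL/NETLOGON shares, the DFS Replication feature,
# dcdiag SysVol/NetLogons results, and Netlogon debug lines for the test account.
# $TestUser, $NetlogonLog and -EnableDebug are assumptions for this example.
param(
    [string]$TestUser = 'username',                         # account used in the ISE test
    [string]$NetlogonLog = "$env:windir\debug\netlogon.log", # default Netlogon debug log
    [switch]$EnableDebug                                    # set nltest /dbflag as in the thread
)

Write-Host "== Netlogon service =="
Get-Service Netlogon | Select-Object Status, StartType | Format-Table -AutoSize

Write-Host "== SYSVOL / NETLOGON shares (missing => SYSVOL not replicated or not advertised) =="
Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } |
    Select-Object Name, Path | Format-Table -AutoSize

Write-Host "== DFS Replication feature (needed to replicate SYSVOL with DFS-R) =="
Get-WindowsFeature FS-DFS-Replication | Select-Object Name, InstallState | Format-Table -AutoSize

Write-Host "== dcdiag SysVol / NetLogons / Advertising tests (pass/fail lines only) =="
dcdiag /test:SysVolCheck /test:NetLogons /test:Advertising |
    Select-String -Pattern 'failed test|passed test|warning|error'

if ($EnableDebug) {
    Write-Host "== Enabling Netlogon debug (same flag value used in the thread) =="
    nltest /dbflag:0x2080ffff | Out-Null
    Write-Host "Reproduce the ISE MS-RPC test now, then re-run this script without -EnableDebug."
    return
}

if (Test-Path $NetlogonLog) {
    Write-Host "== Netlogon debug entries for $TestUser mentioning SamLogon or access denied =="
    # NetrLogonSamLogonEx is the RPC call that returned STATUS_ACCESS_DENIED (0xC0000022)
    # in the capture; the log records the logon attempt and the NTSTATUS it returned.
    Get-Content $NetlogonLog -Tail 5000 |
        Select-String -Pattern "SamLogon.*$TestUser|$TestUser.*(ACCESS_DENIED|0xC0000022)" |
        Select-Object -Last 20
    # Debug logging is verbose; turn it off afterwards with: nltest /dbflag:0x0
} else {
    Write-Host "No $NetlogonLog yet; run with -EnableDebug and reproduce the failure first."
}
```

Run it once with `-EnableDebug`, reproduce the ISE MS-RPC test, then run it again to see the Netlogon entries alongside the dcdiag and SYSVOL results.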
