Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder
Level 5

I am getting ERROR_RPC_NETLOGON_FAILED when authenticating using MS-RPC against one domain controller.  Kerberos tests pass fine.  If I use the other domain controller, both MS-RPC and Kerberos work.  I built a new DC and only Kerberos works against it.  I've read the bug ID with AD and ISE related to this issue.  Removed and rejoined ISE to the domain, but that only works if it goes to DC01.  If it chooses DC02, MS-RPC fails.

Assuming this is a Microsoft Server issue, but I have not been able to find a fix.  Has anyone encountered this and found a resolution?

DC01 2012 Essentials Server  -  MS-RPC and Kerberos pass

DC02 2012 Standard Server    -  MS-RPC fails and Kerberos passes

The Active Directory Security log on the working DC shows a successful impersonation delegation and shows my username.  On DC02, which is not working, the impersonation delegation shows a Null SID and not the username.

MS-RPC Test from ISE

Error                   : Authentication encountered an error due to network, AD DNS misconfiguration. This may be a temporary error.

Processing Steps:

Resolving identity - username

Search for matching accounts at join point - domain.local

Single matching account found in forest - domain.local

Identity resolution detected single matching account

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

Failover threshold has been exceeded
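The processing steps above stop at "Communication with domain controller failed" and do not say why DC02 rejects the Netlogon request while DC01 accepts it. The following checks are an added example, not code from the original post or from Cisco ISE: they run the same checks a practitioner would use to compare the two DCs (clock skew, the Netlogon secure channel, inbound replication, dcdiag, and the DC's Security log for the test account). The hostnames dc01.domain.local and dc02.domain.local, the domain domain.local and the account name "username" are placeholders taken from the post; it assumes a domain-joined Windows host with the RSAT tools (w32tm, nltest, repadmin, dcdiag) installed and remote event-log access to both DCs.

```powershell
# Added example, not from the thread: compare the DC that passes MS-RPC with the one
# that fails it. Hostnames, domain and account are placeholders taken from the post.
$Domain  = 'domain.local'
$Account = 'username'                        # the ISE test account from the processing steps
$DCs     = 'dc01.domain.local', 'dc02.domain.local'

foreach ($dc in $DCs) {
    Write-Host "===== $dc =====" -ForegroundColor Cyan

    # 1. Clock offset between this host and the DC. Kerberos tolerates 5 minutes of skew
    #    by default; one reply in the thread fixed the problem after correcting NTP sources.
    w32tm /stripchart /computer:$dc /samples:3 /dataonly

    # 2. Netlogon secure channel to this specific DC. ISE's MS-RPC logon is a Netlogon
    #    RPC call to the DC (hence ERROR_RPC_NETLOGON_FAILED), so a DC that fails here
    #    cannot serve pass-through logons.
    nltest /server:$dc /sc_verify:$Domain

    # 3. Inbound replication errors for this DC only (the root cause one reply found).
    repadmin /showrepl $dc /errorsonly

    # 4. Targeted dcdiag: replication, Netlogon and DNS tests; quiet mode prints only failures.
    dcdiag /s:$dc /test:Replications /test:NetLogons /test:DNS /q

    # 5. Security log on the DC for the test account over the last hour:
    #    4624 = logon succeeded, 4625 = logon failed, 4776 = NTLM credential validation
    #    (what a Netlogon pass-through from a member server produces on the DC).
    #    A TargetUserSid of S-1-0-0 is the well-known Null SID the post describes.
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4776
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable so the three
        # event types can be reported with one shape.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            User        = $data['TargetUserName']
            Sid         = $data['TargetUserSid']          # only on 4624/4625
            LogonType   = $data['LogonType']              # only on 4624/4625
            # 4624/4625 call the field WorkstationName, 4776 calls it Workstation
            Workstation = if ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['Workstation'] }
            Status      = $data['Status']                 # NTSTATUS on 4625/4776
            Source      = $data['IpAddress']
        }
    } |
    Where-Object { $_.User -like "$Account*" } |
    Sort-Object Time |
    Format-Table -AutoSize
}
```

Run it once and read the two sections side by side: a non-zero w32tm offset, a failed sc_verify, repadmin errors or dcdiag failures that appear only under DC02 point at the DC rather than at ISE, while a 4776/4625 on DC02 with a Status code for the same account that gets a 4624 on DC01 confirms that the DC itself is refusing the pass-through logon.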

21 Replies

Great to hear you got it working.

bwm0875
Level 1

Hi guys, my apologies, I forgot to update my thread. I re-installed my AD, as it was an upgraded directory from 2008 R2 to 2012 R2 over a couple of years. As I reviewed it, I was actually having directory replication issues, so I decided to reload fresh on 2012 R2. Everything is working as expected now.   Thank goodness!!!

geeyc5113
Level 1

Hi guys,

I have a similar problem, but my case is a bit different.  Both my PSN01 and PSN02 are connected to the same domain controller, DC01.

PSN01 --> DC01,  RPC logon failed.

PSN02 --> DC01, RPC logon successful.

In this case, what could be the possibilities?

If your deployment has multiple domain controllers, please still investigate Active Directory health. For a single domain controller setup (e.g. in a lab), please wait for 5 minutes and see whether it recovers, as you might have hit CSCvf71029.

Please engage Cisco TAC for further troubleshooting.

It has nothing to do with the flapping.  We have used 3 user IDs for troubleshooting.

User ID A

PSN01 --> DC01, RPC logon success

PSN02 --> DC01, RPC logon success

User ID B

PSN01 --> DC01, RPC logon success

PSN02 --> DC01, RPC logon failed

User ID C

PSN01 --> DC01, RPC logon failed

PSN02 --> DC01, RPC logon failed.

With these 3 user IDs, we are stuck and unable to identify where the problem would be. I have reset the AD connector and also restarted the application services, still no luck. Anyway, we have lodged a TAC case to investigate.  Still waiting for the investigation results.  Just in case any of you have had a similar experience, which may help to solve the issue.

I just had this same issue.  Both ISE servers were joined to the domain, and one of them dropped off.  I ran diagnostics (same place you join to the domain) and it was failing on the two messages, both related to Kerberos.  AD was healthy.  I cannot remember what the exact fix was, but it was something in ISE.  I believe I failed it back to the primary server, rebooted it, and checked NTP (made some corrections to the time sources I was syncing).

Run the diagnostic tool under External ID Sources/AD.  This will give you the best direction to troubleshoot.

Diagnostic tools have been run and all nodes are healthy.
