Solved: Active Directory Authentication ERROR_RPC_NETLOGON_FAILED

nsn-amagruder · ‎08-19-2016

I am getting ERROR_RPC_NETLOGON_FAILED when authentication using MS-RPC against one domain controller. Kerberos test pass fine. If I use the other domain controller, both MS-RPC and Kerberos work. I built a new DC and only Kerberos works against it. I've read the bug id with AD and ISE related to this issue. Removed and Rejoined ISE to the domain but that only works if it goes to DC01. If it chooses DC02, MS-RPC fails.

Assuming this is a Microsoft Server issue but have not been able to find a fix. Anyone encountered this and found a resolution?

DC01 2012 Essentials Server - MS_RPC and Kerberos Pass

DC02 2012 Standard Server - MS_RPC Fails and Kerberos Pass

Active Directory Security log shows on the working DC a successful impersonation delegation and shows my username. On DC02 that is not working the impersonation delegation shows Null SID and not username.

MS_RPC Test from ISE

Error : Authentication encountered an error due to network, AD DNS misconfiguration. This may be a temporary error.

Processing Steps:

Resolving identity - username

Search for matching accounts at join point - domain.local

Single matching account found in forest - domain.local

Identity resolution detected single matching account

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local

Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED

Failover threshold has been exceeded

nsn-amagruder · ‎09-05-2016

DCDiag is needed to debug this issue fully. Once I realized that DFS needed to be installed to replicate the Sysvol, Netlogin, etc, the next error lead me restoring the sysvol. Everything works as expected now. Thanks for pointing me in the right direction with the netlogin debugging.

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3) « Jorge's Quest For Kn…

View solution in original post

hariholla · ‎08-23-2016

Is there a Firewall between ISE and the domain controllers?

nsn-amagruder · ‎08-23-2016

No

hslai · ‎08-23-2016

Is the same DC able to authenticate users on other domain-joined computers? If so, then please open a TAC case to investigate. If not, then it's best to consult with Microsoft support. Perhaps, the domain replication is not working correctly or something like that.

nsn-amagruder · ‎08-24-2016

Yes, it authenticates everything else fine and works with ISE Kerberos test. I only have Partner ISE Licenses for Lab environment and do not have TAC support. That is why I tried this forum.

hslai · ‎08-26-2016

Have you tried Microsoft forums yet? I have no idea why it needing impersonation at all and so far not finding anything useful in any of my searches.

Are you using some special access restrictions or some security measures to lock down the DC? A known extra permission needed by ISE (release 1.3+) is to grant ISE machine account or OU the read tokenGroups permission. This can be achieved by issuing the dsacls commands on each DC.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G “[****ISE_MACHINE_NAME***]$":rp;tokenGroups

Which Microsoft event log did you find such info? I looked at my 2008R2 and none of the events like yours. Attached is my security events during a PC user auth against my DC.

nsn-amagruder · ‎08-30-2016

I performed the steps to disable encryption but since it is MS-RPC and not Kerberos I don't think it helped. Same error in packet capture as displayed in the error message when I run the test on ISE. My guess is that this is an AD Problem. No resolution on any MS Forums. I have the same GPO applied to DC01 that is working.

0

NetrLogonSamLogonEx response, STATUS_ACCESS_DENIED

I tried running the dsacls agains my user group and domain but the tokengroups was not recognized.

dsacls "OU=XYZ,OU=External,OU=Users,OU=EG,DC=myDemo,DC=aSLD,DC=aTLD" /I:T /G “[****ISE_MACHINE_NAME***]$":rp;tokenGroups

hslai · ‎08-26-2016

It appears Microsoft Windows Server 2012 and 2012 R2 added Impersonation Level in the event logs and "NULL SID" could appear in normal events. Attached is my 2012 R2 security events while testing MS-RPC user auth from my ISE 2.1.

BRKSEC-2132 - What's new in ISE Active Directory connector (2016 Berlin)

slide 130 shows how to disable encryption so to take a more useful packet capture in understanding communication problem between ISE and AD.

bwm0875 · ‎09-01-2016

I am having the same issue, NFR ISE and 2012r2.

I have not tried another DC yet. I have 3, will try that and continue to research.

nsn-amagruder · ‎09-01-2016

Thank goodness I'm not the only one. I built a new DC and it didn't help.

ChrisMurray · ‎09-02-2016

It does sound like the netlogon service on the DC is either not reachable or rejecting the connection.

A sniffer might not shed too much light on why.

If you can, I would suggest to enable netlogon debug and reproduce the issue and send us the netlogon debug log file.

This should give us some idea of what netlogon thinks is going on.

You can enable netlogon debug using nltest (easiest) or the Registry as per here:

https://support.microsoft.com/en-us/kb/109626 https://support.microsoft.com/en-us/kb/109626

I would be interested in seeing the results.

Thanks

Chris

nsn-amagruder · ‎09-02-2016

This does work on the working DC. So far I haven't found a fix for this on any MS forums. Can we force ISE to only user Kerberos and not MS_RPC?

PS C:\Windows\system32> nltest /DBFlag:2080FFFF

SYSTEM\CurrentControlSet\Services\Netlogon\Parameters set to 0x2080ffff

Flags: 0

Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

nsn-amagruder · ‎09-02-2016

Running dcdiag I found some errors about system volumes that lead me to enable DFS. After installing DFS I can now enable netlogon debugging. I will work on this later but looks like progress. I'll work through the errors in the dcdiag.

hslai · ‎09-04-2016

It makes sense, sort of, according to this cifs protocol post -- [cifs-protocol] [REG:111071166110452] access denied in NetrLogonSamLogonEx

nsn-amagruder · ‎09-05-2016

DCDiag is needed to debug this issue fully. Once I realized that DFS needed to be installed to replicate the Sysvol, Netlogin, etc, the next error lead me restoring the sysvol. Everything works as expected now. Thanks for pointing me in the right direction with the netlogin debugging.

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3) « Jorge's Quest For Kn…