Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7993
Views
0
Helpful
1
Replies

Machine account password error - 24485

Go to solution
eric.towery1
Level 1
Level 1

‎07-07-2017 05:47 AM

Team -

We are starting to roll out ISE in low impact and we are noticing an issue when it comes to some machines. Some machines hitting our low impact policy because of a specific error regarding machine passwords.

Error Code: 24485 Machine authentication against Active Directory has failed because of wrong password

We have noticed this is to be on the AD side because a machine password will expire at 30 days, the computer will communicate with a local domain controller to receive the new password. The replication from the local domain controller to the data center is set for every 15 minutes, which is where we think the problem happens. Due to replication, machines try to authenticate via peap and fail due to the passwords not being correct at the data center where the primary PSN is located. Machines are in a low impact state for 15-20 minutes while replication takes place.

Has anyone else experienced this issue and how did you resolve it?

Thank you greatly and looking forward to the feedback.

-Eric

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎07-07-2017 06:54 AM

The machine password is changed on the client per policy (every 30 days as default) and it is the client which updates the DC upon the change. Typically the password updates are immediate and does not follow the typical AD replication schedule. In the following article here from MS Technet shows that there is a Group Policy setting “Contact PDC on logon failure” which can affect the password replication. Can you check to see if it is enabled?

View solution in original post

0 Helpful
1 Reply 1

Go to solution
howon
Cisco Employee
Cisco Employee

‎07-07-2017 06:54 AM

The machine password is changed on the client per policy (every 30 days as default) and it is the client which updates the DC upon the change. Typically the password updates are immediate and does not follow the typical AD replication schedule. In the following article here from MS Technet shows that there is a Group Policy setting “Contact PDC on logon failure” which can affect the password replication. Can you check to see if it is enabled?

0 Helpful
Customers Also Viewed These Support Documents