Machine account password error - 24485

eric.towery1
Level 1

Team -

We are starting to roll out ISE in low impact and we are noticing an issue when it comes to some machines. Some machines are hitting our low impact policy because of a specific error regarding machine passwords.

Error Code: 24485 Machine authentication against Active Directory has failed because of wrong password

We have noticed this is on the AD side because a machine password will expire at 30 days; the computer will communicate with a local domain controller to receive the new password. The replication from the local domain controller to the data center is set for every 15 minutes, which is where we think the problem happens. Due to replication, machines try to authenticate via PEAP and fail because the passwords are not correct at the data center where the primary PSN is located. Machines are in a low impact state for 15-20 minutes while replication takes place.

Has anyone else experienced this issue and how did you resolve it?

Thank you greatly and looking forward to the feedback.

-Eric

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee

The machine password is changed on the client per policy (every 30 days by default) and it is the client which updates the DC upon the change. Typically the password updates are immediate and do not follow the typical AD replication schedule. The following article here from MS TechNet shows that there is a Group Policy setting "Contact PDC on logon failure" which can affect the password replication. Can you check to see if it is enabled?
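As an added illustration (not part of howon's reply or anything Cisco published), the following PowerShell check shows whether a given computer account's password change has reached every domain controller yet, which is the replication window Eric describes. It assumes the RSAT ActiveDirectory module on a domain-joined admin host and a single domain; the computer name is the hypothetical parameter.

```powershell
# Added example: compare a computer account's pwdLastSet on every DC.
# If the values differ, the machine password change has not replicated
# everywhere yet, and a PSN querying a lagging DC would see the old
# password (the condition behind ISE error 24485 in this thread).
# Assumes: RSAT ActiveDirectory module, single domain, read access to AD.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName   # computer object Name, e.g. 'WS-LAB-01' (constructed placeholder)
)

Import-Module ActiveDirectory

# Every DC in the domain; each one is queried directly with -Server so
# we read its local copy of the attribute instead of whichever DC the
# module happens to bind to.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $acct = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc -Properties pwdLastSet
        [pscustomobject]@{
            DomainController = $dc
            # pwdLastSet is a Windows FILETIME stored as Int64
            PwdLastSet       = if ($acct) { [DateTime]::FromFileTimeUtc($acct.pwdLastSet) } else { $null }
        }
    } catch {
        # DC unreachable or query failed; record it rather than abort
        [pscustomobject]@{ DomainController = $dc; PwdLastSet = $null }
    }
}

$results | Sort-Object PwdLastSet | Format-Table -AutoSize

# More than one distinct timestamp means some DCs still hold the old value.
$distinct = $results | Where-Object { $_.PwdLastSet } |
    Select-Object -ExpandProperty PwdLastSet | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "pwdLastSet differs across DCs: machine password change for $ComputerName is still replicating."
} else {
    Write-Host "pwdLastSet for $ComputerName is consistent across $(@($results).Count) DCs."
}
```

Run it right after a client has rotated its machine password (or compare the output against the time of a 24485 event in the ISE live log) to confirm whether the failing PSN's DC is the one lagging behind.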

