
Where in the log to find successful/failed Windows machine authentication

KelvinT
Level 1

Hi,

 

Does anyone know where in the Windows logs (Event Viewer, NETLOGON, etc.) to see a successful machine authentication and/or failure, on both the client and server side?

 

If possible do you have log examples of both?

 

I have a client that is using ISE MAR and seeing on ISE logs:

 

ISE has not confirmed locally previous successful machine authentication for user in Active Directory
ISE peers have not confirmed previous successful machine authentication for user in Active Directory
 
I found a few search results pointing to NETLOGON in system event viewer and enabling netlogon debug and viewing the netlogon.log.  Neither gave a clear log showing success/failure.
 
Thanks.
3 Replies

Greg Gibbs
Cisco Employee

Have a look at Advanced troubleshooting 802.1X authentication 

 

Those failure logs could be related to the MAR cache timing out or other known issues with MAR. If you're not familiar with them already, I would suggest reviewing the following documents.

Machine Access Restriction Pros and Cons 

Network World - Machine Authentication and User Authentication

 

Hi Greg,

 

Thanks for the response.

 

The 1st link is for Windows NPS.

 

I am familiar with the next 2 links.  The MAR cache is set at 6 hrs.  I also have a pair of PSNs grouped to share the MAR cache.

 

I'm trying to find logs to confirm and/or deny Windows machine authc.

 

Thanks again Greg

Hello,

 

I found this link which was very helpful.

https://www.itprotoday.com/strategy/understanding-and-detecting-secure-channel-problems

 

If we use the command below as an admin on the machine/PC it will do 1 of 2 things:

1- Confirm/deny a secured channel issue, i.e. a machine authz issue.

2- Fix the secured channel issue.

 

Note:  Replace DOMAINNAME with your domain

command:  nltest /sc_verify:DOMAINNAME

 

Example of a successful test:

C:\>nltest /sc_verify:americas
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DD3-AM-DC-03.americas.fabrikam.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

Anything else is an issue.

 

The result of this changed the status in ISE to show successful machine authz.
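
The check described in the reply above, as an added example that is not part of the original thread: a PowerShell function that parses `nltest /sc_verify` output and reports the secure channel as healthy only when both status lines show 0, in line with "anything else is an issue". The function name and the second sample (a failing output) are constructed for illustration.

```powershell
# Added example (not from the thread): classify `nltest /sc_verify:<domain>` output.
# Healthy only if BOTH status lines report 0; missing or non-zero values fail closed.
function ConvertFrom-NltestScVerify {
    param([string[]]$Lines = @())

    $r = [ordered]@{
        TrustedDC        = $null
        ConnectionStatus = $null; ConnectionName = $null
        VerifyStatus     = $null; VerifyName     = $null
        Healthy          = $false
    }
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^\s*Trusted DC Name\s+(\S+)' { $r.TrustedDC = $Matches[1] }
            '^\s*Trusted DC Connection Status\s+Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)' {
                $r.ConnectionStatus = [long]$Matches[1]; $r.ConnectionName = $Matches[2]
            }
            '^\s*Trust Verification Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)' {
                $r.VerifyStatus = [long]$Matches[1]; $r.VerifyName = $Matches[2]
            }
        }
    }
    # The trailing "The command completed successfully" line is ignored on purpose:
    # the verdict rests only on the two status codes.
    $r.Healthy = ($r.ConnectionStatus -eq 0) -and ($r.VerifyStatus -eq 0)
    [pscustomobject]$r
}

# Sample 1: the successful output quoted in the thread.
$fromThread = @'
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DD3-AM-DC-03.americas.fabrikam.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
'@
# Sample 2: CONSTRUCTED failing output (no reachable DC), for illustration only.
$constructedFailure = @'
Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
'@

ConvertFrom-NltestScVerify -Lines ($fromThread -split '\r?\n')
ConvertFrom-NltestScVerify -Lines ($constructedFailure -split '\r?\n')
# Live use from an elevated prompt, DOMAINNAME replaced as in the thread:
#   ConvertFrom-NltestScVerify -Lines (nltest /sc_verify:DOMAINNAME)
```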
