
Windows A/D Authentication Failed (Error 1300L)

dwhisinnand
Level 1

I currently have in place CS ACS Solution Engine v3.3.3 and the Remote Agent is installed on Windows Server 2003. I'm using a lab environment to test Authentication to network switches and routers using ACS as Radius with Windows A/D as the backend. I have had success with the authentication using the CiscoSecure DB but when I change it to Windows DB I get the following error in the log:

CSWinAgent 10/24/2005 14:42:34 A 0433 2004 RPC: NT_MSCHAPAuthenticateUser reply sent

CSWinAgent 10/24/2005 15:00:06 A 0254 3468 RPC: NT_ForAllNTTrustedDomains received

CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: Found 1 trusted domains

CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: trusted domain 1 [Domain-Name]

CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: Found 0 trusted domains

CSWinAgent 10/24/2005 15:00:06 A 0287 3468 RPC: NT_ForAllNTTrustedDomains reply sent

CSWinAgent 10/24/2005 15:01:33 A 0121 0564 Client connecting from XX.XX.XX.XXX:1935

CSWinAgent 10/24/2005 15:01:34 A 0371 2940 RPC: NT_MSCHAPAuthenticateUser received

CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Attempting Windows authentication for user JohnDoe

CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Windows authentication FAILED (error 1300L)

CSWinAgent 10/24/2005 15:01:34 A 0433 2940 RPC: NT_MSCHAPAuthenticateUser reply sent

CSWinAgent 10/24/2005 15:01:37 A 0371 2940 RPC: NT_MSCHAPAuthenticateUser received

CSWinAgent 10/24/2005 15:01:37 A 0048 2940 NTLIB: Attempting Windows authentication for user JohnDoe

CSWinAgent 10/24/2005 15:01:37 A 0048 2940 NTLIB: Windows authentication FAILED (error 1300L).

I installed the RemoteAgent with a Domain Admin Acct. and the CSAgent Service is running with the same acct. Also the external DB is established and the Unknown User Policy is enabled.

Any suggestions??

TIA

2 Replies

gfullage
Cisco Employee

1300L is a privilege problem. See here for details:

http://support.microsoft.com/kb/155012/EN-US/

Basically we usually see this when the remote agent is installed on a member server and the user the services are running as does not have the correct privileges set up.

Make sure that Domain Admin account has the "Act as part of Operating System" and "Logon as a Service" security Policy set. Normally no one has this set, not even Administrator. You can add the policy for this username under the Local Security Policy menu, then under Local Policies - User Rights Policy.

Looking into the CSWINAgent log file, I determined that the authentication request was being "forwarded" to a different Windows Server and failing. Talking to one of our Systems Admins, I determined that the Remote Agent was in fact installed on a Domain Controller, but its role might not provide the service needed to do the username query. Furthermore, he went on to explain that we have a number of DCs in our environment, but that they each act as different "roles." Apparently the Remote Agent is smart enough to recognize that the current DC on which the Remote Agent was installed could not perform the task requested and looked for the DC that could (the log file gave me the name of the DC that could). The Systems Admin stated that the DC that the log file was pointing to was the "PDC emulator" in our native environment. So in short, I installed it on the suspected DC and everything works great. I did have to add the Domain Admin to the security Policy that you stated. I have been doing 802.1X machine and user auth ever since without issue. Thanks for your help.
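
As an added example (not part of the thread and not Cisco's code), the Python sketch below triages CSWinAgent failures like the ones posted above by decoding the Win32 error number, so a privilege fault on the agent's service account (1300) is not mistaken for a bad user password (1326). The field layout, the `agent`/`user` scope labels and the JaneRoe sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Win32 error codes from winerror.h. Scope "agent" = the Remote Agent's host or
# service account is at fault; "user" = the end user's own logon is at fault.
WIN32 = {
    1300: ("ERROR_NOT_ALL_ASSIGNED", "agent"),
    1314: ("ERROR_PRIVILEGE_NOT_HELD", "agent"),
    1311: ("ERROR_NO_LOGON_SERVERS", "agent"),
    1326: ("ERROR_LOGON_FAILURE", "user"),
    1330: ("ERROR_PASSWORD_EXPIRED", "user"),
    1331: ("ERROR_ACCOUNT_DISABLED", "user"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "user"),
}
# Field layout inferred from the log lines in the thread (assumption):
# name, date, time, level, code, worker id, message.
LINE = re.compile(r"^CSWinAgent (\S+) (\S+) \w (\d+) (\d+) (.*)$")
ATTEMPT = re.compile(r"NTLIB: Attempting Windows authentication for user (\S+)")
FAILED = re.compile(r"NTLIB: Windows authentication FAILED \(error (\d+)L\)")

# Constructed sample: JohnDoe lines as posted above, JaneRoe lines invented.
SAMPLE = """\
CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Attempting Windows authentication for user JohnDoe
CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Windows authentication FAILED (error 1300L)
CSWinAgent 10/24/2005 15:01:34 A 0433 2940 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 10/24/2005 15:02:10 A 0048 3112 NTLIB: Attempting Windows authentication for user JaneRoe
CSWinAgent 10/24/2005 15:02:10 A 0048 3112 NTLIB: Windows authentication FAILED (error 1326L)
"""

def triage(log_text):
    """Pair each FAILED line with the preceding attempt on the same worker id."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date, time, _code, worker, msg = m.groups()
        attempt, failed = ATTEMPT.search(msg), FAILED.search(msg)
        if attempt:
            pending[worker] = attempt.group(1)
        elif failed:
            err = int(failed.group(1))
            name, scope = WIN32.get(err, ("UNKNOWN", "unknown"))
            findings.append({"when": f"{date} {time}", "user": pending.pop(worker, "?"),
                             "error": err, "name": name, "scope": scope})
    return findings

def by_scope(findings):
    """Count failures per scope so agent-side faults stand out from bad passwords."""
    return Counter(f["scope"] for f in findings)
```

A run of `agent`-scope failures across many users points at the Remote Agent's service account or host rather than at the users themselves.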