TCC_2

Core issue

This issue occurs due to the presence of Cisco bug ID CSCsi04187.

In a multiple-forest Active Directory environment, Microsoft Protected Extensible Authentication Protocol (MS-PEAP) machine authentication fails to any forest that ACS is not a part of if the machine name is sent in DNS format. The host/ format is not supported until ACS 4.1.1.23.

For example, if ACS is in Forest1 and host/machine.com is in Forest2, authentication fails with these error messages:

CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: Could not find machine host/test.one.ads.che.org [1390]
CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: host/test.one.ads.che.org is not a valid machine name
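To check whether machine authentication failures in a CSWinAgent log fit this pattern, the following added example (not Cisco code and not part of the original article) groups the two NTLIB messages shown above by the DNS domain of the rejected host/ name. The function name, the `acs_forest_suffixes` parameter (the DNS suffixes of the forest ACS belongs to) and the sample lines marked as constructed are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message shapes taken from the two CSWinAgent lines quoted in this article.
FAILURE_RE = re.compile(
    r"^CSWinAgent\s+\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2}\s+.*?NTLIB:\s+"
    r"(?:Could not find machine (?P<a>host/\S+)"
    r"|(?P<b>host/\S+) is not a valid machine name)"
)

def host_format_failures(lines, acs_forest_suffixes):
    """Group failed host/<fqdn> machine lookups by DNS domain.

    acs_forest_suffixes is an assumed input: the log does not record which
    forest ACS belongs to. Returns
    {domain: {"machines": [...], "events": n, "foreign": bool}}.
    """
    found = defaultdict(lambda: {"machines": set(), "events": 0})
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue
        name = (m.group("a") or m.group("b"))[len("host/"):].lower()
        host, _, domain = name.partition(".")
        if not domain:  # host/ name without a DNS suffix: nothing to group by
            continue
        found[domain]["machines"].add(host)
        found[domain]["events"] += 1
    suffixes = [s.lower() for s in acs_forest_suffixes]
    report = {}
    for domain, info in found.items():
        local = any(domain == s or domain.endswith("." + s) for s in suffixes)
        report[domain] = {"machines": sorted(info["machines"]),
                          "events": info["events"], "foreign": not local}
    return report

SAMPLE = [
    # The two lines quoted in the article.
    "CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: Could not find machine host/test.one.ads.che.org [1390]",
    "CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: host/test.one.ads.che.org is not a valid machine name",
    # Constructed lines: a second machine, and a message that must be ignored.
    "CSWinAgent 03/05/2007 09:27:02 A 0063 2708 NTLIB: Could not find machine host/pc7.two.example.net [1390]",
    "CSWinAgent 03/05/2007 09:27:05 A 0063 2708 NTLIB: constructed unrelated message",
]

if __name__ == "__main__":
    for dom, info in sorted(host_format_failures(SAMPLE, ["forest1.example.com"]).items()):
        print(dom, info)
```

Domains reported with `foreign` set to true are the ones whose machines need one of the workarounds below or an upgrade to ACS 4.1.1.23.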

Resolution

There are two workarounds for this issue:

  1. Install a RADIUS server in the second forest and configure ACS to proxy to it.
  2. Configure the supplicant to send the machine name in host/ format. Many supplicants do not have this option.
