Core issue
This issue is due to the presence of Cisco Bug ID CSCsd52574.
When machine authentication, using either Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) or Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), is attempted after the Cisco Secure Access Control Server (ACS) has lost and then regained connectivity to the global catalog server, authentication can fail and the "MachineSPNToSAM: __DsCrackNames failed" error message can be generated in the auth.log file.
This issue occurs in an environment where there is more than one global catalog server for the domain. ACS does not search for the secondary catalog server if the primary goes down.
Note: This issue is particularly seen when ACS is installed on a domain member server.
Resolution
The temporary workaround for this issue is to restart csauth.exe.
In order to completely resolve this issue, download and apply the ACS patch version 4.1(1) or higher.