Machine authentication fails

Dominik_
Occasional Contributor

Hi,

I have trouble using machine authentication. I use UAC 3.1 on an IC 4500. I configured an "Active Directory/Windows NT" authentication server and joined the Windows domain. All DCs are only Windows Server 2003, so no 2008 troubles.

I installed the OAC on a test machine. I followed the KB article KB10483 and set "Use machine credentials".

This works like a charm. Then I wanted to refine my role mapping rules and use group membership of the computer account to map to different rules. Now the authentication failed and in the policy trace I find:

GetUserGroups: Finding user sid of user failed. user 'rappaport02$' does not exist

At the same time, the domain controller logs a 527 authentication failed log. If I go back and use only role mapping rules based on the username, everything runs very well.

I joined a Linux machine to the domain and used wbinfo to verify that I can list all groups of the computer account - works perfectly.

If I replace "Use machine credentials" with a static user account that belongs to the same group, everything works as expected, even with group mapping rules enabled. So the problem only appears when I use machine credentials together with group membership rules.

Any ideas?

Regards,

Dominik

4 REPLIES
mnarine_
Contributor

Re: Machine authentication fails

Enable authentication policy tracing on the IC and see if you have any issues with WinBind. I had a similar issue in the past where AD accounts worked fine but computer accounts did not work. The problem turned out to be that the account used to connect to the AD (auth servers) did not have sufficient rights to do a winbind so it failed machine authentication.

Also, from the location where you define the AD server on the IC, make sure there are no errors when you run the TEST to verify AD connectivity from IC to AD.

-Mike

Dominik_
Occasional Contributor

Re: Machine authentication fails

Hi Mike,

thanks for your response.

I performed my tests with the domain administrator account. So it should have enough permissions to perform the authentication. I also recreated the AD/WinNT authentication server, just to be sure. Didn't help.

Also, machine authentication per se works; only when group membership comes into play do I get this problem.

I have already enabled authentication and pre-authentication policy trace, but the only error I can see is the one I already mentioned, namely:

GetUserGroups: Finding user sid of user failed. user 'rappaport02$' does not exist

I have no idea why the GetUserGroups function fails. The computer account definitely exists, and if I use a non-group-related filter rule, authentication works perfectly. And my Linux testbox with SAMBA could resolve the groups of the machine account (with wbinfo) without any problem.

Maybe I can use the method from KB14345. Although it is a workaround for Win2K, it may work in 2K3 as well. But I would need some more help with what custom filter expression I should use that incorporates the <USERNAME> variable.

Regards,

Dominik

Rabbit_
Contributor

Re: Machine authentication fails

Dominik, the issue seems to lie with the group that is marked as the object's "Primary Group" within ADUC.

Can you try adding the machines to a different (new) group, and then trying to role map based on that new group?
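Rabbit_'s suggestion rests on an Active Directory quirk: a computer object's primary group (by default Domain Computers, RID 515) is recorded only in its primaryGroupID attribute, never in memberOf, so a lookup that reads memberOf alone misses it. The Python below is an added example, not code from this thread or from Juniper; it uses a constructed computer entry with a made-up domain SID and group DN, and shows how the full group list is rebuilt by decoding objectSid and appending the primary group RID.

```python
import struct

# Constructed sample: a computer object as an LDAP search would return it.
# The domain SID and group DN are made up; 515 is the well-known RID of
# "Domain Computers", the default primary group for computer accounts.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_DN_TO_SID = {  # constructed lookup, as if each group's objectSid had been read
    "CN=VPN-Machines,OU=Groups,DC=example,DC=local": DOMAIN_SID + "-1105",
}

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid back to its string form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs)

def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """The primary group's SID is the account's domain SID plus primaryGroupID."""
    domain_sid = object_sid.rsplit("-", 1)[0]  # drop the account's own RID
    return "%s-%d" % (domain_sid, primary_group_id)

def resolve_group_sids(entry: dict) -> list:
    """Full group list: explicit memberOf groups plus the implicit primary group."""
    sids = {GROUP_DN_TO_SID[dn] for dn in entry.get("memberOf", [])}
    sids.add(primary_group_sid(bytes_to_sid(entry["objectSid"]),
                               entry["primaryGroupID"]))
    return sorted(sids)

COMPUTER_ENTRY = {
    "sAMAccountName": "rappaport02$",
    "objectSid": sid_to_bytes(DOMAIN_SID + "-1203"),  # constructed account RID
    "primaryGroupID": 515,
    "memberOf": list(GROUP_DN_TO_SID),  # memberOf never lists the primary group
}

if __name__ == "__main__":
    for sid in resolve_group_sids(COMPUTER_ENTRY):
        print(sid)
```

When checking a role mapping rule against a computer account, compare the rule's group against this combined list rather than memberOf alone.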

mnarine_
Contributor

Re: Machine authentication fails

Dominik,

If you search your AD for 'rappaport02', does it show up? If so, what OU is it part of? I have this working at several locations, even with nested OUs, and it works fine.

In the trace logs, do you see any errors or messages about "winbind"?

-Mike