11-25-2014 01:21 AM
Latest MS patches broke UAM interop with MS AD
I recently got a trouble report from a customer that after they patched their MS AD DC with the latest MS patches, UAM authentication stopped working. All users were denied authentication with the "E63118::Domain controller connect error" message.
This is related to the UAM virtual computer account in AD. Because LDAP contact with the server was fine, LDAP policy sync was working as it should. So the only other changes were those patches on MS Server 2008R2.
Even more so - the customer uninstalled those patches and authentication resumed normal functionality, so this is undeniable proof that one of those patches is to blame. The iMC server was not patched.
Has anyone else run into this?
11-25-2014 07:09 AM
Re: Latest MS patches broke UAM interop with MS AD
Hi Marcis,
Do you know which patches (or reference to KB xx) were applied and then uninstalled?
Do you know the config settings of the AD and UAM side?
AD: OS/Domain level etc.
UAM: Domain controller version type
You can try to set the PEAP MS CHAPv2 configuration logging level to debug, and then look into the log file on the server. That helped me a few times in the past (do not forget to set the logging level back to normal as well).
I have recently done some test setups with Win 2012R2 (fully patched) and this UAM DC version option did not seem to matter anymore (2003 vs 2008), both just worked now... So I am a bit clueless now about what the option really means.
So for TS: if they apply the patch, you could also try to change the UAM PEAP MSCHAP DC Version, maybe this DC version type is related to the patch/security change on the actual DC?
Thanks, Peter
12-02-2014 09:40 AM - edited 12-02-2014 09:49 AM
Re: Latest MS patches broke UAM interop with MS AD
I can confirm that one (or more?) of these patches causes the issue E63118::Domain controller connect error with Domain assisted authentication against a 2008 R2 server set to use the 2003 configuration:
KB 3002885
KB 2993958
KB 2978120
KB 2978128
KB 2991963
I can also confirm that setting the Domain Controller OS Version to 2008 does not restore functionality to the patched system.