HPE Community
IMC
1751822 Members
5191 Online
108782 Solutions
New Discussion юеВ

Latest MS patches broke UAM interop with MS AD

 
MarcisB
Occasional Advisor

тАО11-25-2014 01:21 AM

тАО11-25-2014 01:21 AM

Latest MS patches broke UAM interop with MS AD

I recently got trouble report from customer that after they patched their MS AD DC with latest MS patches, UAM authentication stoppped to work. All users were denied authentication with "E63118::Domain controller connect error" message.

This is related to UAM virtual computer account in AD. Because LDAP contact with server was fine, LDAP policy sync was working as it should be. So only other changes were those patches on MS Server 2008R2. 

Even more so - customer uninstalled those patches and authentication resumed normal functionality so this is undeniable proof that one of those patches are to blame. iMC server was not patched.

Anyone else has ran into this?

0 Kudos
2 REPLIES 2
Peter_Debruyne
Honored Contributor

тАО11-25-2014 07:09 AM

тАО11-25-2014 07:09 AM

Re: Latest MS patches broke UAM interop with MS AD

Hi Marcis,

 

Do you know which patches (or reference to KB xx) were applied and then uninstalled ?

Do you know the config settings of the AD and UAM side ?

AD: OS/Domain level etc.

UAM: Domain controller version type

 

You can try to set the PEAP MS CHAPv2 configuration logging level to debug, and then look into the log file on the server. That helped me a few times in the past (do not forget to set the logging level back to normal as well)

 

I have recently done some test setups with Win 2012R2 (fully patched) and this UAM DC version option did not seem to matter anymore (2003vs2008), both just worked now... So I am a bit clueless now about what the option really means.

 

So for TS: if they apply the patch, you could also try to change the UAM PEAP MSCHAP DC Version, maybe this DC version type is related to the patch/security change on the actual DC ?

 

thanks,Peter

0 Kudos
NeilR
Esteemed Contributor

тАО12-02-2014 09:40 AM - edited тАО12-02-2014 09:49 AM

тАО12-02-2014 09:40 AM - edited тАО12-02-2014 09:49 AM

Re: Latest MS patches broke UAM interop with MS AD

I can confirm that one (or more?) of these patches causes the issue E63118::Domain controller connect error with Domain assisted authentication against a 2008 R2 server set to use the 2003 configuration:

 

KB 3002885

KB 2993958

KB 2978120

KB 2978128

KB 2991963

 

I can also confirm that setting the Domain Controller OS Version to 2008 does not restore functionality to the patched system.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.