IMC
cancel
Showing results for 
Search instead for 
Did you mean: 

Latest MS patches broke UAM interop with MS AD

MarcisB
Occasional Advisor

Latest MS patches broke UAM interop with MS AD

I recently got trouble report from customer that after they patched their MS AD DC with latest MS patches, UAM authentication stoppped to work. All users were denied authentication with "E63118::Domain controller connect error" message.

This is related to UAM virtual computer account in AD. Because LDAP contact with server was fine, LDAP policy sync was working as it should be. So only other changes were those patches on MS Server 2008R2. 

Even more so - customer uninstalled those patches and authentication resumed normal functionality so this is undeniable proof that one of those patches are to blame. iMC server was not patched.

Anyone else has ran into this?

2 REPLIES
Peter_Debruyne
Honored Contributor

Re: Latest MS patches broke UAM interop with MS AD

Hi Marcis,

 

Do you know which patches (or reference to KB xx) were applied and then uninstalled ?

Do you know the config settings of the AD and UAM side ?

AD: OS/Domain level etc.

UAM: Domain controller version type

 

You can try to set the PEAP MS CHAPv2 configuration logging level to debug, and then look into the log file on the server. That helped me a few times in the past (do not forget to set the logging level back to normal as well)

 

I have recently done some test setups with Win 2012R2 (fully patched) and this UAM DC version option did not seem to matter anymore (2003vs2008), both just worked now... So I am a bit clueless now about what the option really means.

 

So for TS: if they apply the patch, you could also try to change the UAM PEAP MSCHAP DC Version, maybe this DC version type is related to the patch/security change on the actual DC ?

 

thanks,Peter

NeilR
Respected Contributor

Re: Latest MS patches broke UAM interop with MS AD

I can confirm that one (or more?) of these patches causes the issue E63118::Domain controller connect error with Domain assisted authentication against a 2008 R2 server set to use the 2003 configuration:

 

KB 3002885

KB 2993958

KB 2978120

KB 2978128

KB 2991963

 

I can also confirm that setting the Domain Controller OS Version to 2008 does not restore functionality to the patched system.