iMC UAM MS AD authentication issue (2210 Views)
Occasional Advisor
MarcisB
Posts: 14
Registered: 01-20-2013
Message 1 of 11 (2,210 Views)

iMC UAM MS AD authentication issue

Hello

For several weeks I've been fighting with this problem.
I need to set up UAM authentication with Microsoft AD. The client PC is part of the lab domain and thus uses a domain certificate without the iNode client (the way our customer would like it to be). That means EAP-PEAP with MSCHAPv2.
In my lab I have one ProCurve 2824 switch and several virtual servers, one of which runs iMC with UAM, another has the AD DC and a third is the certificate server. I have set up the whole structure, imported certificates into iMC etc.

iMC and UAM version is the latest:

Intelligent Management Platform (JF378A) iMC PLAT 5.1 SP1 (E0202P05)
User Access Manager (JF388A) iMC UAM 5.1 SP1 (E0301H04)

Unfortunately client authentication fails; in the switch traffic capture I see UAM asking the switch for MD5 authentication, which is immediately rejected by Windows, which wants MSCHAPv2.
In the mschapv2server log file I see the following:

[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[Feb 19, 2013 11:43:16 AM][Trace]: MSChapAuthServer():addInistialRequestMessage(): tunnel active packet: 00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
[Feb 19, 2013 11:43:16 AM][Debug]: Trigger one authentication request as parameters refreshed.
[2013-02-19 11:43:16.494] [Debug] [HashMapForCache::cleanMap]Find expired object...
[2013-02-19 11:43:16.547] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(LVLABIMC2.UAM.IMC.LAB/TESTACCOUNT)
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:16.990] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2013-02-19 11:43:16.991] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, ~={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, UAM={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}}
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
[2013-02-19 11:43:17.388] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The account is not found: uam.imc.lab\test>
mscv2js.c.d: The account is not found: uam.imc.lab\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
[Feb 19, 2013 11:43:17 AM][Trace]: The mschapv2 authentication user msg:The account is not existed on DC.
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java:625)
at mscv2js.server.g.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)

 

I have done all installation and configuration according to the manuals. EAP-PEAP assisted DC authentication is set up. In the log one can see that UAM asks the DC for the virtual computer (which I left at default), which passes. Then, out of nowhere, comes this "test" account, which is in no way present in iMC. I suspect this is the reason why authentication fails and UAM reverts to MD5.
I created a "test" user on the DC, but since I have no idea what the password should be, it still fails.
Can anyone please point out what I am doing wrong?

Thanks in advance!
Marcis

Honored Contributor
Peter_Debruyne
Posts: 313
Registered: 03-21-2011
Message 2 of 11 (2,195 Views)

Re: iMC UAM MS AD authentication issue

Hi,

Can you provide some more info on the client supplicant configuration?

Which client OS are you using? If Windows, did you configure user or computer auth?

Can you check the client PC computer name; does it happen to be "test"?

It could be possible that the computer accounts have not been synced between UAM and AD (LDAP), so when the client PC authenticates with the PC account, it will fail, so UAM possibly proposes an alternate auth method (MD5), since the PEAP failed.

So make sure to sync the Computers container/OU as well as the Users container/OU in the LDAP sync policies.

Best regards,
Peter

Honored Contributor
LindsayHill
Posts: 676
Registered: 11-16-2011
Message 3 of 11 (2,192 Views)

Re: iMC UAM MS AD authentication issue

This doesn't directly fix your problem, but HP released IMC 5.2 today. BYOD is a focus for them right now, so you might like to try out the latest code and see if your problem is still there.

My guess is that support is just going to tell you to upgrade anyway.

CCIE 36708 | @northlandboy | lkhill.com
Occasional Advisor
MarcisB
Posts: 14
Registered: 01-20-2013
Message 4 of 11 (2,179 Views)

Re: iMC UAM MS AD authentication issue

Hello Peter

Thanks for the response! :)

I attached my ProCurve 2824 switch config.

Port 1 is the uplink; ports 2 and 3 are where client authentication goes on.

10.32.12.26 is the address of the iMC server

10.32.12.27 is the switch's IP

I also verified that when I reconfigure RADIUS on the switch to talk directly to the MS AD DC, it works like a charm. Of course I have configured NAP on the MS DC.

I use a Windows 7 PC with the Windows native built-in 802.1X authenticator. I would prefer to avoid using iNode because this is what our customer wants. On Windows I left it at the default, which is both user and computer authentication.

The client PC computer name is "SMNdemo". The only thing close to "test" is the testlab domain user "imctest", which I use for logging in.

I tried to sync the Computers OU but it does not work; the sync fails because computer accounts are represented by their name with "$" added. And since iMC does not accept the $ sign, the sync fails totally.

Occasional Advisor
MarcisB
Posts: 14
Registered: 01-20-2013
Message 5 of 11 (2,178 Views)

Re: iMC UAM MS AD authentication issue

Thanks!

I tried 5.2 but it did not solve the issue. I suspect I am doing something wrong, but I have run out of ideas as to what exactly.
Occasional Visitor
nappy513
Posts: 3
Registered: a month ago
Message 6 of 11 (199 Views)

Re: iMC UAM MS AD authentication issue

Resurrecting an old thread here. Probably going to open a support ticket, but I'm dealing with the same issue in 7.0 E0202. Device authentication works fine through AD, but I can't get 802.1x to work from MSM APs (MSM controller). I did find that the EAP type is dictated by the 'default access policy' configured on the access service assigned to the authenticating user. If certificate authentication isn't defined in the default policy, IMC seems to default to EAP-MD5 as a challenge type (doesn't seem to make too much sense, but it isn't the issue at hand). At this point, it would have been so much easier to do this in NPS (wtb NAS Id condition), but the customer wants UAM.

The authentication failure cause is listed as: E63121::receive no packet from mschapv2server.

The request isn't even showing up in the mschapv2 log. Netstat shows that mschapv2server is running on the port assigned in domain assisted PEAP authentication.

I do see the same recurring message in the log about a failure to authenticate with a "domain\test" account; I'm not testing from this. As the other posters pointed out, no idea what the "test" account is used for or what credentials it is trying to use. I've tried making a "test" account in AD (reflected below). Also not sure why IMC would want to change the password for the test account (LDAP error -1073741718). Not sure where to go from here... hopefully I'm just missing something.

Details from the mschapv2 log:

[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local
[2014-06-12 22:19:14.758] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(NPSDC1.domain.local/IMC-VCOMP)
[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$
[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2014-06-12 22:19:14.812] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2014-06-12 22:19:14.813] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2014-06-12 22:19:14.818] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {NPS={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, domain.local={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, ~={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}}
[2014-06-12 22:19:14.821] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718
[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>
mscv2js.c.d: The supplied credentials are invalid: domain.local\test
    at mscv2js.b.a.a(Unknown Source)
    at mscv2js.b.b.b(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 <java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
    at java.net.DualStackPlainDatagramSocketImpl.socketSend(Native Method)
    at java.net.DualStackPlainDatagramSocketImpl.send(DualStackPlainDatagramSocketImpl.java:133)
    at java.net.DatagramSocket.send(DatagramSocket.java:676)
    at mscv2js.server.h.a(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 

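Reading the two mschapv2server excerpts in this thread (message 1 and the one just above) side by side: in both, the NETLOGON part, where UAM's virtual computer account builds a secure channel to the DC, succeeds, and the failure only appears afterwards, in the per-user MSCHAPv2 check against "test". The parser below is an added example written for this thread; it is not iMC code and not part of anyone's post. It splits each request into those two stages and names the failure, so a log can be triaged without reading it line by line. Assumptions made here: the "ldap fetch error code" is a signed 32-bit NTSTATUS (-1073741718 is 0xC000006A, STATUS_WRONG_PASSWORD, which matches the "supplied credentials are invalid" text next to it), a trailing "$" on the NETLOGON identity marks an AD computer account (the same "$" that breaks the Computers OU sync described earlier), and the sample lines are copied from the two posted excerpts with the long domain-trust lines cut down to one entry each.

```python
"""Triage helper for iMC UAM mschapv2server log excerpts (added example, not iMC code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the two excerpts in this thread, with the
# long domain-trust lines cut down to one entry each.
SAMPLE_LOG = r"""
[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={domain.dns.name=uam.imc.lab, domain.netbios.name=UAM}}
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
java.net.BindException: Cannot assign requested address: Datagram send failed
[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local
[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$
[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2014-06-12 22:19:14.818] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {NPS={domain.dns.name=domain.local, domain.netbios.name=NPS}}
[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718
[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>
java.net.BindException: Cannot assign requested address: Datagram send failed
"""

# Assumption: "ldap fetch error code" is a signed 32-bit NTSTATUS value.
# -1073741718 & 0xFFFFFFFF == 0xC000006A, which is STATUS_WRONG_PASSWORD.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def ntstatus_name(code: int) -> str:
    """Map the signed code the log prints to its NTSTATUS symbol, if known."""
    unsigned = code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(unsigned, f"NTSTATUS 0x{unsigned:08X}")


RE_DC = re.compile(r"dc name is (\S+)")
RE_CONNECT = re.compile(r"ncacn_np:([\d.]+)\[.*?\] with identity (\S+)")
RE_BIND = re.compile(r"NETLOGON: Bind successful")
RE_DOMAIN = re.compile(r"domain\.netbios\.name=(\w+)")
RE_LDAP = re.compile(r"ldap fetch error code is (-?\d+)")
RE_FAIL = re.compile(r"The (account is not found|supplied credentials are invalid): ([^\s,>]+)")
RE_SEND = re.compile(r"Datagram send failed")


@dataclass
class AuthAttempt:
    dc_name: str
    dc_ip: Optional[str] = None
    netlogon_identity: Optional[str] = None  # UAM's own (virtual computer) account
    bind_ok: bool = False                    # secure channel UAM <-> DC established
    domains: List[str] = field(default_factory=list)
    failed_user: Optional[str] = None        # the account the DC rejected
    failure: Optional[str] = None
    ldap_error: Optional[int] = None
    reply_send_failed: bool = False          # mschapv2server could not answer UAM

    @property
    def uses_computer_account(self) -> bool:
        # AD computer accounts carry a trailing "$" in sAMAccountName.
        return bool(self.netlogon_identity) and self.netlogon_identity.endswith("$")

    def verdict(self) -> str:
        """Separate the DC secure-channel stage from the per-user stage."""
        if not self.bind_ok:
            return "secure channel to DC not established; check the virtual computer account"
        if self.failure == "account is not found":
            return f"DC secure channel OK; user {self.failed_user} does not exist on the DC"
        if self.failure == "supplied credentials are invalid":
            detail = f" ({ntstatus_name(self.ldap_error)})" if self.ldap_error is not None else ""
            return f"DC secure channel OK; DC rejected the password for {self.failed_user}{detail}"
        return "DC secure channel OK; no per-user failure recorded"


def parse_mschapv2_log(text: str) -> List[AuthAttempt]:
    """Group log lines into one AuthAttempt per 'dc name is ...' request."""
    attempts: List[AuthAttempt] = []
    for line in text.strip().splitlines():
        if m := RE_DC.search(line):
            attempts.append(AuthAttempt(dc_name=m.group(1)))
            continue
        if not attempts:
            continue  # skip anything logged before the first request
        cur = attempts[-1]
        if m := RE_CONNECT.search(line):
            cur.dc_ip, cur.netlogon_identity = m.group(1), m.group(2)
        elif RE_BIND.search(line):
            cur.bind_ok = True
        elif RE_DOMAIN.search(line):
            cur.domains = sorted(set(RE_DOMAIN.findall(line)))
        elif m := RE_LDAP.search(line):
            cur.ldap_error = int(m.group(1))
        elif m := RE_FAIL.search(line):
            cur.failure, cur.failed_user = m.group(1), m.group(2)
        elif RE_SEND.search(line):
            cur.reply_send_failed = True
    return attempts


if __name__ == "__main__":
    for a in parse_mschapv2_log(SAMPLE_LOG):
        kind = "computer account" if a.uses_computer_account else "account"
        print(f"{a.dc_name} ({a.dc_ip}) via {kind} {a.netlogon_identity}: {a.verdict()}"
              + ("; reply datagram to UAM failed (java.net.BindException)" if a.reply_send_failed else ""))
```

Run it on a saved mschapv2server log instead of SAMPLE_LOG and each request prints as one line. Two things worth separating when reading the output: a verdict that starts with "DC secure channel OK" rules out the virtual computer account and the trust list, so the remaining question is only which user name UAM handed to the DC and why; and the java.net.BindException flag is independent of the DC result, which fits the "receive no packet from mschapv2server" failure cause quoted above, since the per-user check and the reply back to UAM are two different steps.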
Honored Contributor
Peter_Debruyne
Posts: 313
Registered: 03-21-2011
Message 7 of 11 (184 Views)

Re: iMC UAM MS AD authentication issue

Hi,

What type of EAP auth are you trying to configure?

AFAIK, EAP PEAP MSCHAPv2 is not possible for computer authentication; only EAP-TLS (client cert based) is possible.

Since you mention the mschapv2server process, I have the impression you are trying to set up EAP PEAP MSCHAPv2, which does not work (yet; I heard this might be included in the future).

Occasional Visitor
nappy513
Posts: 3
Registered: a month ago
Message 8 of 11 (178 Views)

Re: iMC UAM MS AD authentication issue

Peter, thanks for the response.

Yes, I'm trying to do PEAP MS-CHAPv2, but only for user authentication. Is this not supported by IMC? If not, what options are available for 802.1x user authentication?

Thanks

Honored Contributor
Peter_Debruyne
Posts: 313
Registered: 03-21-2011
Message 9 of 11 (167 Views)

Re: iMC UAM MS AD authentication issue

Hi,

* EAP PEAP MSCHAPv2 is supported for user auth.

* Did you set the Domain controller OS version to "2003 or earlier"? I know this does not sound intuitive, but the parameter does not link directly to the OS version or domain/forest level, but to some Kerberos/MSCHAP auth level type. Most people do not have this enabled on the domain, so the original auth type should be used (described as "2003 or earlier" in this parameter).

hth,
Peter

Occasional Visitor
nappy513
Posts: 3
Registered: a month ago
Message 10 of 11 (156 Views)

Re: iMC UAM MS AD authentication issue

I do have it set at 2003 to match the domain functional level. I opened a case, so we'll see where this goes. I'll provide an update once progress is made.

Thanks

New Member
denclan
Posts: 1
Registered: yesterday
Message 11 of 11 (28 Views)

Re: iMC UAM MS AD authentication issue

Hi,

I'm seeing the same issue at the moment on IMC v7.0. Did you get it resolved?

I'm getting client authentication failures with code "E63053::Invalid authentication type" via the IMC interface.

Regards,

denclan
