Start a Conversation

Solved!

Go to Solution

2299

November 29th, 2022 09:00

Recent Issues with Isilon & AD

Hello, everyone,

After some updates to our AD DCs over the weekend, our Isilon is failing to authenticate, but only when it negotiates to Kerberos authentication. If it negotiates down to NTLM, it works fine, but Kerberos does not work. I've done all of the usual - verified SPNs and such - but no luck.

In /var/log/lsassd.log, I'm seeing the following messages repeated quite frequently:

2022-11-29T12:32:02-05:00 <30.3> ISILON-2(id2) lsass[33831]: [lsass] Failed to authenticate user (name = 'Chuck_Norris') -> error = 40134, symbol = LW_ERROR_RPC_ERROR, client pid = 4294967295
2022-11-29T12:32:02-05:00 <30.3> ISILON-2(id2) lsass[33831]: [lsass] AD_NetrlogonOpenSchannel(dc1.example.com) failed with 3221225473 (0xc0000001) (symbol: 'STATUS_UNSUCCESSFUL')
2022-11-29T12:32:02-05:00 <30.4> ISILON-2(id2) lsass[33831]: [lsass] Failed to get Ntlm Target Info Type Error code: 40134 (symbol: (null))
2022-11-29T12:32:03-05:00 <30.3> ISILON-2(id2) lsass[33831]: [lsass] AD_NetrlogonOpenSchannel(dc1.example.com) failed with 3221225473 (0xc0000001) (symbol: 'STATUS_UNSUCCESSFUL')
2022-11-29T12:32:03-05:00 <30.3> ISILON-2(id2) lsass[33831]: [lsass] Failed to authenticate user (name = 'Chuck_Norris') -> error = 40134, symbol = LW_ERROR_RPC_ERROR, client pid = 4294967295

 Any hints would be greatly appreciated.

4 Posts

November 30th, 2022 10:00

The OneFS version is 7.2.0.3, AD DCs are Windows Server 2019.

That said, we were able to figure out the issue today - apparently the latest round of Windows Updates, applied over the weekend, change the default encryption for kerberos tickets to AES256, and it looks like the Isilon does not support that. We were able to resolve this by setting the msDS-SupportedEncryptionTypes property on the Isilon's computer account in the domain to 0x04 (decimal 4), which forces RC4. There's some discussion on this, here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/bc-p/3682898/highlight/true#M4901

Moderator

 • 

6.9K Posts

November 30th, 2022 02:00

Hello vnick_coty,

Which version were you running and which version did you upgrade to?

No Events found!

Top