Identity Engines Clients Unable to Authenticate Due to NTLM Error "STATUS_INVALID_WORKSTATION"

Symptoms
  • User or machine account authentications fail.
  • The Access record for such an attempt shows the LastAuthException (failure reason) as:
LastAuthException:    Authentication failed: NTLM error: 3221225584 : STATUS_INVALID_WORKSTATION
Environment
  • Identity Engines Ignition
  • All Software Releases
  • Active Directory
  • LDAP
Cause
  • If an Active Directory LDAP user's account is restricted to a specific list of workstation names (the account's "Log On To..." list) instead of being allowed to log on to all computers, the Identity Engines Ignition Server will deny that user access.
Resolution

To work around this limitation, the Identity Engines Ignition Server machine / computer account(s) must also be added to the restricted user's Log On To... (Logon Workstations) list.

  1. Identify the machine account names for the Identity Engines Ignition Server(s).
    • Via the command line, run "show version" and note the "NodeName" value. This is the MAC address or machine account name registered in Active Directory. Repeat this on each node if the server is part of an HA (high availability) cluster.
    • Via the Dashboard, select Configuration -> Actions -> Trouble Ticket. The trouble ticket data includes the show version output, so the NodeName value can be read from there as described above.
  2. Locate the user record in the Active Directory Domain (default Domain -> Users).
  3. Edit the user's Properties, select Account -> Log On To...
  4. Add the NodeName machine account names to the user's restricted Computer name list.
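
The same change can be applied from an Active Directory management host with the RSAT ActiveDirectory module. The following script is an added example, not Identity Engines or Active Directory product code: it verifies that each Ignition Server node's computer account exists in the domain, then appends the missing node names to the user's existing Log On To... list (the LogonWorkstations property, which maps to the userWorkstations attribute) without dropping entries already present. The user name and node names are placeholders; substitute the NodeName values read from "show version" on each node.

```powershell
# Added example (not Identity Engines or Microsoft product code).
# Assumptions: RSAT ActiveDirectory module is installed, the running account may
# modify the target user, and the node names are the NodeName values from
# "show version" on each Ignition Server node (placeholders below).

Import-Module ActiveDirectory

$User      = 'testuser'                                          # sAMAccountName of the restricted user
$NodeNames = @('IDENODE1-PLACEHOLDER', 'IDENODE2-PLACEHOLDER')   # one entry per HA node (hypothetical)

# Sanity check: the node must have a computer account in the domain, otherwise
# adding its name to the list cannot help.
foreach ($n in $NodeNames) {
    if (-not (Get-ADComputer -Filter "Name -eq '$n'")) {
        throw "Computer account '$n' not found in Active Directory; re-check the NodeName from 'show version'."
    }
}

# LogonWorkstations is a comma-separated list of NetBIOS computer names.
# An empty value means the account may log on from any computer.
$acct = Get-ADUser -Identity $User -Properties LogonWorkstations

if ([string]::IsNullOrEmpty($acct.LogonWorkstations)) {
    Write-Host "$User has no workstation restriction; Identity Engines is not affected. Nothing to do."
    return
}

# @() keeps these as arrays even when only one element survives the filter,
# so the concatenation below stays an array rather than a joined string.
$current = @($acct.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($NodeNames | Where-Object { $current -notcontains $_ })   # -notcontains is case-insensitive

if (-not $missing) {
    Write-Host "All Ignition Server node names are already in the Log On To... list for $User."
    return
}

# Preserve the user's existing workstation entries and add only the missing nodes.
$updated = @($current + $missing) -join ','
Set-ADUser -Identity $User -LogonWorkstations $updated
Write-Host "Updated LogonWorkstations for $User to: $updated"
```

After the change, re-run the failing authentication and confirm the Access record no longer reports NTLM error 3221225584; if the domain has more than one Ignition Server node, every node's NodeName must appear in the list, since either node may service the request.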
Additional notes
By default, Active Directory LDAP users have no workstation restrictions and can log on from any computer, whatever its computer name. Active Directory LDAP users whose accounts are restricted to log on only from specific workstation computer names will be denied access by Identity Engines.

The Identity Engines Ignition Server while acting as a RADIUS / Active Directory proxy does not impersonate the machine / computer account name of the authenticating client when performing authentication or user lookup requests.

Identity Engines uses its own locally registered machine account on the Active Directory domain to authenticate or perform user lookup requests. If one or both Identity Engines machine accounts (single IDE, or both nodes of an HA high availability IDE pair) are not present in the restricted user account's workstation list, such authentication requests will fail.

An example failure Access log is below:

id:     274229
time:   2014-03-26 20:15:24 GMT
attr_list:
        catId:    10
        msgId:    12
        ADDomainAsset:    Not Applicable
        AssignedAsset:    Not Applicable
        AuthServerName:   
        AuthenticationDecision:    Authentication Failed
        AuthenticatorIpAddr:    192.168.1.1
        AuthenticatorName:    E3000_5Ghz
        AuthenticatorType:    Wireless
        AuthorizationDecision:    Deny
        AuthorizationRuleIds:   
        Calling-Station-Id-Attr:    d022beebfbfe
        CredentialValidationPolicy:    EAP_MSCHAPV2
        Description:    RADIUS Request Rejected
        DeviceMAC:   
        DeviceOSType:   
        DeviceOSVersion:   
        DeviceSubtype:   
        DeviceType:   
        DirectoryServiceName:   
        EmbeddedAsset:    Not Applicable
        Id:    3099002
        InnerIdentity:    identityengines\testuser
        LastAuthException:    Authentication failed: NTLM error: 3221225584 : STATUS_INVALID_WORKSTATION
        LicenseGID:   
        LicenseOID:   
        NAS-IP-Addr-Attr:    192.168.1.1
        NAS-Port-Attr:    46
        PostureProfileName:   
        PostureResult:    Not Applicable
        ProvisioningValues:   
        ResultCode:    0
        ServiceCatName:    default-radius-user
        SubauthenticatorName:   
        TunnelProtocol:    PEAP
        User-Name-Attr:    identityengines\testuser
        UserId:    testuser
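
To find every account affected before touching Active Directory, the exported Access records can be scanned for this specific NTLM error. The following PowerShell is an added example, not part of the article or the Identity Engines product: it splits a record export in the format shown above into individual records and reports the id, time and UserId of each one whose LastAuthException carries STATUS_INVALID_WORKSTATION (or the numeric code 3221225584). The embedded sample is constructed for the example; the first record abbreviates the one shown above, and the second is a hypothetical successful login included so the filter has something to exclude.

```powershell
# Added example (not Identity Engines code): list users hit by STATUS_INVALID_WORKSTATION.
# $sampleLog is constructed for this example; replace it with the contents of a
# real Access record export in the same "id: / time: / attr_list:" layout.
$sampleLog = @'
id:     274229
time:   2014-03-26 20:15:24 GMT
attr_list:
        AuthenticationDecision:    Authentication Failed
        InnerIdentity:    identityengines\testuser
        LastAuthException:    Authentication failed: NTLM error: 3221225584 : STATUS_INVALID_WORKSTATION
        UserId:    testuser
id:     274230
time:   2014-03-26 20:16:02 GMT
attr_list:
        AuthenticationDecision:    Authentication Succeeded
        LastAuthException:    
        UserId:    otheruser
'@

function Get-InvalidWorkstationFailures {
    param([Parameter(Mandatory)][string]$LogText)

    # Each record starts with an "id:" line; split on that (multiline mode) and drop
    # the empty fragment that precedes the first record.
    $records = $LogText -split '(?m)^id:\s*' | Where-Object { $_.Trim() }

    foreach ($r in $records) {
        $lines  = $r -split "`r?`n"
        $fields = @{}
        # Every attribute line is "<Key>:   <value>"; keys may contain hyphens
        # (e.g. Calling-Station-Id-Attr). Only the first colon separates key from value,
        # so values such as the timestamp or the NTLM error text keep their own colons.
        foreach ($line in $lines) {
            if ($line -match '^\s*([\w-]+):\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }
        if ($fields['LastAuthException'] -match 'STATUS_INVALID_WORKSTATION|3221225584') {
            [pscustomobject]@{
                Id     = $lines[0].Trim()          # the remainder of the "id:" line
                Time   = $fields['time']
                UserId = $fields['UserId']
                Reason = $fields['LastAuthException']
            }
        }
    }
}

# Prints one row for record 274229 (testuser) and nothing for the successful login.
Get-InvalidWorkstationFailures -LogText $sampleLog | Format-Table -AutoSize
```

The distinct UserId values in the output are the accounts whose Log On To... list needs the Ignition Server node names added; a user who appears here while other users on the same authenticator succeed is a strong sign that a workstation restriction, not a bad password or a RADIUS policy, is the cause.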
