Security

 View Only

  • 1.  ClearPass Authentiation Error after adding AD-User to Protected Users Security Group

    Posted Jun 20, 2025 07:32 AM
      |   view attached

    Hello community.

    One of my customers uses his on prem AD accounts for administrative login to ClearPass. For this there is a service that uses the AD as authentication source and assigns an authorization to this user in the enforcement according to the groups in the AD, e.g. Super Admin.

    This has worked without any problems so far.

    In the course of securing the AD, the customer has now been advised to add his admin-users to the Windows group "protected users". (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)

    After that, the login for these accounts no longer worked.

    The error message was "Incorrect password for user=... Failed to authenticate user"

    I assume this is because NTLM logins are no longer possible with these accounts.

    Is there a way to connect the ClearPass to the AD in a different way or does the user have to be removed from the group again?



    ------------------------------
    Steffen
    ------------------------------


  • 2.  RE: ClearPass Authentiation Error after adding AD-User to Protected Users Security Group

    Posted Jun 22, 2025 11:48 AM

    Hello Steffen,

    The challenge you are experiencing is related to the restrictions of the Windows "Protected Users" group. According to Microsoft, members of this group cannot use NTLM authentication, which is required for Aruba ClearPass administrator logins via Active Directory.

     Short-term:

    Take the affected admin accounts out of the Protected Users group. This should let you log back in to ClearPass without any issues.

    Long-term:

    If your organization needs to keep the Protected Users group for security reasons, it's best to keep at least one administrative account outside the group for ClearPass, until Kerberos authentication is supported.

    Take a peek at Microsoft, PUG overview.

    Hope this helps you in any way.


    Cheers,

    Vigan




  • 3.  RE: ClearPass Authentiation Error after adding AD-User to Protected Users Security Group

    Posted Jun 23, 2025 02:59 AM

    Hi Vigan,

    thanks for your reply.

    Do you know if aruba has any plans to support Kerberos for Admin-UI-Authentication in the near future?

    Regards



    ------------------------------
    Steffen
    ------------------------------

    Original Message


  • 4.  RE: ClearPass Authentiation Error after adding AD-User to Protected Users Security Group

    Posted Jun 23, 2025 03:46 AM

    Hi Steffen,

    Well, multiple submissions in Innovate requesting support for Kerberos as an authentication source, in light of Microsoft's decision to deprecate NTLM. Below I've provided the link to the Aruba innovation zone discussion.

    https://innovationzone.arubanetworking.hpe.com/ideas/NAC-I-2163

    This feature is now classified as a future consideration

    Cheers,

    Vigan


    Original Message


Related Content