After changing domain (child.domain.net --> domain.net), our Windows 7 clients are no longer able to authenticate to the IAS server (the 802.1x switch port won't allow them onto the network). Clients, the IAS server, and the domain controllers (from the legacy and new domain) are all on the same subnet (so it is not an AD replication issue). The IAS server is a member server, not a DC, of domain.net. I checked the log files and found out that authentication is failing. We are using computer authentication with 802.1x.
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 11/7/2014
Time: 5:19:54 PM
User: N/A
Computer: IASServer
Description:
User host/client.domain.net was denied access.
Fully-Qualified-User-Name = DOMAINNETBIOS\host/client.domain.net
NAS-IP-Address = x.x.x.x
NAS-Identifier =
Called-Station-Identifier = ff-ee-dd-cc-bb-aa
Calling-Station-Identifier = aa-bb-CC-dd-ee-ff
Client-Friendly-Name = mySwitch
Client-IP-Address = x.x.x.x
NAS-Port-Type = Ethernet
NAS-Port = 50339
Proxy-Policy-Name = 802.1x during AD migration
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The computer object can be found in AD right after the domain join takes place (checked it with dsquery from the IAS server). I also tried to fool around with the connection request policies to get the username changed to the proper format of DOMAINNETBIOS\client$, but this did not work as expected.
If we wait for some time (a few hours), the issue resolves itself. I don't know exactly what happens to the client or to AD that would resolve this issue after a few hours.
Did anyone run into a similar issue?
Thanks.
UPDATE 11/11: I found the solution. Apparently, IAS is looking for the ServicePrincipalName and the DNSHostName of the computer object in Active Directory. For one reason or another, the SPN and the DNSHostName do not get updated immediately when joining the new domain. You can update these attributes using ADSIEdit. That fixed the issue for us.
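As an added example (not from the original post), the following PowerShell audits computer objects in the new domain for the stale dNSHostName and HOST/ SPN values the update describes, so the objects IAS will reject with Reason-Code 8 can be listed before clients hit the switch port. It assumes the RSAT ActiveDirectory module is installed and uses the post's domain.net placeholder; remediation is left to ADSIEdit as in the update.

```powershell
# Added example, not code from the original post.
# Assumes the RSAT ActiveDirectory module; 'domain.net' is the post's placeholder domain.
Import-Module ActiveDirectory

function Test-ComputerNameAttributes {
    param(
        [Parameter(Mandatory)] $Computer,           # object returned by Get-ADComputer
        [Parameter(Mandatory)] [string] $DnsSuffix  # new domain suffix, e.g. 'domain.net'
    )
    $name     = $Computer.Name
    $expected = "$name.$DnsSuffix".ToLower()       # FQDN the object should carry now
    $problems = @()

    # IAS resolves host/<fqdn> via dNSHostName; a value still pointing at the
    # child domain yields "The specified user account does not exist" (Reason-Code 8)
    # even though the computer object itself is present.
    $dns = "$($Computer.dNSHostName)".ToLower()
    if ($dns -ne $expected) {
        $problems += "dNSHostName is '$dns', expected '$expected'"
    }

    # The HOST/<fqdn> SPN must also reflect the new suffix.
    $spns = @($Computer.servicePrincipalName)
    if (-not ($spns | Where-Object { $_ -ieq "HOST/$expected" })) {
        $problems += "missing SPN HOST/$expected"
    }
    # Any FQDN-form HOST SPN whose host part is not the expected FQDN is stale
    # (this catches HOST/client.child.domain.net, which a suffix check alone would miss).
    $stale = $spns | Where-Object {
        $_ -imatch '^HOST/[^/]+\.' -and (($_ -replace '^HOST/', '') -ine $expected)
    }
    foreach ($s in $stale) { $problems += "stale SPN $s" }

    [pscustomobject]@{
        Computer = $name
        OK       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Audit every computer object in the new domain and list the ones IAS will reject.
Get-ADComputer -Filter * -Properties dNSHostName, servicePrincipalName |
    ForEach-Object { Test-ComputerNameAttributes -Computer $_ -DnsSuffix 'domain.net' } |
    Where-Object { -not $_.OK } |
    Format-Table Computer, Problems -AutoSize
```

Run it from the IAS server (or any host with RSAT) shortly after joining clients; an empty table means the attributes have caught up and the 802.1x computer authentication should succeed.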