Couple of days ago I noticed a strange behavior on network adapter of dozens of clients in my environment. The users were not able to authenticate to their workstations, throwing secure channel error. When one of the helpdesk administrators informed me about this issue, I thought it might be a typical problem of operating system including incorrect DNS configuration or duplicate names, but this was strange because basically everything related to secure channel were in place. Computer accounts were enabled in ADUC, DNS records existed, logintimestamps were updated and etc. So I tried digging in the problem to see what I can find.
At first step, I notified that the NIC of computer showing ‘Unauthenticated’, so I was quite sure that this could be related to issue. I started investigating the NIC for that, but I didn’t find anything related on Event Viewer. After some hours of investigations and making sure that there is no firewall configuration blocking DC and Client communication, I noticed that the problematic operating systems were all deployed using a single image file. So having found out this, duplicate computer SID’s quickly ran through my head. As a result, I guided helpdesk admin on how to do a proper ‘SysPrep’ on one of the problematic clients and share the result. By a ‘Proper’ SysPrep, I mean to make sure that the ‘Generalize’ checkbox is checked which consequently generate a new SID once the PC is restarted.
It fixed the issue, however, SysPrep-ing all those clients was not a fancy solution because each time you do a SysPrep, you need to mess around with possible issues of user profile, outlook etc. Since I’d found out that secure channel was the problem, quickly I jumped in for repairing that secure channel. A quick fix for this issue is to dis-join and re-join the PC to the domain, but I’ve never been a fan of it. Instead I tried using PowerShell cmdlet ‘Reset-ComputerMachinePassword’ and ran it with domain administrator credentials (or possibly someone who has ‘Full Control’ on ‘Computer Account’) and repair secure channel.
One it is done you will need a restart to complete the process, and there is no need to ‘Reset’ computer account within ADUC.