ISE problem "Joined to domain but disconnected"

Unanswered Question
Feb 13th, 2013

Hi all experts.

I recently have experienced this issue.

I have been using ISE 1.1.2.145 joined to AD since the ISE was released, but have never seen this error before.

I did not touch any configuration and I was trying to test CWA with multiple WLCs.

I finished all configuration for CWA, and I was verifying that it is working.

While I was trying to log in as a user on AD, I could not, so I looked at External Identity Sources and that is where it appears.

does anyone know why it is giving me that error ?

The ISE and AD both use the same NTP, the time difference between them is only 1 minute, and the timezone is the same.

Even though they are looking at the same NTP, it is outside of the private network and is isolated.

Also, they are able to ping each other. DNS is working. I don't see why it is not working.

can anyone help me with this problem ?

cisconspasov Thu, 02/14/2013 - 19:31

NTP and timezones are very important for ISE. If both the AD and ISE are using the same NTP server, then there should not be any variance between the two clocks. Can you:

1. Run "show ntp" from CLI and see if the association with the NTP server is correct

2. What happens when you try to connect to AD? (Make sure that the AD account has the proper permissions)


harvisin Tue, 07/09/2013 - 21:28

Hello,

I went through your query and I guess there can be several causes for the issue to persist.

Just want to know if you had run a detailed test connection from the GUI to see if any issues come up?

Without any other data, my first guess would be the DNS name server setting on the CLI. If AD is used, the CLI should contain only DNS servers that know about AD.

For example, having a mix of DNS name servers, some of which don't include AD info, can cause this.

Next steps would be:

  1. Run Detailed test connection, send the output.
  2. Set AD diagnostic debug to full, perform a leave, wait 5 mins to ensure replication or removal of the machine account from AD, perform a join, and download the ad_agent.log for investigation.

Jatin Katyal Wed, 07/10/2013 - 16:36

If you perform a Leave, wait for a few minutes and Join the domain again, does it correct the issue? To identify the cause of this issue, you would really need to capture the ad_agent logs and try to pinpoint what failed with the AD communication. That's the only way to get to the bottom of this.

~BR
Jatin Katyal

**Do rate helpful posts**

cjkozloski Fri, 11/15/2013 - 06:07

I had this issue as well but my NTP settings were correct and the time was not slipped at all.

I logged into the CLI and ran this: #sh logging application ad_agent.log tail

which led me to this error:

2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed

2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.

Go into Active Directory Users and Computers and right click on the computer account object and click reset account.

Which resulted in these log entries:

2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO  samba.interop Attempting interoperability with untested Samba version .

2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC).  Running in connected mode.

2013-11-15T07:58:25.006230-06:00 host-psn1 adclient[10469]: INFO  daemon.main Start trusted domain discovery

2013-11-15T07:58:25.058151-06:00 host-psn1 adclient[10469]: INFO  daemon.main Trusted domain discovery complete : 4 domains found

2013-11-15T07:58:25.058189-06:00 host-psn1 adclient[10469]: INFO  daemon.main Have new domain info map: flushing all negative objects

2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO  base.kerberos.krb5conf Wrote /etc/krb5.conf

That fixed me up. Hope this helps someone else out there.
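The reply above and harvisin's step 2 (collect ad_agent.log and look for what failed with AD) both come down to reading the adclient bind-state lines. Below is an added example, written by the editor and not code from the thread or from Cisco ISE, that parses those lines and reports whether adclient ended up connected or disconnected, to which GC, and why. The sample log is constructed from the lines quoted in the reply above (hostnames kept as posted); the `HINTS` table mapping a reason string to a first fix is the editor's assumption, not something the page states, and the "Clock skew too great" entry covers the NTP case the thread discusses even though no such line appears in the posted log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the adclient lines quoted in the thread above.
# Hostnames and domain are kept exactly as posted; nothing else here is real data.
SAMPLE_LOG = """\
2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.
2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO  samba.interop Attempting interoperability with untested Samba version .
2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC).  Running in connected mode.
2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO  base.kerberos.krb5conf Wrote /etc/krb5.conf
"""

# One adclient syslog line: timestamp, host, "adclient[pid]:", level, category, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+adclient\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>[A-Z]+)\s+(?P<category>\S+)\s+(?P<msg>.*)$"
)
LOST_RE = re.compile(
    r"Lost connection to (?P<peer>\S+)\. Running in disconnected mode: (?P<reason>.+)$"
)
RECONNECT_RE = re.compile(r"Reconnected to (?P<peer>\S+)\.")

# Editor's hint table (assumption, not from the page): substring of the reported
# reason -> the check a practitioner would try first.
HINTS = [
    ("Preauthentication failed",
     "Kerberos pre-auth failed for the machine account: reset the computer "
     "account in AD, then Leave/Join the domain from the ISE GUI."),
    ("Clock skew too great",
     "Kerberos rejected the request for clock skew: check 'show ntp' on ISE "
     "and the DC's time source."),
]


@dataclass
class AdEvent:
    ts: str
    host: str
    level: str
    category: str
    message: str


@dataclass
class Diagnosis:
    state: str = "unknown"        # "connected", "disconnected" or "unknown"
    peer: Optional[str] = None    # GC/DC adclient last bound to
    reason: Optional[str] = None  # text after "disconnected mode:"
    hints: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[AdEvent]:
    """Return the parsed adclient event, or None for lines that are not adclient syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AdEvent(m["ts"], m["host"], m["level"], m["category"], m["msg"])


def diagnose(log_text: str) -> Diagnosis:
    """Walk the log in order; the most recent bind-state event decides the result."""
    d = Diagnosis()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        lost = LOST_RE.search(ev.message)
        if lost:
            d.state, d.peer = "disconnected", lost["peer"]
            d.reason = lost["reason"].strip()
            d.hints = [hint for key, hint in HINTS if key in d.reason]
            continue
        if "Please reset computer account" in ev.message:
            d.hints.append("adclient can no longer use its stored machine password: "
                           "reset the computer object in Active Directory Users and Computers.")
            continue
        recon = RECONNECT_RE.search(ev.message)
        if recon:
            # A successful rebind clears the earlier failure state.
            d.state, d.peer, d.reason, d.hints = "connected", recon["peer"], None, []
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"state={result.state} peer={result.peer} reason={result.reason}")
    for h in result.hints:
        print(" -", h)
```

Run it against the output of `show logging application ad_agent.log tail` saved to a file (replace `SAMPLE_LOG` with the file contents). On the log from the reply above it reports `connected` to odcmsadrw002p.dvn.com(GC) because the reconnect comes last; feeding it only the first two lines, as the log looked before the computer account was reset, gives `disconnected` with the pre-auth reason and both reset hints.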
