topic Re: Please ensure you have the in Network Access Control

Kerberos check SASL connectivity to AD

andrewsigna — Mon, 11 Mar 2019 06:27:14 GMT

Hi!

DNS, AD service, and NTP server all all synced between ISE and the AD instance we are trying to sync here.

The one remaining test that fails is Kerberos, here is the error message:

Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings

Does anyone know how to remedy this situation?

Thanks!

Please ensure you have the

Jatin Katyal — Thu, 04 Feb 2016 03:28:28 GMT

Please ensure you have the below listed network Ports open between the ISE and AD for communication. The error message you have listed suggest that Port 445 (MSRPC) and 88 (kerberos) are blocked in between.

Protocol	Port (remote-local)	Target	Authenticated	Notes
DNS (TCP/UDP)	Random number greater than or equal to 49152	DNS Servers/AD Domain Controllers	No	—
MSRPC	445	Domain Controllers	Yes	—
Kerberos (TCP/UDP)	88	Domain Controllers	Yes (Kerberos)	MS AD/KDC
LDAP (TCP/UDP)	389	Domain Controllers	Yes	—
LDAP (GC)	3268	Global Catalog Servers	Yes	—
NTP	123	NTP Servers/Domain Controllers	No	—
IPC	80	Other ISE Nodes in the Deployment	Yes (Using RBAC credentials)	—

~ Jatin

Re: Please ensure you have the

Willieh13 — Tue, 05 Dec 2017 23:04:00 GMT

I have the same error, and no firewall is installed on the DC.

Re: Please ensure you have the

mprstacic — Fri, 20 Apr 2018 09:49:29 GMT

Coming late to this party, but had the same problem recently.

Adding A record of your AD server to your DNS server resolved this problem for me. These two tests were failing with the exact same error you mentioned.

Kerberos check SASL connectivity to AD

Kerberos test obtaining join point TGT

Something like this was added to DNS

win2008.homelab.local. IN A 192.168.0.100

Re: Please ensure you have the

gagandeeps1 — Wed, 17 Jul 2019 05:49:27 GMT

Can you add more details. I have exactly same problem. I have single node ISE deployment reunning admin, PSN and MnT personas on it.

I am joining ISE node to abc.com domain and on doing nslookup to abc.com i am getting 10.10.10.10 (DC IP). Same DC is running DNS Server too. My ISE server ip is 10.10.10.20.

Could you advise what DNS record i need. Appreciate your help.

Re: Please ensure you have the

Jason Kunst — Thu, 18 Jul 2019 21:19:59 GMT

Please see the requirements under https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#reference_EA017E71F25145C9A1374373ABFA102E

Re: Kerberos check SASL connectivity to AD

torkis.halomoan — Fri, 19 Jun 2020 07:52:08 GMT

Bro, what do you do to solve this issue ? I have same issue with you

Re: Kerberos check SASL connectivity to AD

Willieh13 — Fri, 19 Jun 2020 11:53:09 GMT

Check time between NAC and AD controller. Needs to be within 5 minutes or so or Kerberos will fail.

Re: Kerberos check SASL connectivity to AD

torkis.halomoan — Tue, 23 Jun 2020 08:11:51 GMT

Solved : Troubleshoot with rejoin AD to cisco ISE, Thank you for answer (y).

Re: Kerberos check SASL connectivity to AD

benjamin.gillies — Mon, 30 Nov 2020 01:29:14 GMT

The same thing happened to me and I resolved it by adding a host entry into my forward lookup zone.

Go to your Windows Server DNS manager > forward lookup zones > the zone you have created that your ISE/AD server uses. In my case it is 'mylab.local'
Create a new host entry under that zone.

The name field will be the hostname of ISE. If you are unsure of what it is, check the report under the test details in your diagnostic tool menu. It will mention at the top, 'Diagnostic Report for ISE node: my-ise-server.mylab.local'
Go back to your windows server and enter as your name and then under the IP address field, enter the IP of your ISE node.

Save changes and restart your DNS server service. Then try to re-join your AD in ISE from scratch again.

Thanks all for the pointers!

Re: Kerberos check SASL connectivity to AD

JanusBarinan60286 — Mon, 04 Jan 2021 08:28:45 GMT

I have this same error on one node.

DNS -> check

FW ports -> check

Delegated permission to join for the user account -> check

Able to resolve domain -> check

time sync with Domain Controller -> check

Last option I am looking at is patching ISE.

Does anyone here have a different solution?