https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026831#M454221 Hello Mike,<BR /><BR />Thanks for the answer.<BR />I have informed the customer about the "Active Directory Account Permissions Required to Perform Various Operations"<BR />For the join operation, the account used is definitely correct. I have already sent to the customer the "Cisco ISE Machine Accounts" permissions in order to double-check.<BR /><BR /> Mon, 10 Feb 2020 14:07:18 GMT kostasthedelegate 2020-02-10T14:07:18Z https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026727#M454013 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>I have a new ISE deployment with two nodes.&nbsp;</P><P>I have a problem with user authentication against Active Directory.&nbsp;</P><P>When I try to authenticate a user I get the following error:</P><P>24371&nbsp;&nbsp;&nbsp; The ISE machine account does not have the required privileges to fetch groups. - ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS</P><P>24371&nbsp;&nbsp;&nbsp; The ISE machine account does not have the required privileges to fetch groups. - xxx-xxx</P><P>&nbsp;</P><P>I have tried this solution&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200780-Fix-Active-Directory-group-retrieval-iss.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200780-Fix-Active-Directory-group-retrieval-iss.html</A></P><P>but if I am not mistaken is per user, so it is not scalable.&nbsp;</P><P>&nbsp;</P><P>The customer says that the accounts have the required privileges.&nbsp;</P><P>Any hint?</P><P>&nbsp;</P><P>Thanks and regards,&nbsp;</P><P>Konstantinos</P> Mon, 10 Feb 2020 10:46:49 GMT https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026727#M454013 kostasthedelegate 2020-02-10T10:46:49Z https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026823#M454220 I would take a peek here: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html</A><BR /> Mon, 10 Feb 2020 13:50:55 GMT https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026823#M454220 Mike.Cifelli 2020-02-10T13:50:55Z https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026831#M454221 Hello Mike,<BR /><BR />Thanks for the answer.<BR />I have informed the customer about the "Active Directory Account Permissions Required to Perform Various Operations"<BR />For the join operation, the account used is definitely correct. I have already sent to the customer the "Cisco ISE Machine Accounts" permissions in order to double-check.<BR /><BR /> Mon, 10 Feb 2020 14:07:18 GMT https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4026831#M454221 kostasthedelegate 2020-02-10T14:07:18Z https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4135967#M562332 <P>Try this fix to reset the computer account permissions:</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200349-ISE-1-3-AD-Authentications-Fail-with-Err.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200349-ISE-1-3-AD-Authentications-Fail-with-Err.html</A></P><P>&nbsp;</P> Fri, 14 Aug 2020 13:15:18 GMT https://community.cisco.com/t5/network-access-control/error-token-groups-insufficient-permissions/m-p/4135967#M562332 avinash4567 2020-08-14T13:15:18Z