https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4013980#M454881 <P>To use the fix, we need configure a registry key in AD Advanced Tuning page in ISE:</P> <P>Registry Key:<BR />REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\WorkaroundForFalseFailedLoginEvent</P> <P>By default the registry key is set to NO.</P> <P>Set it to YES to use the fix.</P> Sat, 18 Jan 2020 18:26:02 GMT hslai 2020-01-18T18:26:02Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001456#M454875 <P>I am seeing what is described here:</P> <P>&nbsp;</P> <P><A href="https://social.technet.microsoft.com/Forums/en-US/d2869c14-a0e8-4084-b555-6172cd9c703a/cisco-ise-and-ad-authentication?forum=winserverDS" target="_self">https://social.technet.microsoft.com/Forums/en-US/d2869c14-a0e8-4084-b555-6172cd9c703a/cisco-ise-and-ad-authentication?forum=winserverDS</A>&nbsp;</P> <P>&nbsp;</P> <P>The poster describes forcing ISE to use Kerberos instead of MS-RPC.&nbsp; I don't see any setting like that in ISE.&nbsp; I know when I do a&nbsp; Test User against AD I can simulate this exact issue.&nbsp; When I use MS-RPC I get the duplicate 4776 logs on the domain controller (failure followed by a success).&nbsp; If I changed to Kerberos life is good.&nbsp; Just not sure how to force ISE to use Kerberos for 802.1x auth.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 19 Dec 2019 18:26:36 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001456#M454875 paul 2019-12-19T18:26:36Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001586#M454876 <P>There is an option in ISE under External Identity Sources-&gt;Active Directory-&gt;&lt;Your Domain&gt;-&gt;"Advanced Authentication Settings" called "Use Kerberos for Plain Text Authentication".&nbsp; I think that may force ISE to use Kerberos instead of MS-RPC.&nbsp; If that doesn't work, then you can block TCP/UDP/135 at a firewall and ensure that TCP/88 is open.</P> Thu, 19 Dec 2019 23:01:20 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001586#M454876 Colby LeMaire 2019-12-19T23:01:20Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001635#M454877 Yeah we aren’t doing plain text authentication. I saw that setting as.well.<BR /> Fri, 20 Dec 2019 02:19:55 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4001635#M454877 paul 2019-12-20T02:19:55Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4012587#M454878 Thu, 16 Jan 2020 12:54:41 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4012587#M454878 supporto rai 2020-01-16T12:54:41Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4012625#M454879 <P>I saw the same issue while migrating fron ACS to ISE 2.3 LWA authentication.</P><P>Since PAP authentication was involved I got rid of the duplicated events switching from RPC to kerberos for plain text protocols.</P><P>This was against cisco recommendation bus our AD forest is quite simple so I took the risk.</P><P>Now we are migrating wired and wireless dot1x to ISE as well and the issue is present again because of peap ms-chapv2, this is a not plain text protocol so I am afraid that user can be authenticated just with NTLM over RPC because ISE migth not be able to know user password and do "kerberos proxy".</P><P>The good news is that at the end Cisco admitted that</P><P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf45991/?rfs=iqvred" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf45991/?rfs=iqvred</A></P><P>is not a microsoft only issue.</P><P>It seems that patch 10 for ISE 2.4 fixed it.</P><P>We are going to install patch 11 finger crossing</P><P>Regards</P><P>MM</P> Thu, 16 Jan 2020 12:57:08 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4012625#M454879 marco.merlo 2020-01-16T12:57:08Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4013483#M454880 <P>Hi patch 11 did not solve the issue.</P><P>MM</P> Fri, 17 Jan 2020 14:36:35 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4013483#M454880 marco.merlo 2020-01-17T14:36:35Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4013980#M454881 <P>To use the fix, we need configure a registry key in AD Advanced Tuning page in ISE:</P> <P>Registry Key:<BR />REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\WorkaroundForFalseFailedLoginEvent</P> <P>By default the registry key is set to NO.</P> <P>Set it to YES to use the fix.</P> Sat, 18 Jan 2020 18:26:02 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4013980#M454881 hslai 2020-01-18T18:26:02Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4014416#M454882 Great.<BR />The advanced tuneing page reports<BR />"This page should only be used under instruction from Cisco Support. Parameter values can be adjusted to tune the Active Directory Connection"<BR />Should I ask TAC for support?<BR />Regards<BR />MM<BR /> Mon, 20 Jan 2020 07:32:40 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4014416#M454882 marco.merlo 2020-01-20T07:32:40Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4014732#M454883 <P>Sure, if you like.</P> <P>Please keep in mind that the two failure audit log entries is due to DC trying its local DB first before reaching out to the real AD.&nbsp;This happens because ISE uses UPN.</P> <P>The fix with the registry key is to use sAMAccountName with a non-empty domain name. This may potentially cause ambiguity, as it's not as unique as UPN.</P> <P>Thus, my recommendation is not to use it unless sAMAccountName is real unique in your deployment(s).</P> Mon, 20 Jan 2020 15:52:48 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4014732#M454883 hslai 2020-01-20T15:52:48Z https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4015078#M454884 <P>Thank you very much.</P><P>Actually on our ActiveDirectory&nbsp;<SPAN>sAMAccountName</SPAN>&nbsp; are unique even between trusted domains, anyway&nbsp; we have just one kerberos realm per domain. So if with this configuration ise sends&nbsp;sAMAccountName&nbsp; along with NTB domain name, it should work.</P><P>Do you think the patch might&nbsp; rise some issue in trusted domain searches given that there are not duplicated&nbsp;sAMAccountName between trusted domain?</P><P>I asked our TAM to reach for ISE BU and ask them to write down some official documentation about this patch.</P><P>I saw that the configuration makes AD connector to restart with less then a minute traffic disruption but TAC is not able to confirm because of lack of documentation</P><P>Regards</P><P>MM</P> Tue, 21 Jan 2020 06:50:47 GMT https://community.cisco.com/t5/network-access-control/ad-security-event-4776/m-p/4015078#M454884 marco.merlo 2020-01-21T06:50:47Z