topic ISE Passive ID Error with WMI Config or Agent Install in Network Access Control

ISE Passive ID Error with WMI Config or Agent Install

paul — Mon, 19 Jun 2017 14:55:09 GMT

I am getting the error below when trying to configure WMI. I almost get a similar error if I try to deploy the agent instead, i.e. remote copy failed to set credentials. I am using a domain admin account and I didn't see anything obvious when I turned on debug for Passive ID and didn't see anything obvious.

I can go through all the steps to check what the Config WMI script is supposed to do, but I thought the only prerequisite to running the Config WMI was the ID used was a member of Domain Admins.

Re: ISE Passive ID Error with WMI Config or Agent Install

Timothy Abbott — Mon, 19 Jun 2017 15:05:10 GMT

You are correct. The only requirements are domain admin privileges as well as the ability for ISE / ISE-PIC to have access through windows firewalls. Check out the troubleshooting section of the ISE-PIC admin guide verify you AD instance is set up properly. Also, we have an ISE-PIC specific community that you can post these types of questions to in the future: Passive Identity Connector (PIC)

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html#id_31521

Regards,

-Tim

Re: ISE Passive ID Error with WMI Config or Agent Install

pramakasha — Thu, 26 Jul 2018 08:03:23 GMT

Hi, I have the same problem "Unable to run executable on dc3.test.corp, The IseExec remote execution functionality failed to read response"

One difference I have 3 DC in one domain.

dc1 is win server 2012 - ISE-PIC works fine

dc2 is win server 2016 (upgraded from win server 2012) -ISE-PIC works fine

dc3 is win server 2016 - ISE-PIC doesn`t works.

Firewall on dc3 is disabled and account from which I connect is domain admin.

ISE dubug constantly shows this massage:

"2018-07-25 15:37:47,334 DEBUG [Thread-19][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = test.corp , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = administrator , Identity Mapping.dc-name = dc3.test.corp , Identity Mapping.dc-host = dc3.test.corp/{ip address} , Identity Mapping.server = ise , Identity Mapping.dc-netBIOS = TEST ,
2018-07-25 15:37:52,220 DEBUG [qtp60830820-14 - /][] com.cisco.idc.dc-probe- [ConfigHandler] configuration-server received request
2018-07-25 15:37:57,222 DEBUG [qtp60830820-13 - /][] com.cisco.idc.dc-probe- [ConfigHandler] configuration-server received request "

Re: ISE Passive ID Error with WMI Config or Agent Install

Jason Kunst — Thu, 26 Jul 2018 18:56:24 GMT

Recommend debug thru tac

Re: ISE Passive ID Error with WMI Config or Agent Install

Michael Bartholomæussen — Tue, 18 Sep 2018 06:47:02 GMT

We just moved a domain controller, by demoting and then promoting it afterwards. Now I receive the same error, and the firewall is ok.

Is there are possibility that all the configuration on the domain controller got rolled back when we demoted it, and have to be done again? Shouldn't the config from ISE automatically apply the proper changes on the DC?

Re: ISE Passive ID Error with WMI Config or Agent Install

Jason Kunst — Tue, 18 Sep 2018 13:03:44 GMT

You made changes on the domain controller and expecting Ise to refresh the config changes? No it’s a one time configuration please rerun it

If you need troubleshooting help work thru tac

Re: ISE Passive ID Error with WMI Config or Agent Install

Michael Bartholomæussen — Tue, 18 Sep 2018 13:09:36 GMT

I read that newer version of ISE takes care of the registry settings etc. Then I only need to "Add DCs", type in user and pass for a account with sufficient privileges, and It should work?

Re: ISE Passive ID Error with WMI Config or Agent Install

Jason Kunst — Tue, 18 Sep 2018 14:44:44 GMT

Here is the admin guide information on it:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#id_31516

some other links:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active-Direct.html

Re: ISE Passive ID Error with WMI Config or Agent Install

Timothy Abbott — Tue, 18 Sep 2018 14:46:19 GMT

Yes. You are correct.

Regards,
Tim

Re: ISE Passive ID Error with WMI Config or Agent Install

Michael Bartholomæussen — Thu, 20 Sep 2018 08:09:19 GMT

something messed up ISE. The configuration on 2 other Domain Controllers were exact the same.
I did a "leave" of both nodes, and then joined them again, then it worked.

Re: ISE Passive ID Error with WMI Config or Agent Install

rzergoi — Fri, 10 May 2019 13:53:05 GMT

The password for the joining user must NOT contain special characters; at least no $ sign......for whatever reason.....

Adding and testing of a passiv-ID connection works with the "wrong" password as well, but the provider stays down.

Environment:

ISE 2.4

Domain Controller 2016

Re: ISE Passive ID Error with WMI Config or Agent Install

blooy — Thu, 18 Aug 2022 19:10:02 GMT

Paul, what was solution? Firewall settings are correct and we are using domain admin account, with same error.

Re: ISE Passive ID Error with WMI Config or Agent Install

frasware — Wed, 07 Feb 2024 16:48:54 GMT

Below is message in the Windows Domain Controller system log: plus a Microsoft knowledge base article

The server-side authentication level policy does not allow the user Domain\[domain id] SID (S-1-5-21-3253444385-1653231566-2523731723-1128) from address [ise-server-ip] to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

After adding the registry entry the PassiveID Domain Controllers > Add > test still fails

Re: ISE Passive ID Error with WMI Config or Agent Install

stayd — Fri, 23 Feb 2024 19:44:12 GMT

WMI as protocol for Agent after KB5004442 does not work properly anymore. You have to change it for MS-RPC protocol.