https://community.cisco.com/t5/network-access-control/ise-2-6-patch-3-active-directory-profiler-ntlm-errors-from-dc/m-p/4085075#M560386 Looks like this is cosmetic. The wording threw me off, a coworker pointed out that this is an "Allowed" message. Wed, 13 May 2020 15:51:45 GMT t-roy 2020-05-13T15:51:45Z https://community.cisco.com/t5/network-access-control/ise-2-6-patch-3-active-directory-profiler-ntlm-errors-from-dc/m-p/4085065#M560385 <P>Our deployment has the Active Directory Profiling Configuration enabled, and it appears to be working, I see the AD-* attributes for profiled nodes, but Active Directory is logging some interesting "errors" from our ISE node:</P><PRE>05/12/2020 03:58:05 PM LogName=Microsoft-Windows-NTLM/Operational SourceName=Microsoft-Windows-Security-Netlogon EventCode=8004 EventType=4 Type=Information ComputerName=ad-server.domain.name&nbsp; User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Auditing NTLM OpCode=Info RecordNumber=139156223 Keywords=None Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. Secure Channel name:&nbsp;ISE-SERVER User name:&nbsp;workstatoin@domain.name &nbsp;Domain name:&nbsp;domain.name &nbsp;Workstation name: \\ISE-SERVER &nbsp;Secure Channel type: 2 Audit NTLM authentication requests within the domain&nbsp;domain.name&nbsp;that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options. If you want to allow NTLM authentication requests in the domain domain.name, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled. If you want to allow NTLM authentication requests to specific servers in the domain&nbsp;domain.name, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain&nbsp;domain.name&nbsp;to which clients are allowed to use NTLM authentication.</PRE><P>Is there some configuration on the domain controllers I am missing?&nbsp; I verified the ISE-SERVER is joined to the domain, can fetch groups/users, auth is working as expected</P> Wed, 13 May 2020 15:41:32 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-patch-3-active-directory-profiler-ntlm-errors-from-dc/m-p/4085065#M560385 t-roy 2020-05-13T15:41:32Z https://community.cisco.com/t5/network-access-control/ise-2-6-patch-3-active-directory-profiler-ntlm-errors-from-dc/m-p/4085075#M560386 Looks like this is cosmetic. The wording threw me off, a coworker pointed out that this is an "Allowed" message. Wed, 13 May 2020 15:51:45 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-patch-3-active-directory-profiler-ntlm-errors-from-dc/m-p/4085075#M560386 t-roy 2020-05-13T15:51:45Z