topic can't join AD from ISE in Network Access Control

can't join AD from ISE

andrea-florio — Fri, 31 May 2024 09:48:12 GMT

Trying to join AD but we get this:

Err

or Description:

Support Details...
Error Name: LW_ERROR_LDAP_CONSTRAINT_VIOLATION
Error Code: 40315

Detailed Log:

Error Description :
Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute

Error Resolution :
Please Check For Sufficient Permissions To Create User Object , If The User Has The Sufficient Permissions Please Try To Join Again.

Join Steps :
09:36:49 Joining To Domain EU.xxxxx.COM Using User Svc-mi-Infraservices@xxxxx.com
09:36:49 Searching For DC In Domain EU.xxxxx.COM
09:36:53 Found DC: xxxx.eu.xxxxx.com , Client Site Is xxxx , Dc Site Is xxxxx
09:36:53 Checking Credentials For User Svc-mi-Infraservices@xxxxx.com
09:36:53 Getting TGT For Account Svc-mi-Infraservices@xxxxx.COM
09:36:53 TGT For Account Svc-mi-Infraservices@xxxxx.COM Was Retrieved Successfully
09:36:53 Credentials For User Svc-mi-Infraservices@xxxxx.com Were Verified
09:36:53 Searching For DC In Domain EU.xxxxx.COM
09:36:56 Found DC: EU-xxxxx.eu.xxxxx.com , Client Site Is xxxxx , Dc Site Is xxxxx
09:36:56 Generating Account Name For ISE Machine In EU.xxxxx.COM
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectCategory=computer)(servicePrincipalName=host/my-cisco-ise01.eu.xxxxx.com))
09:36:56 Account: my-cisco-ise01 Was Not Found
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:56 Account: xxxxx-0GJRLDB$ Was Found
09:36:56 ISE Machine Account Name Is : xxxxx-0GJRLDB$
09:36:56 Creating Machine Account xxxxx-0GJRLDB$
09:36:56 Connecting To AD Using DC EU-xxxxx.eu.xxxxx.com
09:36:56 Connection To EU-xxxxx.eu.xxxxx.com Established
09:36:57 Opening Domain HM-EU
09:36:57 Domain HM-EU Was Opened Successfully
09:36:57 Machine Account: xxxxx-0GJRLDB$ Already Exists , Opening Account.
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Opened Successfully
09:36:57 Querying Account xxxxx-0GJRLDB$ Info
09:36:57 Account xxxxx-0GJRLDB$ Information Was Retrieved Successfully
09:36:57 Enabling Machine Account : xxxxx-0GJRLDB$
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Enabled Successfully
09:36:57 Setting Password For Account : xxxxx-0GJRLDB$
09:36:57 Password For Account: xxxxx-0GJRLDB$ Was Setted Successfully
09:36:57 Account xxxxx-0GJRLDB$ Was Created Successfully
09:36:57 Verify That Machine Account: xxxxx-0GJRLDB$ Is Accessable
09:36:57 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:57 Machine Account xxxxx-0GJRLDB$ Is Accessable With DN: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attributes To Object: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attribute DNSHostName : my-cisco-ise01.eu.xxxxx.com To Object
09:36:57 Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute

any idea what's wrong?

Re: can't join AD from ISE

Torbjørn — Fri, 31 May 2024 10:23:04 GMT

It seems that the user account you are joining the ISE to AD with is unable to edit the machine object.

Note that the user you are adding ISE to AD with is only used during the process of joining. You can hence likely use your regular "admin" credentials for this instead of using a limited permissions service account.

Re: can't join AD from ISE

MHM Cisco World — Fri, 31 May 2024 14:24:02 GMT

https://www.beyondtrust.com/docs/ad-bridge/how-to/error-codes/lw-error-ldap-constraint-violation.htm

check above

MHM

Re: can't join AD from ISE

balaji.bandi — Sat, 01 Jun 2024 07:11:45 GMT

Are you admin of LDAP - if so suggest to create a Service account which has right to join ISE in to Domain.

Second check any already added Entries of ISE - If so delete and try again.

Cannot Set Attribute DNSHostName - check also is the DNS Entry for the ISE is correct (verify)

Re: can't join AD from ISE

Jonny Bacoz — Sat, 01 Jun 2024 14:02:47 GMT

The error code 40315, known as "LW_ERROR_LDAP_CONSTRAINT_VIOLATION," signifies an issue encountered while configuring the DNSHostName attribute for the machine account in Active Directory. This problem usually arises due to insufficient permissions granted to the user account responsible for the operation or due to limitations within the AD schema. To resolve this, ensure that the user possesses the required permissions to create and modify computer objects within the domain. Additionally, verify that the value assigned to the DNSHostName attribute adheres to the AD schema requirements and that no policies or constraints are impeding the update.