topic Re: Lab deployment - Can't join ISE to Windows AD in Network Access Control

Lab deployment - Can't join ISE to Windows AD

dpgator1975 — Sat, 30 Nov 2024 17:35:46 GMT

I am trying to do some lab testing, and have deployed ISE and Windows AD. They are Proxmox guest VMs, configured on the same subnet and on the same host. Server is 2025 version, ISE is 3.4.0.608. The user I am authenticating with is a domain and enterprise admin in AD. ISE is using the DC for NTP, which is using a NIST server for NTP.

Relevant logs I know of and have captured. (identifying info obfuscated with "x")

"show ntp" -

Configured NTP Servers:
dc1.xxx.xxx
Reference ID : 0A0A0A0A (DC1.xxx.xxx)
Stratum : 3
Ref time (UTC) : Sat Nov 30 17:30:33 2024
System time : 0.000000462 seconds slow of NTP time
Last offset : +0.000491446 seconds
RMS offset : 0.007088298 seconds
Frequency : 41.210 ppm fast
Residual freq : +0.756 ppm
Skew : 9.433 ppm
Root delay : 0.107027695 seconds
Root dispersion : 0.077161357 seconds
Update interval : 65.0 seconds
Leap status : Normal

MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC1.xxxx.xxx 2 6 377 32 +286us[ +777us] +/- 142ms

"show clock" matches the clock on the DC to the second.

From the GUI upon failing to join AD

Error Description: ASN.1 failed call to system time library

Support Details...
Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701

From ISE ad_agent.log;

2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::isBestDC: dc=[DC1.xxxx.xxx], address=[10.10.10.10] was not found in score map,,lwadvapi/threaded/dc_pri_list.cpp:449
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::getDCScoreByAddress: dc=[DC1.xxxx.xxx], address=[10.10.10.10] not found,,lwadvapi/threaded/dc_pri_list.cpp:467
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
2024-11-30 09:13:14,660 ERROR ,140372644554496,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:369
2024-11-30 09:13:14,726 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226

Wireshark packet capture notable entries

290 09:23:33.103832 10.10.10.10 10.10.10.6 KRB5 299 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

292 09:23:33.107427 10.10.10.10 10.10.10.6 KRB5 130 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG

Other packets in the conversation look normal - query responses contain required records, etc.

Security Event Logs on the domain controller show two events for Kerberos Authentication Service that appear normal/successful - the "Response ticket hash" is shown.

Really not sure where to go here. This is a lab and while I have licensed ISE at work this is a trial install so no TAC option I don't believe.

Re: Lab deployment - Can't join ISE to Windows AD

Mark Elsen — Sun, 01 Dec 2024 11:13:55 GMT

- Checkout the Accepted Answer from https://learn.microsoft.com/en-us/answers/questions/1339208/how-to-solve-krb-err-response-too-big-error-at-ser
Related: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/group-policy-add-maxtokensize-registry-entry

Re: Lab deployment - Can't join ISE to Windows AD

FireflyNemo — Sun, 08 Dec 2024 17:24:18 GMT

Hi,

I think the problem is this

Server’s Kerberos authentication fails with Windows 2025 Canary beta public release as KRB_KDC_REP KerberosTime date over year 2038:
21000914024805Z <<< September 14th 2100

I think we need to wait for a patch.

Re: Lab deployment - Can't join ISE to Windows AD

dpgator1975 — Mon, 09 Dec 2024 19:35:40 GMT

I'm not using a beta, but I have considered just wiping and starting over with Server 2022 or even 2019 just to rule out the bleeding edge factor

Re: Lab deployment - Can't join ISE to Windows AD

dpgator1975 — Mon, 09 Dec 2024 19:35:54 GMT

I tried this before. No luck.

Re: Lab deployment - Can't join ISE to Windows AD

FireflyNemo — Tue, 10 Dec 2024 09:46:22 GMT

I have the same trouble on final release version Windows 2025.

Windows 2025 Domain Controller - the same error - Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT

Windows 2022 Domain Controller - work

This is trouble with ticket live time shift in Kerberos .

Re: Lab deployment - Can't join ISE to Windows AD

FireflyNemo — Thu, 09 Jan 2025 09:07:05 GMT

https://bst.cisco.com/quickview/bug/CSCwn62873

Re: Lab deployment - Can't join ISE to Windows AD

twadolow — Fri, 10 Jan 2025 22:34:01 GMT

Hello, @FireflyNemo thank you for attaching the bug to the discussion.
I am a TAC AAA Engineer who submitted the defect, as I was researching and doing lab repro regarding this.
Also I wanted to mention very good log analysis done by @dpgator1975.

Re: Lab deployment - Can't join ISE to Windows AD

Network Diver — Sun, 23 Feb 2025 12:00:26 GMT

We ran into same issue. We're running ISE 3.1.0.518 patch 9 and our Windows team just upgraded the Windows domain controller to 2025. Bug CSCwn62873 says to downgrade to Windows 2022.

Also affected is Firewall Management Center Version 7.4.2.1 (build 30)

Is there an ETA for a bugfix?

Re: Lab deployment - Can't join ISE to Windows AD

th3r1dd1ck — Fri, 28 Feb 2025 04:55:33 GMT

Is there a timeline to Patch ISE with a fix? We are in production and cannot downgrade.

Re: Lab deployment - Can't join ISE to Windows AD

Network Diver — Fri, 28 Feb 2025 05:33:53 GMT

Don't know an ETA either, but our workaround was to promote two new domain controllers running on Windows 2022 and then set those as preferred using advanced tuning settings:

Here is the step by step guide on how to point the ISE server to only specific DCs in the AD domain:
Navigate to:
1. External-ID-Stores -> Active Directory -> Advanced Tools -> Advanced Tuning
2.Select the ISE node you want to change
3.The 'Name' field gets the specific REGISTRY string given below:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\<Domain Name>
Example: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\cisco.com
4. The 'Value' field is where you indicate the DC, or list of DCs separated by a space
<The DC's hostname>
Example: dc1.cisco.com dc2.cisco.com
5.Update the value and after that restart the AD connector.

https://community.cisco.com/t5/network-access-control/how-to-choose-the-priority-for-a-specific-ad-server-to-be-the/td-p/4423367

Also other Non-Windows systems using Active Directory are affected:

Cisco Firewall Management Center
Netapp Cluster

[OUTGOING SUSPECTED SPAM] - Re: Lab deployment - Can't join ISE to Windows AD

th3r1dd1ck — Fri, 28 Feb 2025 12:43:08 GMT

There is no way to join a new DC to an AD that is set at 2025 functional level and there is now way to back it down from 2025 to 2016 functional level.

Re: [OUTGOING SUSPECTED SPAM] - Re: Lab deployment - Can't join ISE to

Network Diver — Fri, 28 Feb 2025 13:18:27 GMT

Luckily our Windows admin noticed that he can't login with AnyConnect VPN anymore before he could continue to set the domain controller to functional level for 2025. And I fear to install any untested Cisco SOS hotifixes because usually they break something else.

Re: [OUTGOING SUSPECTED SPAM] - Re: Lab deployment - Can't join ISE to

JanWillems — Sat, 01 Mar 2025 13:15:32 GMT

We are also affected by this bug, unfortunately there is no way back from this functional level 2025: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

Re: Lab deployment - Can't join ISE to Windows AD

Mahesh Rena — Fri, 07 Mar 2025 06:31:23 GMT

Hi , im using WIN2022 DC still getting same error

Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701

Any leads

Re: Lab deployment - Can't join ISE to Windows AD

Network Diver — Fri, 07 Mar 2025 07:45:17 GMT

This combination works in our environment:

Cisco ISE 3.1.0.518, patch 9
Windows 2022 DC + 2025-02 cumulative update 21H2

Re: Lab deployment - Can't join ISE to Windows AD

jaydoer1 — Mon, 17 Mar 2025 15:26:41 GMT

Upgrade to Windows 2025 active directory has caused issues to our ISE environment as well. Have a TAC case opened

Re: Lab deployment - Can't join ISE to Windows AD

Network Diver — Wed, 23 Apr 2025 12:42:06 GMT

Reply from TAC:

Currently, the only workaround for the bug CSCwn62873 is to install a hot patch on the deployment. However, this is only available for ISE version 3.3 patch 4 and 3.2 patch 7.
It is expected that this bug will be fixed in the following versions of ISE: 3.4 patch 2, 3.3 patch 6 and 3.2 patch 8. Unfortunately, I don't have any information regarding an estimated date for a fix for this bug for ISE 3.1.

That being said, you can integrate ISE with Active Directory 2022, which is the latest version of AD that is compatible with ISE 3.1, or upgrade ISE to a newer version that already has a hot patch that can be applied.

You can check more detailed information regarding ISE compatibility with AD in this link:https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html

Re: Lab deployment - Can't join ISE to Windows AD

Network Diver — Wed, 30 Apr 2025 05:52:06 GMT

FYI: Same Windows 2025 issue also affects AD integration of other non-Windows systems:

Red Hat Linux: https://access.redhat.com/solutions/7100465
Netapp Filers: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-Issues/CONTAP-347583
Cisco Firewall Management Center

From Netapp support I've heard that a fix from Microsoft may come with the May patch day.

Re: Lab deployment - Can't join ISE to Windows AD

Shorty — Sat, 12 Jul 2025 04:15:22 GMT

This is working on Cisco ISE 3.4 Patch 2 and Windows Server 2025.

See this Bug ID and the available workarounds: CSCwn62873 : Bug Search Tool

You need to make a change to Group Policy for your Domain Controllers to get it working. So when you're on 3.4 Patch 2 with the appropriate Group Policy updates, it works immediately.