https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337538#M598489 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1929025">@mmots</a>&nbsp;have you read the following and made the recommended changes?</P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;"><STRONG>Note</STRONG>: Currently, Cisco ISE integration with Microsoft Windows Active Directory 2025 requires configuration changes in the Active Directory Domain Controller. For more information, see <A href="https://bst.cisco.com/bugsearch/bug/CSCwn62873" target="_blank" rel="noopener">CSCwn62873</A>.</P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;"><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html</A></P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;">&nbsp;</P> Fri, 10 Oct 2025 12:48:44 GMT Rob Ingram 2025-10-10T12:48:44Z https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337537#M598488 <P>&nbsp;</P><P>Hi, we are testing ISE 3.5. We aren't able to join to AD , on tcp dump we found that the join stop at:&nbsp;</P><P>271 1.817231 10.0.10.10 10.0.10.15 SAMR 166 ChangePasswordUser2 response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED</P><P>We use 2 DC controller with WS2025. Such last try, we add the join user to "domain admin". We try also to grand FULL CONTROL to the user, delete the machine, reset ISE to factory default but the join still fail. Before this packet, there are a lot of other SAMR successfully exchange between ISE and DC. This is the join log (machine existing during this join)&nbsp;</P><P>Error Description: Access is denied</P><P>Support Details...<BR />Error Name: ERROR_ACCESS_DENIED<BR />Error Code: 5</P><P>Detailed Log:<BR />14:37:09 Joining to domain ITTS.mydomain.COM using user ise_join_svc@itts.mydomain.com<BR />14:37:09 Searching for DC in domain ITTS.mydomain.COM<BR />14:37:09 Found DC: Dcmydomain02.itts.mydomain.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name<BR />14:37:09 Checking credentials for user ise_join_svc@itts.mydomain.com<BR />14:37:09 Getting TGT for account ise_join_svc@ITTS.mydomain.COM<BR />14:37:09 TGT for account ise_join_svc@ITTS.mydomain.COM was retrieved successfully<BR />14:37:09 Credentials for user ise_join_svc@itts.mydomain.com were verified<BR />14:37:09 Searching for DC in domain ITTS.mydomain.COM<BR />14:37:09 Found DC: Dcmydomain02.itts.mydomain.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name<BR />14:37:09 Generating account name for ISE machine in ITTS.mydomain.COM<BR />14:37:09 Searching for an existing machine account<BR />14:37:09 Searching object by filter : (&amp;(objectCategory=computer)(servicePrincipalName=host/tsmxsvise01.itts.mydomain.com))<BR />14:37:09 Account: tsmxsvise01 was found<BR />14:37:09 ISE Machine account name is : TSMXSVISE01$<BR />14:37:09 Creating machine account TSMXSVISE01$<BR />14:37:09 Connecting to AD using DC Dcmydomain02.itts.mydomain.com<BR />14:37:09 Connection to Dcmydomain02.itts.mydomain.com established<BR />14:37:09 Opening domain mydomain<BR />14:37:09 Domain mydomain was opened successfully<BR />14:37:09 Machine account: TSMXSVISE01$ already exists , opening account.<BR />14:37:09 Machine account TSMXSVISE01$ was opened successfully<BR />14:37:09 Querying account TSMXSVISE01$ info<BR />14:37:09 Account TSMXSVISE01$ information was retrieved successfully<BR />14:37:09 Enabling machine account : TSMXSVISE01$<BR />14:37:09 Machine account TSMXSVISE01$ was enabled successfully<BR />14:37:09 Setting password for account : TSMXSVISE01$<BR />14:37:09 Password for account: TSMXSVISE01$ was setted successfully<BR />14:37:09 Account TSMXSVISE01$ was created successfully<BR />14:37:09 Verify that machine account: TSMXSVISE01$ is accessable<BR />14:37:09 Searching object by filter : (&amp;(objectClass=computer)(sAMAccountName=TSMXSVISE01$))<BR />14:37:09 Machine account TSMXSVISE01$ is accessable with DN: CN=TSMXSVISE01,OU=ISE_Servers,DC=itts,DC=mydomain,DC=com<BR />14:37:09 Setting attributes to object: CN=TSMXSVISE01,OU=ISE_Servers,DC=itts,DC=mydomain,DC=com<BR />14:37:09 Setting attribute dNSHostName : tsmxsvise01.itts.mydomain.com to object<BR />14:37:09 Attribute dNSHostName : tsmxsvise01.itts.mydomain.com was setted successfully<BR />14:37:09 Setting attribute servicePrincipalName : HOST/tsmxsvise01.itts.mydomain.com to object<BR />14:37:09 Attribute servicePrincipalName : HOST/tsmxsvise01.itts.mydomain.com was setted successfully<BR />14:37:09 Setting attribute servicePrincipalName : HTTP/tsmxsvise01 to object<BR />14:37:09 Attribute servicePrincipalName : HTTP/tsmxsvise01 was setted successfully<BR />14:37:09 Setting attribute operatingSystem : Cisco Identity Services Engine to object<BR />14:37:09 Attribute operatingSystem : Cisco Identity Services Engine was setted successfully<BR />14:37:09 Setting attribute operatingSystemVersion : 3.5.0.527 to object<BR />14:37:09 Attribute operatingSystemVersion : 3.5.0.527 was setted successfully<BR />14:37:09 Setting attribute userAccountControl : 4096 to object<BR />14:37:09 Attribute userAccountControl : 4096 was setted successfully<BR />14:37:09 Setting attribute msDS-SupportedEncryptionTypes : 28 to object<BR />14:37:09 Attribute msDS-SupportedEncryptionTypes : 28 was setted successfully<BR />14:37:09 Attributes was setted successfully</P><P>&nbsp;</P> Fri, 10 Oct 2025 12:40:50 GMT https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337537#M598488 mmots 2025-10-10T12:40:50Z https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337538#M598489 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1929025">@mmots</a>&nbsp;have you read the following and made the recommended changes?</P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;"><STRONG>Note</STRONG>: Currently, Cisco ISE integration with Microsoft Windows Active Directory 2025 requires configuration changes in the Active Directory Domain Controller. For more information, see <A href="https://bst.cisco.com/bugsearch/bug/CSCwn62873" target="_blank" rel="noopener">CSCwn62873</A>.</P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;"><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html</A></P> <P class="pChart_bodyCMT" style="font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; margin: 3pt;">&nbsp;</P> Fri, 10 Oct 2025 12:48:44 GMT https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337538#M598489 Rob Ingram 2025-10-10T12:48:44Z https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337545#M598491 <P>Hi, many thanks. We forgotten to change this:&nbsp;&nbsp;<SPAN>Under the "Options" section, choose "Allow all change password RPC methods."</SPAN></P> Fri, 10 Oct 2025 13:12:38 GMT https://community.cisco.com/t5/network-access-control/ise-3-cannot-join-in-ad/m-p/5337545#M598491 mmots 2025-10-10T13:12:38Z