topic Re: FMC AD Join test failed in Network Security

FMC AD Join test failed

sherali mamatkarimov — Wed, 03 Jan 2024 05:11:50 GMT

Hello everyone i want to configure identity policy on FMC with Active Directory Kerberos, on guide written The Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication. but when i testing AD Join there is error. AD Join test failed credintials are same with LDAP Realms, Group and User sync works.

Re: FMC AD Join test failed

MHM Cisco World — Wed, 03 Jan 2024 06:51:49 GMT

System->Integration
then add realm and directory

MHM

Re: FMC AD Join test failed

sherali mamatkarimov — Wed, 03 Jan 2024 09:25:50 GMT

Realm already added, screenshots higher are settings of exsisting realm

Re: FMC AD Join test failed

Marius Gunnerud — Wed, 03 Jan 2024 09:31:33 GMT

Are the AD server and FMC on the same subnet? If not make sure that access rule allows the connection between FMC and AD.

Re: FMC AD Join test failed

MHM Cisco World — Wed, 03 Jan 2024 09:37:17 GMT

Can you from AD ping FMC mgmt IP?

I think it reachability issue

MHM

Re: FMC AD Join test failed

sherali mamatkarimov — Wed, 03 Jan 2024 09:46:49 GMT

No problem with access rule i can load groups and users

Re: FMC AD Join test failed

sherali mamatkarimov — Wed, 03 Jan 2024 09:47:29 GMT

No problem with access rule i can load groups and users

Re: FMC AD Join test failed

MHM Cisco World — Wed, 03 Jan 2024 09:52:43 GMT

The first step of AD joint test is resolved the AD fqdn to IP.

So check this step

MHM

Re: FMC AD Join test failed

Marius Gunnerud — Wed, 03 Jan 2024 11:07:48 GMT

Keep in mind that the username on the Realm Configuration page is not LDAP, it is Kerberos. Be sure that tcp/udp 88 and 464 is permitted.

Other things to consider are from the following output of the 7.2.x administration guide:

AD Join Username and AD Join Password
(Available on the Realm Configuration tab page when you edit a realm.)
For Microsoft Active Directory realms intended for Kerberos captive portal active authentication, the distinguished username and password of any Active Directory user with appropriate rights to create a Domain Computer account in the Active Directory domain.

Keep the following in mind:

DNS must be able to resolve the domain name to an Active Directory domain controller's IP address.

The user you specify must be able to join computers to the Active Directory domain.

The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).

If you choose Kerberos (or HTTP Negotiate, if you want Kerberos as an option) as the Authentication Protocol in an identity rule, the Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/identity-realms.html#task_F9ED2AF84F604438ACDC2124237DC518

Re: FMC AD Join test failed

sherali mamatkarimov — Thu, 04 Jan 2024 06:36:37 GMT

1. DNS resloving domain name. Pinging domain name from CLI FMC

2. User have super-administrator role

3. Username FQDN

Re: FMC AD Join test failed

sherali mamatkarimov — Thu, 04 Jan 2024 06:40:10 GMT

if i ping AD fqdn from CLI FMC hostname resolving and ping is success

Re: FMC AD Join test failed

dotran — Thu, 02 May 2024 13:59:18 GMT

Were you able to resolve this issue? I have the same problem. I think the last change I made that broke this was to disable some older cipher suite (3DES) on our Windows DC. Not sure it is related but authenticated via Kerberos for Remote Storage doesn't work either. I opened a TAC on that one and they said feature doesn't exist in 7.2.

Re: FMC AD Join test failed

sherali mamatkarimov — Sat, 01 Jun 2024 09:16:29 GMT

haven't resolved yet

Re: FMC AD Join test failed

Yordan1 — Tue, 25 Jun 2024 14:21:12 GMT

still not resolved ?

Re: FMC AD Join test failed

jesper riisbjerg hansen — Thu, 11 Jul 2024 10:59:43 GMT

still not resolved ?

Re: FMC AD Join test failed

Kasper Elsborg — Mon, 21 Jul 2025 16:57:01 GMT

I have the same problem, however it seems like its only the test that fails. I am able to retrieve groups and sync users.

Re: FMC AD Join test failed

Kasper Elsborg — Mon, 21 Jul 2025 16:58:27 GMT

strange after a few tries it actually works.

Re: FMC AD Join test failed

IT VHW — Wed, 17 Dec 2025 05:43:41 GMT

I had the same problem; how did you solve it?

Re: FMC AD Join test failed

Bo J — Mon, 09 Mar 2026 16:18:52 GMT

Check your Active Directory to see if that device has not already joined.