Showing results for 
Search instead for 
Did you mean: 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE 2.2+ Single Click Sponsor - Doesn't work for all users

I decided to post something that may be useful to others looking at the Single Click Sponsor Portal Functionality in ISE 2.2+.  I had a weird issue in our environment where some sponsors were able to use the tokenized single-click link from their emails, but other sponsors were being prompted to authenticate to the sponsor portal, even though a token was present in the approve/deny links.

If you have ISE joined to Active Directory in a multi-domain forest, then you have to make sure that the "mail" attribute is globally unique across the entire forest.  It appears that if there are multiple accounts using the same email address on the mail attribute, ISE isn't able to uniquely identify the user as a member of a Sponsor Group and thus requires credentials to log into the sponsor portal.

A quick way to check if the particular user's email address is being used on more than one account, is with this Powershell command:

get-aduser -LDAPFilter "(" -server

Obviously, replace the blue items in the command above with your pertinent information.  The  needs to be in your root domain, and port number (3268) is required, as you are need to search the global catalog so that all domains in the forest are searched for that attribute.  If more than one account is returned, then there's your problem.  You will need to either delete those other accounts, or change the mail attribute on them so that the email address is uniquely assigned to the sponsor's account.

The Active Directory schema does not enforce uniqueness on the mail attribute, but is generally assumed to be unique.  

I hope this helps someone in the future.