VIP Advocate

Referential Integrity error - the most useless error message of all times

I have spent over an hour and I still cannot find out why I cannot delete an AD join point.  Yes I know, *somewhere* in that forest of menu options is some little thing that is preventing me.  But the application knows there is a problem but it tortures the user unnecessarily.

Can someone please give me an SQL command or something to find out what dependencies my AD Join Point has, to put me out of my misery?

Cisco Employee

Re: Referential Integrity error - the most useless error message of all times

If prior to 2.2, you might be hitting CSCva73322. Please engage Cisco TAC on this.

VIP Advocate

Re: Referential Integrity error - the most useless error message of all times

This is 2.2 patch 2.

I had the TAC engaged yesterday for another issue and we poked around in Oracle a bit.  If I knew my way around the schema I'd be running an SQL query to find the dependencies.

In the longer term, having more expressive error messages would be a great thing.

VIP Engager

Re: Referential Integrity error - the most useless error message of all times

I am assuming you checked all the usual spots:

  1. Is it referenced in an External Identity Source Sequence?
  2. Is it referenced directly in any RADIUS or Device Administration Policy Sets?
  3. Is it referenced in the Admin Access configuration (i.e. you pointed the ISE GUI at it for AD auth)?

Those are the only spots off the top of my head where it could be referenced.  I am sure I am missing some more. 

VIP Advocate

Re: Referential Integrity error - the most useless error message of all times

Thanks - I have checked those at least three times over - I even clicked into settings I have never touched before, just in case I missed something.  The back story is that I had a Join Point called CORP, and then later I added a second join point called RES.  RES has AD trust relationship to many other domains (including CORP).  So I changed all my config to use RES instead - and this works like a charm.  I deleted all the CORP Groups that I had added, and I also managed to Leave CORP domain.  I just cannot delete the Join Point.

So far we use AD only for Admin GUI, Sponsor Portal admin groups and TACACS Policy Sets.

Cisco Employee

Re: Referential Integrity error - the most useless error message of all times

CSCuc55997 is one such enhancement.

AD can also be used in the sponsor group policy, client provisioning and posture policies.