ISE-PIC with AD

fcaceres
Level 1

Hi, 

I am trying to integrate ISE-PIC with AD WIN Server 2019. When I configure PassiveID, I get the following error:

fcaceres_0-1679931313047.png

The ad_agent.log shows some errors:

 

023-03-27 10:07:37,820 VERBOSE,139833330628352,LocatorLookup(0x7f2d1400fd90): dc=WIN-8UT6UH26CG5.vivion.local, 192.168.100.227,netlogon/service_locator/service_locator.c:318
2023-03-27 10:07:37,821 VERBOSE,139833691318016,SMBKrb5SetDefaultCachePath: path=MEMORY:139831585856440,lwio/server/smbcommon/smbkrb5.c:102
2023-03-27 10:07:37,821 VERBOSE,139833691318016,SMBGSSContextBuild: server = WIN-8UT6UH26CG5.vivion.local,lwio/server/smbcommon/smbkrb5.c:200
2023-03-27 10:07:37,821 VERBOSE,139833691318016,SMBGSSContextBuild: creds type = 2,lwio/server/smbcommon/smbkrb5.c:211
2023-03-27 10:07:37,821 VERBOSE,139833691318016,NtlmClientAcquireCredentialsHandle: principal=Administrador@VIVION.LOCAL, package=NTLM,lsass/client/ntlm/acquirecreds.c:69
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2023-03-27 10:07:37,821 VERBOSE,139833691318016,SMBGSSContextNegotiate: state = 0,lwio/server/smbcommon/smbkrb5.c:460
2023-03-27 10:07:37,822 VERBOSE,139833691318016,LocatorLookup(0x7f2d200056f0): dc=WIN-8UT6UH26CG5.vivion.local, 192.168.100.227,netlogon/service_locator/service_locator.c:318
2023-03-27 10:07:37,823 VERBOSE,139833691318016,LocatorLookup(0x7f2d2000a020): dc=WIN-8UT6UH26CG5.vivion.local, 192.168.100.227,netlogon/service_locator/service_locator.c:318
2023-03-27 10:07:37,824 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/interop/gssntlm/gssntlm.c:906
2023-03-27 10:07:37,825 VERBOSE,139833699710720,SMBKrb5SetDefaultCachePath: path=MEMORY:139831585856440,lwio/server/smbcommon/smbkrb5.c:102

 

 

I used an admin user.

 

What can cause the problem?

 

 


Divya Jain
Cisco Employee

Hi,

Based on the error message provided, it seems that the issue is related to the credentials used to authenticate with the AD server. The error message "Error code: 40506 (symbol: LW_ERROR_NO_CRED)" indicates that the credentials are not valid or not recognized by the AD server.

 

To resolve this issue, you can try the following steps:

 

1. Verify that the credentials used to authenticate with the AD server are correct and have sufficient privileges to access the required resources.

( dc=WIN-8UT6UH26CG5.vivion.local )

 

2. Check if there are any firewall or network connectivity issues between the ISE-PIC and the AD server. Ensure that the required ports are open and the network connectivity is stable.

 

3. Check if the AD server is configured to allow authentication from the ISE-PIC. Ensure that the AD server is configured to allow authentication from the ISE-PIC and the required permissions are granted.

 

4. Check if the ISE-PIC is configured correctly to communicate with the AD server. Ensure that the ISE-PIC is configured with the correct domain name, IP address, and other required settings.

 

If the issue persists, you can try enabling debug logging on the ISE-PIC and the AD server to get more detailed information about the error. You can also contact Cisco technical support for further assistance.

 

 

 

Regards,

Divya Jain
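
An added example, not part of the original posts and not Cisco code: a small Python parser for ad_agent.log lines in the format shown in the question, which attaches each logged error code to the most recent credential request on the same thread so repeated failures collapse to one row per principal and package. The field layout is an assumption inferred from the posted lines, the function names are hypothetical, and the sample lines are copied from the question.

```python
import re
from collections import Counter

# Assumed layout, inferred from the posted lines: "timestamp LEVEL,thread,message,source:line".
# The year accepts 3 digits because the first posted line starts with "023-".
LINE_RE = re.compile(r"^(?P<ts>\d{3,4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+),"
                     r"(?P<thread>\d+),(?P<msg>.*),(?P<src>[^,]+:\d+)$")
ERR_RE = re.compile(r"Error code: (?P<code>\d+) \(symbol: (?P<symbol>\w+)\)")
CRED_RE = re.compile(r"AcquireCredentialsHandle: principal=(?P<principal>[^,]+), package=(?P<package>\w+)")

# Sample input: lines copied from the question above.
SAMPLE = """\
023-03-27 10:07:37,820 VERBOSE,139833330628352,LocatorLookup(0x7f2d1400fd90): dc=WIN-8UT6UH26CG5.vivion.local, 192.168.100.227,netlogon/service_locator/service_locator.c:318
2023-03-27 10:07:37,821 VERBOSE,139833691318016,NtlmClientAcquireCredentialsHandle: principal=Administrador@VIVION.LOCAL, package=NTLM,lsass/client/ntlm/acquirecreds.c:69
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2023-03-27 10:07:37,821 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2023-03-27 10:07:37,821 VERBOSE,139833691318016,SMBGSSContextNegotiate: state = 0,lwio/server/smbcommon/smbkrb5.c:460
2023-03-27 10:07:37,824 VERBOSE,139833691318016,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/interop/gssntlm/gssntlm.c:906
"""

def parse(lines):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate_errors(lines):
    """Tag each error with the last credential request logged on the same thread."""
    last_cred, findings = {}, []
    for rec in parse(lines):
        cred = CRED_RE.search(rec["msg"])
        if cred:
            last_cred[rec["thread"]] = (cred["principal"], cred["package"])
        err = ERR_RE.search(rec["msg"])
        if err:
            principal, package = last_cred.get(rec["thread"], (None, None))
            findings.append({"ts": rec["ts"], "thread": rec["thread"], "code": int(err["code"]),
                             "symbol": err["symbol"], "principal": principal,
                             "package": package, "src": rec["src"]})
    return findings

def summarize(findings):
    """Count errors per (symbol, principal, package)."""
    return Counter((f["symbol"], f["principal"], f["package"]) for f in findings)

if __name__ == "__main__":
    for (symbol, principal, package), n in summarize(correlate_errors(SAMPLE.splitlines())).items():
        print(f"{n}x {symbol} principal={principal} package={package}")
```
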

Hello Divya,

 

"3. Check if the AD server is configured to allow authentication from the ISE-PIC. Ensure that the AD server is configured to allow authentication from the ISE-PIC and the required permissions are granted."

Is there any document regarding this? All other points are fine.

Regards.