cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1149
Views
1
Helpful
5
Replies
rhuel.phils
Beginner

24403 user authentication against active directory failed

Guys,

We suddenly have issue with our authentication, on live logs we always get 24403 user authentication against active directory failed , BUT as per checking in External Identity Source we able to do Test User and it was SUCCESS. We double check also our AD, no issue.

Anyone have encounter same issue? I have attached some screenshot.

5 REPLIES 5
hslai
Cisco Employee

Please enable DEBUG on Active Directory to logging level TRACE and check ad_agent.log. If needed, engage Cisco TAC to troubleshoot further.

Sometimes you may get an indication of failure by reviewing the remaining steps in the Authentication Details log (full value not displayed in screenshot), but certainly the debug logs will provide much deeper detail as Hsing-Tsu suggested.

Will there be impact if i change the settings, like reboot of service & etc.? whats the difference between TRACE & WARN?

The ad_agent.log which directory I can find it?

With debugging on, ISE produces more log files. It's ok to debug for a short while and it would not affect ISE services in general. TRACE is the most detailed logging in most of ISE components.

To access ad_agent.log, you may do one of the following:

  1. ISE admin web UI > Operations > Troubleshoot > Download logs > [ISE-node-name] > Debug Logs
  2. ISE admin CLI > Issue: show logging application ad_agent.log

Thanks hslai ...  I will try that

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube