Re: 24403 user authentication against active directory failed

rhuel.phils · ‎03-09-2018

Guys,

We suddenly have issue with our authentication, on live logs we always get 24403 user authentication against active directory failed , BUT as per checking in External Identity Source we able to do Test User and it was SUCCESS. We double check also our AD, no issue.

Anyone have encounter same issue? I have attached some screenshot.

hslai · ‎03-09-2018

Please enable DEBUG on Active Directory to logging level TRACE and check ad_agent.log. If needed, engage Cisco TAC to troubleshoot further.

Craig Hyps · ‎03-11-2018

Sometimes you may get an indication of failure by reviewing the remaining steps in the Authentication Details log (full value not displayed in screenshot), but certainly the debug logs will provide much deeper detail as Hsing-Tsu suggested.

rhuel.phils · ‎03-11-2018

Will there be impact if i change the settings, like reboot of service & etc.? whats the difference between TRACE & WARN?

The ad_agent.log which directory I can find it?

hslai · ‎03-12-2018

With debugging on, ISE produces more log files. It's ok to debug for a short while and it would not affect ISE services in general. TRACE is the most detailed logging in most of ISE components.

To access ad_agent.log, you may do one of the following:

ISE admin web UI > Operations > Troubleshoot > Download logs > [ISE-node-name] > Debug Logs
ISE admin CLI > Issue: show logging application ad_agent.log

rhuel.phils · ‎03-28-2018

Thanks hslai ... I will try that