Active Directory domain join fails after upgrade to 2.7

paul_j_teeter
Level 1

I am attempting an in-place upgrade of ISE 2.3 to version 2.7 on a virtual instance. The upgrade itself seems to have completed without issue. But the post-upgrade process is not cooperating. Specifically fixing the domain join to Active Directory.

Initially, navigating in the web admin UI to Administration > Identity Management > External Identity Sources > Active Directory > 'join point' resulted in a *Loading Page* alert that never finished loading even after waiting for quite some time.

I tried removing the existing computer entry in AD...same result on ISE web UI. I then tried deleting the join point via the Administration > Identity Management > External Identity Sources > Active Directory web UI screen only to find that referential integrity prevented that action. I then backed out all mention of the existing join point (I have a config backup from before the upgrade started) making sure to screen shot every policy, element, entry, etc. that referenced the join point. I was then able to delete the existing join point.

Efforts to create a new, replacement join point in the web UI have all resulted in failure with a variation of the *Loading Page* alert hanging for an inordinate amount of time. This led me to explore the REST APIs which have proved a bit more successful. I was able to create the join point successfully via REST API (Python + requests module).

Editing this new join point in the web UI still results in the same unending *Loading Page* issue. Attempting to join the domain via REST API results in an HTTP 500 with a mildly unclear error -

"title": "Operation [join] failed [java.lang.Exception: Falied to send http get request ",
"type": "ERROR",
"code": "CRUD operation exception"

I even tried to joinAllNodes via REST API and essentially the same issue results.

I have verified that other clients and servers can bind to the same AD domain. I have checked and re-synchronized the time on the ISE instance, comparing it to the Windows Domain Controller.

I also find all tests run by 'Active Directory Diagnostic Tool' (under Active Directory > Node View) on the ISE instance complete successfully except for 2 - 1. Kerberos check SASL connectivity to AD, 2. Kerberos test obtaining join point TGT.

Both of those failures list the following error detail - 'Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos related AD configuration'.

Can anyone help me understand why the domain join continues to fail? How else can I debug the behavior? Any thoughts on how to fix this issue?

Thankfully this is a light use ISE server and is mainly used for lab testing. But it would be ideal to avoid having to rebuild it from scratch.

Thanks for your help.

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @paul_j_teeter,

I did multiple upgrades from various versions to various newer releases, and hardly ever had any issue with AD integration. However, I did face similar behavior where I was unable to navigate to AD in ISE, and this was a browser issue. Actually, it was not even a browser issue, but it was an add-on issue. I have AdBlock installed, and for some reason, it messes up this page specifically (and no other page apparently, at least in my case). It happened that I had it in both Firefox and Chrome, while IE had some known compatibility issue, so it was hard for me to pinpoint the root cause for such behavior.

Go and try with different browsers (including some other that you don't have installed currently), to try to eliminate the browser as a root cause. If this page (one where you would actually see if AD is joined or not, and to which DC it is connected) is the only one affected (and based on what you've described, it looks like that to me), I would definitely suspect your PC specifically before ISE itself.

Kind regards,

Milos

@Milos_Jovanovic so simple yet so genius. I was just about to build a new, replacement VM but figured I'd check the forum once more. I was using macOS Firefox. Just now I tried using macOS Chrome. The domain join worked!!! Thank you so much for the suggestion. I don't think I would have hit on that simple solution before starting over today. Saved me hours of work. Thanks a lot!

On macOS 13.0, build 22A380:

  • Chrome - Version 108.0.5359.98 worked
  • Firefox - Version 107.0.1 (64-bit) was failing