
Cannot connect to AD from Identity Mapping - Windows 2012 R2

nir-r
Level 4

Getting the error below when using PassiveID and trying to add Windows 2012R2 DC:

"The connection was tested on 'isemain.cyber.lab' PassiveID active node.

Connection to 'maindc' failed.

Unable to connect to the machine, please check the DC state"

The test user is a member of the Domain Admins group; it seems that it failed to run WMI commands.

PassiveID log file:

2017-01-26 20:19:35,197 INFO   [qtp1343441044-10 - /][] com.cisco.cpm.cda- Identity mapping service applied configuration. Identity Mapping.number-of-domain-controllers = 1 , Identity Mapping.server = isemain ,

2017-01-26 20:19:36,838 ERROR  [Thread-18][] com.cisco.cpm.cda- Cannot get Domain Controller NetBIOS. Identity Mapping.wmi-class = Win32_NTDomain , Identity Mapping.exception-message = Access is denied, please check whether the [domain-username-password] are correct , Identity Mapping.dc-domainname = test.lab , Identity Mapping.dc-name = maindc , Identity Mapping.dc-host = maindc.test.lab/192.168.103.105 , Identity Mapping.server = isemain , Identity Mapping.wmi-property = DomainName ,

ISE version is 2.1 with patch 2 

Charlie Moreton
Cisco Employee

Have you configured the Domain Controller to allow for this?  Check out this section on Easy Connect in the ISE Admin Guide:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#task_3580FB80B8394E078393C71E4AA1233B

Hi Charles,

Thanks for your help.

It was working for me until I moved to Windows 2012R2. I used your link and it solved the problem.

I just added "Domain Admins" permission (full control) to the registry keys below, which are related to WMI permissions:

HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

Thanks,

Nir

Great!  I'm glad this helped.


Thanks for posting the exact fix.

Nir, working with the same issue during my ISE version 2.2 buildout. Our network admins are asking exactly what these registry keys have to do with the logs. We are also running 2012R2 domain controllers.

Do you know?

Thanks,

Dave

hslai, thanks for the link. This is very helpful.

Dave

InTheJuniverse
Level 1

Is there a way to set up email alerting for this event in ISE 2.4?

 

Work Centres > Passive ID > Reports > Passive ID

 

Severity : Error

Provider Type: WMI

Domain : xyz

Event: Cannot get Domain Controller NetBIOS
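
One way to catch this event outside ISE is to scan the PassiveID log for ERROR records where a WMI query was refused. This is an added example, not code from the thread or from Cisco; it assumes one record per line in the format of the log excerpt in the first post, and the function names are hypothetical.

```python
import re

# Layout taken from the log excerpt in the first post:
# "<date> <time> <LEVEL> [thread][] <logger>- <message>. Identity Mapping.<key> = <value> , ..."
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[[^\]]*\]\[[^\]]*\]\s+(?P<logger>\S+?)-\s+(?P<rest>.*)$"
)
# Fields are separated by " , ". A value can contain ", " itself (exception-message),
# so a field ends only where another "Identity Mapping." key or the end of line follows.
FIELD = re.compile(r"Identity Mapping\.([\w-]+) = (.*?) ,(?= Identity Mapping\.|\s*$)")


def parse_record(line):
    """Parse one PassiveID log record into a dict; return None if it does not match."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    first_field = rest.find("Identity Mapping.")
    message = rest if first_field < 0 else rest[:first_field]
    return {
        "ts": m.group("ts"),
        "level": m.group("level"),
        "message": message.strip().rstrip("."),
        "fields": dict(FIELD.findall(rest)),
    }


def wmi_access_denied(lines):
    """Return (timestamp, dc-host, wmi-class) for ERROR records where WMI access was denied."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        fields = rec["fields"]
        denied = "access is denied" in fields.get("exception-message", "").lower()
        if denied and "wmi-class" in fields:
            hits.append((rec["ts"], fields.get("dc-host", "unknown"), fields["wmi-class"]))
    return hits


# The two records from the first post, rejoined onto one line each.
SAMPLE = [
    "2017-01-26 20:19:35,197 INFO   [qtp1343441044-10 - /][] com.cisco.cpm.cda- Identity mapping service applied configuration. Identity Mapping.number-of-domain-controllers = 1 , Identity Mapping.server = isemain ,",
    "2017-01-26 20:19:36,838 ERROR  [Thread-18][] com.cisco.cpm.cda- Cannot get Domain Controller NetBIOS. Identity Mapping.wmi-class = Win32_NTDomain , Identity Mapping.exception-message = Access is denied, please check whether the [domain-username-password] are correct , Identity Mapping.dc-domainname = test.lab , Identity Mapping.dc-name = maindc , Identity Mapping.dc-host = maindc.test.lab/192.168.103.105 , Identity Mapping.server = isemain , Identity Mapping.wmi-property = DomainName ,",
]

if __name__ == "__main__":
    for hit in wmi_access_denied(SAMPLE):
        print("WMI access denied:", *hit)
```

The returned tuples can be handed to whatever mail or ticketing hook the site already uses.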