Cisco bug ID CSCvv76083 ISE account password update failed when remote

I have the following ISE 3.3 patch-4 cluster:

node1:  PPAN/SMnT

node2:  SSAN/PMnT

node3:  PSN

node4:  PSN

All nodes are joined to an Active Directory domain (Windows 2016 servers) called CISCOCORP using the same domain admin account, and everything is working fine.  Furthermore, node1 through node4 are joined specifically to the same Active Directory domain controller.  However, I am getting these messages for node2 and node4 but NOT for node1 and node3:

AD: ISE account password update failed. Domain Name=CISCOCORP Server=node2

AD: ISE account password update failed. Domain Name=CISCOCORP Server=node4

I found this bug ID: CSCvv76083 (Bug Search Tool), and it stated:

Only specific to 2016 servers: changing the registry value from non-zero to blank gives access to all and thus allows ISE to update its machine account password.

From MS: non-zero which is the default for this registry means allow everyone and blank means admin only.

Yes, this registry key on the AD server is non-zero, but the statement from MS seems contradictory (read above).  Non-zero means allow EVERYONE.  When I read EVERYONE, it means everyone, including admin, right?

The other question I have is: what is the production impact of "ISE account password update failed"?  The bug ID does not say anything about the potential impact.  I asked the Cisco TAC engineer about this, and apparently the engineer assigned to this case does not know either.

Thoughts?

8 Replies

Arne Bier (VIP)

Interesting. Not sure about that. I'd have to see what happens when I update the password of the account I used during the AD Join - but I suspect nothing should break.

When you join your ISE nodes to the AD, did you check the box "Store Credentials"? I never click that. When I researched what that was for, I think it had something to do with ISE-PIC.

[image: ArneBier_0-1750280642139.png]

Hi @Arne Bier:  You said "Interesting. Not sure about that. I'd have to see what happens when I update the password of the account I used during the AD Join - but I suspect nothing should break."

That's correct.  I also tested it, and it was confirmed by Cisco TAC.  This is what the bug ID stated:

When we join ISE to the AD domain, ISE will create a machine account on AD. ISE by default will change the password for the machine account every 15 days. ISE needs to make remote calls to the Security Accounts Manager (SAM) in order to update its machine account password. The issue happens when ISE is integrated with a Windows Server 2016 Active Directory, as this is restricted: by default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows.

This account is a machine account and auto-created, and its password changes every 15 days.  I confirmed this with the AD administrator, but he doesn't know what else can break if the password update fails.

P.S.  How are you doing these days?

Doing well thanks

I never got deep enough into the Windows Server trenches to know what's going on. So I'll stop here with my theories. I had no idea that these passwords are rotated every 15 days. We also use Server 2016 in the lab and it's been there for years. Never had such an issue with any of my ISE installs. But then again, we don't change any of the registry settings.

On the Domain Controller's "Users and Computers" I noticed the settings for the AD account I used to join ISE. Is this what you have too?

[image: ArneBier_0-1750287447304.png]

In my environment, that box is not checked and the password has to be changed annually.  However, I don't think that is the issue.  The password itself is not important, but the "machine" password (the one that got generated when ISE joined AD, according to the article) changes every 15 days.  Think of it like IPsec phase 1 with 15-day re-keying.

Arne Bier (VIP)

Oh right, I get it now. The machine account has its own password (which we never see or need to set; ISE does that under the hood, and that mechanism does not rely on the admin account that was used during the AD Join process). Makes sense now. Thanks for clearing that up.

Hi @Arne Bier:  I think I finally got the correct TAC support, and here it goes:

- By default, the maximum number of days before the machine password needs to be updated is set to 30 days on the Active Directory server.  There is a registry key for this, and the default is 30 days.

- Cisco ISE, by design, will attempt to update the machine password every 15 days.

- If the remote SAM is set to blank on the AD server, ALL clients, including Cisco ISE, can update their machine password.  If this value is non-blank, clients (including Cisco ISE) can NOT update the machine password, UNLESS they are put in the exclusion list in that registry on the AD servers.

If it is not able to update the machine password, Cisco ISE might leave AD, and you have to manually join AD again. That's why Cisco recommends that you allow Cisco ISE to update its machine password in AD.

Btw, after I complained, Cisco has removed this line from the bug ID:  From MS: non-zero which is the default for this registry means allow everyone and blank means admin only.

If you look at the bug ID, it was last updated on 06/20/2025, LOL...

Hope that helps.

SzantaiNorbert (Level 1)

Hi @adamscottmaster2013
If the issue still persists: what is the value of that registry? If it points to a SID, you must add the ISE machine accounts to that group.
Or at least, that's what worked for us.

About the impact: We noticed that we were no longer able to change the AD password through ISE — neither via VPN nor via TACACS+.
Other than that, nothing noticeable.
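The TAC summary above (blank value = no restriction, non-blank value = restricted unless the client is listed) and SzantaiNorbert's point (if the value names a SID, put the ISE machine accounts in that group) both come down to one registry value on the domain controllers: `RestrictRemoteSAM` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which backs the Group Policy setting "Network access: Restrict clients allowed to make remote calls to SAM". It is not a number but an SDDL security descriptor string; on Windows Server 2016 the built-in default when the value is absent is `O:BAG:BAD:(A;;RC;;;BA)`, i.e. only Administrators get the RC (READ_CONTROL) right that the SAM restriction checks. The following PowerShell is an added example, not from the thread, Cisco or Microsoft: it reads the value, checks whether a given group is granted RC, builds a new descriptor that appends an allow ACE for that group (rather than blanking the value, which would drop the restriction for everyone), and reports how old an ISE node's machine account password is so you can see whether the 15-day rotation is actually succeeding. The group name `ISE-Machine-Accounts` and the node account `node2$` are assumed and hypothetical; the "blank means no restriction" behaviour is taken from the thread's TAC statement.

```powershell
# Added example (not from the thread, Cisco or Microsoft). Run in an elevated
# PowerShell session on a Windows Server 2016 domain controller.
# Assumed, hypothetical names: group 'CISCOCORP\ISE-Machine-Accounts', node account 'node2$'.

$lsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName   = 'RestrictRemoteSAM'         # backs "Network access: Restrict clients allowed to make remote calls to SAM"
$RC          = 0x20000                     # READ_CONTROL, written 'RC' in SDDL; the right the SAM restriction checks
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'    # Server 2016 built-in default when the value is absent: Administrators only

function Get-RestrictRemoteSam {
    # Returns the SDDL string, '' when the value is present but blank, or $null when it is absent.
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$valueName
}

function Test-RemoteSamAccess {
    param(
        [AllowNull()][string]$Sddl,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # Absent value: the Server 2016 default applies. Blank value: per the thread's TAC
    # statement, the restriction is removed and every client may update its password.
    if ($null -eq $Sddl) { $Sddl = $DefaultSddl }
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return $true }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $false }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $Sid -and
            (($ace.AccessMask -band $RC) -eq $RC)) {
            return $true
        }
    }
    return $false
}

function Add-RemoteSamAce {
    param([AllowNull()][string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Appends (A;;RC;;;<SID>) to the DACL, keeping the existing Administrators-only ACE,
    # instead of blanking the value. Blank/absent input starts from the Server 2016 default.
    if ([string]::IsNullOrWhiteSpace($Sddl)) { $Sddl = $DefaultSddl }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)   # ACL revision 2
    }
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $RC, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-MachinePasswordAge {
    param([string]$SamAccountName)   # e.g. 'node2$' (hypothetical node name)
    # Reads pwdLastSet of the computer object without the RSAT AD module.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $fileTime = [int64]$result.Properties['pwdlastset'][0]
    return (Get-Date) - [DateTime]::FromFileTime($fileTime)
}

# --- usage ---
$current = Get-RestrictRemoteSam
"Current $valueName value: " + $(if ($null -eq $current) { '<absent, default applies>' } else { "'$current'" })

$iseGroupSid = ([System.Security.Principal.NTAccount]'CISCOCORP\ISE-Machine-Accounts').Translate(
    [System.Security.Principal.SecurityIdentifier])

if (Test-RemoteSamAccess -Sddl $current -Sid $iseGroupSid) {
    "ISE group $iseGroupSid is already allowed to make remote SAM calls."
} else {
    $proposed = Add-RemoteSamAce -Sddl $current -Sid $iseGroupSid
    "Proposed $valueName value: $proposed"
    # Uncomment to apply locally. If the setting is delivered by Group Policy, change it in the
    # GPO instead; the next policy refresh would overwrite a value written here.
    # Set-ItemProperty -Path $lsaPath -Name $valueName -Value $proposed
}

$age = Get-MachinePasswordAge -SamAccountName 'node2$'
if ($null -ne $age) {
    "node2 machine password age: $([int]$age.TotalDays) days (ISE rotates every 15; AD default maximum is 30)"
}
```

The check is against the group's SID, so the ISE nodes' computer objects must actually be members of that group (or you can pass a node's own machine-account SID instead). A password age growing past 15 days on a node that logs "ISE account password update failed" confirms the rotation is being refused; once it approaches the 30-day maximum the TAC warning about ISE dropping out of the domain becomes the practical risk.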

The Cisco ISE nodes are very "aggressive" with Active Directory.  They attempt to do this every 90 minutes if the password update fails, from ALL nodes.