1067 Views, 0 Helpful, 5 Replies
Cisco ISE 2.3p5 - 24711 Domain controller cannot pass request through the trust path to the account domain

pgiouvanellis
Level 1

Hello all,

I started facing the problem below in my deployment.

Users that are in a specific domain account group cannot be authenticated and get the following error in the endpoint logs:

Authentication Details

Source Timestamp: 2019-05-13 12:23:38.415
Received Timestamp: 2019-05-13 12:23:38.415
Policy Server: nacintpsn4
Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 24711 Domain controller cannot pass request through the trust path to the account domain
Resolution: Check there is no trust restrictions (i.e. selective authentication, SID filtering etc.) and no name suffix routing restrictions on the trust path (all trusts) between the join point domain and the domain where user account is located
Root cause: Domain controller cannot pass request through the trust path from the join point domain to the domain where user account is located

 

This is not happening to all users; some users are authenticated normally.

What is the explanation of the failure reason?

Thank you,

Palaiologos
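The resolution text attached to error 24711 asks you to rule out selective authentication, SID filtering and name suffix routing restrictions on every trust between the join-point domain and the account domain. The following PowerShell is an added example, not code from the original thread or from Cisco; it enumerates the trusts visible from the join-point domain with Get-ADTrust and flags those restrictions. It assumes the ActiveDirectory RSAT module and netdom.exe are available on the machine you run it from, that your account can read trust objects, and that the domain name in $JoinPointDomain is a placeholder you replace with the domain ISE is joined to.

```powershell
# Added example (not from the original post): audit the trust path from the ISE
# join-point domain for the restrictions named in the 24711 resolution text.
# Assumptions: RSAT ActiveDirectory module installed; netdom.exe on PATH;
# $JoinPointDomain is a placeholder for the domain ISE is joined to.
Import-Module ActiveDirectory

$JoinPointDomain = 'domain.cisco.com'   # placeholder: replace with your join point

# Pull every trust object the join-point domain holds, with all attributes.
$trusts = Get-ADTrust -Filter * -Server $JoinPointDomain -Properties *

if (-not $trusts) {
    Write-Host "No trust objects found in $JoinPointDomain."
    Write-Host "If 24711 still appears, the account domain is not reachable through any trust from the join point."
}

foreach ($t in $trusts) {
    $findings = @()

    # Selective authentication: the ISE computer account needs Allowed-To-Authenticate
    # on the DCs of the trusting side, otherwise cross-domain auth fails.
    if ($t.SelectiveAuthentication) {
        $findings += 'selective authentication enabled'
    }

    # SID filtering on an external trust (quarantine) or a forest trust.
    if ($t.SIDFilteringQuarantined) {
        $findings += 'SID filtering (quarantine) enabled'
    }
    if ($t.SIDFilteringForestAware) {
        $findings += 'forest-aware SID filtering enabled'
    }

    # A one-way trust only carries authentication in one direction.
    if ($t.Direction -ne 'BiDirectional') {
        $findings += "one-way trust (direction: $($t.Direction))"
    }

    # Non-transitive trusts stop the request at the first hop.
    if ($t.TrustAttributes -band 0x1) {
        $findings += 'non-transitive trust'
    }

    [pscustomobject]@{
        Trust       = $t.Name
        Direction   = $t.Direction
        Type        = $t.TrustType
        ForestTrust = [bool]$t.ForestTransitive
        Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
    }

    # Name suffix routing only exists on forest trusts; netdom lists each suffix
    # and whether it is enabled or disabled for routing across this trust.
    if ($t.ForestTransitive) {
        Write-Host "--- name suffix routing for forest trust $($t.Name) ---"
        netdom trust $JoinPointDomain /Domain:$($t.Name) /NameSuffixes:$($t.Name)
    }
}
```

Run it from a domain-joined Windows host as an account that can read the System container of the join-point domain. Any row whose Findings column is not "none" is a candidate for the trust-path failure, and a forest trust whose suffix list shows the account domain's UPN suffix as disabled explains 24711 for exactly those users whose accounts live under that suffix while others in the same domain succeed.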

5 Replies

hslai
Cisco Employee

This particular message describes an auth issue with an external trust domain. In case you are able to check and verify that the trust relationship(s) in the AD infrastructure have no changes and no recent errors, please engage Cisco TAC support to troubleshoot. We would need to enable TRACE on the ISE AD component(s), repeat the failing use case, and analyze the logs.

The issue is that I can see auth success for some users from the specific domain and failures with the above error from other users in the same domain.

We have connected ISE with 3 domains, which have zero trust between them.

And the weird thing is that we get both failed and successful authentications; the failed authentications come with the error:

24711 Domain controller cannot pass request through the trust path to the account domain.

Thank you.

Palaiologos

Please engage TAC. Just a wild guess... ISE computer account in AD might not have enough permissions to authenticate the failing users.

I do not believe it is the account, since we have successful authentications on the same Domain Controller.

Maybe I did not explain the issue well.

We have configured ISE to join, for example, domain.cisco.com, and it successfully joined.

Now we start getting authentication successes from users and at the same time get failures from other users with the error

24711 Domain controller cannot pass request through the trust path to the account domain

on the same controller.

Also, we have joined ISE to 2 other domain controllers, for example domain2.test.com and domain3.test2.com, and they work normally.

The domain controllers have zero trust (no two-way, no one-way) between them.

So I believe the setup is OK.

Is there any way to find which Domain Controller the specific auth account hit?

Thank you,

Palaiologos

If you would like to check it yourself, then go to Administration > System > Logging > Debug Log Configuration > [pick the ISE PSN node with the least load] > Active Directory. Change this logging level to TRACE. Go to Administration > Identity Management > External Identity Sources > Active Directory > [AD join point with the issue], select the ISE node and select [Test User]. Enter the credentials of a user with this issue. Once done, download the ad_agent.log file(s) at Operations > Troubleshoot > Download Logs > [ISE PSN node] > Debug Logs.

If you need help, please open a TAC case, as I already asked earlier.