Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
982
Views
0
Helpful
5
Replies

Cisco ISE 2.3p5 - 24711 Domain controller cannot pass request through the trust path to the account domain

pgiouvanellis
Level 1
Level 1

‎05-13-2019 02:38 AM

Hello all ,

 

I started to facing the below problem in my deployment .

 

Users that are in specific domain account group cannot be authenticated and get the follow error from endpoint logs:

 

Authentication Details

Source Timestamp2019-05-13 12:23:38.415
Received Timestamp2019-05-13 12:23:38.415
Policy Servernacintpsn4
Event5440 Endpoint abandoned EAP session and started new
Failure Reason24711 Domain controller cannot pass request through the trust path to the account domain
ResolutionCheck there is no trust restrictions (i.e. selective authentication, SID filtering etc.) and no name suffix routing restrictions on the trust path (all trusts) between the join point domain and the domain where user account is located
Root causeDomain controller cannot pass request through the trust path from the join point domain to the domain where user account is located

 

This is not happening to all users some users are authenticated normally .

 

What is the explanation of the failure reason ?

 

Thank you ,

Palaiologos

0 Helpful
5 Replies 5

hslai
Cisco Employee
Cisco Employee

‎05-13-2019 08:47 AM

This particular message describes an auth issue with an external trust domain. In case you are able to check and verify that the trust relationship(s) in the AD infrastructure has no change and no recent errors, please engage Cisco TAC support to troubleshoot. We would need enable TRACE on ISE AD component(s), repeat the failing use case, and analyze the logs.

0 Helpful

pgiouvanellis
Level 1
Level 1
In response to hslai

‎05-15-2019 04:39 AM

the issue is that i can see auth success for some users from the specific domain and failed with the above error from other users in the same domain .

 

We have connected ISE with 3 domain , which have zero trust between them .

 

And the weird is that we get and failed and success authentication , the failed authentication are coming with error : 

 

24711 Domain controller cannot pass request through the trust path to the account domain.

 

Thank you.

Palaiologos

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to pgiouvanellis

‎05-15-2019 05:14 AM

Please engage TAC. Just a wild guess... ISE computer account in AD might not have enough permissions to authenticate the failing users.

0 Helpful

pgiouvanellis
Level 1
Level 1
In response to hslai

‎05-15-2019 05:26 AM

I Do not believe is the account since we have success authentications ton the same Domain Controller .

 

Maybe i did not explain well the isuue .

 

We have configured ISE to join for example domain.cisco.com  and successfully joined .

Now we start getting authentication success from users and the same time get failures from other users with error 

24711 Domain controller cannot pass request through the trust path to the account domain to the same controller .

 

Also we have joined ISE to 2 other domain controllers for example domain2.test.com and domain3.test2.com and works normally .

 

The domain controller have zero trust (no two-way , no one-way ) between them .

 

So i believe the setup is ok.

 

Is there anyway to find which Domain Controller the specific auth account hit ...??

 

Thank You,

Palaiologos 

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to pgiouvanellis

‎05-17-2019 07:23 PM

If you would like to check it yourself, then go to Administration > System > Logging > Debug Log Configuration > [Pick an ISE PSN node with least load] > Active Directory. Change this logging level to TRACE. Go to Administration > Identity Management > External Identity Sources > Active Directory > [AD Join Point with the issue], select the ISE node and select [ Test User ]. Enter the credentials of the users with this issue. Once done, download the ad_agent.log file(s) at Operations > Troubleshoot > Download Logs > [ ISE PSN node ] > Debug Logs.

If you need help, please open a TAC case, as I already asked earlier.

0 Helpful
Customers Also Viewed These Support Documents