Cisco ISE and MS AD event ID 4776 troubleshooting

anuclear
Level 1

Good day dears,

 

This case was raised with the vendors' support teams twice, with no adequate outcome (no MS- or ISE-related issue). The last hope is the community.

 

I am investigating the following event from a domain controller (##### data has been obfuscated #####):

 

Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=xxxxx cid=xxxxx eid=648,#####Event Date#####,4776,Microsoft-Windows-Security-Auditing,,Audit Failure,#####domain name#####,Credential Validation,,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: #####username@domain.name##### Source Workstation: \\#####ISE Server Name##### Error Code: 0xC0000064

 

The user does exist in the domain.

There are no failures according to the MS events on the ISE server.

 

Is it possible to track the source of authentication? If yes, how can I do that?

 

Thank you in advance!

 

Accepted Solution

CSCvf45991 is an enhancement filed for ISE for a potential workaround fix. But this is how the DC works: it first tries the local DB before reaching out to the real AD. We would suggest ignoring the false failures.


anuclear
Level 1

Any thoughts? Suggestions?

Let me know if you find something on this.  We're seeing similar issues/events from one of our customers.

 

We're exploring this at this time:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtz15107

 

 

This bug doesn't appear to be the same issue. 

 

We are getting two 4776 events on the DC per ISE user authentication, every time - one success, one failure with error code 0xC0000064 (username does not exist).

 

We are using MS-RPC (as recommended), vs. Kerberos.

 

I've seen another thread on TechNet that identifies that MS-RPC may be the issue, but our network admins are hesitant to change as the Cisco build docs recommend MS-RPC.

 

Here's that TechNet thread:

 

https://social.technet.microsoft.com/Forums/en-US/d2869c14-a0e8-4084-b555-6172cd9c703a/cisco-ise-and-ad-authentication?forum=winserverDS
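
A triage sketch for the pattern described in the reply above (one success and one 0xC0000064 failure per ISE authentication), added here as an example and not code from any poster, Cisco or Microsoft: it separates 0xC0000064 failures that have a matching success for the same account and source workstation from those that do not. The sample lines, the ISO timestamp in the first field, the 5-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the 4776 event quoted in the thread.
# Assumptions: the first field is an ISO timestamp, and the success event
# carries the same Logon Account string as the failure.
MSG = ("The computer attempted to validate the credentials for an account. "
       "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ")
HDR = ",4776,Microsoft-Windows-Security-Auditing,,Audit {},EXAMPLE,Credential Validation,,"
SAMPLE = "\n".join(
    ts + HDR.format(res) + MSG +
    f"Logon Account: {acct} Source Workstation: \\\\ISE01 Error Code: {code}"
    for ts, res, acct, code in [
        ("2024-01-10T09:00:01", "Failure", "alice@example.test", "0xC0000064"),
        ("2024-01-10T09:00:01", "Success", "alice@example.test", "0x0"),
        ("2024-01-10T09:05:10", "Failure", "bob@example.test", "0xC0000064"),
        ("2024-01-10T09:07:00", "Failure", "carol@example.test", "0xC000006A"),
    ])

PATTERN = re.compile(
    r"^(?P<ts>[^,]+),4776,.*?,Audit (?P<result>Success|Failure),"
    r".*?Logon Account: (?P<account>\S+) "
    r"Source Workstation: (?P<ws>\S+) "
    r"Error Code: (?P<code>0x[0-9A-Fa-f]+)")

def parse(text):
    """Extract timestamp, result, account, workstation and error code per line."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["code"] = e["code"].lower()
            events.append(e)
    return events

def triage(events, window=timedelta(seconds=5)):
    """Split 0xC0000064 failures into (paired with a success, unpaired)."""
    key = lambda e: (e["account"].lower(), e["ws"].lower())
    successes = [e for e in events if e["result"] == "Success"]
    paired, unpaired = [], []
    for e in events:
        if e["result"] != "Failure" or e["code"] != "0xc0000064":
            continue  # other failure codes need their own handling
        hit = any(key(s) == key(e) and abs(s["ts"] - e["ts"]) <= window
                  for s in successes)
        (paired if hit else unpaired).append(e)
    return paired, unpaired
```

Failures in the unpaired list have no accompanying success and are the ones worth tracing back through the ISE authentication logs.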
