
Cisco ISE integration with AD fails

Cisco ISE Ver: 1.1.2.145

Windows: Win 2003 Server

I am attempting to integrate ISE with AD, but ISE won't join AD and the join attempts fail, though I am able to add the same domain as an external LDAP identity store.

1. The user used to join the domain has admin permissions on AD.

2. ISE resolves the domain correctly.

3. There is a firewall in between ISE (192.168.100.10) and AD (172.16.100.1), but all the traffic is permitted.

4. No NATing is taking place; the firewall is forwarding all traffic between ISE and AD.

I can't really understand why the AD connection fails.

From ISE Interface - Detailed Test Connection

Adinfo (CentrifyDC 4.5.0-357)

Host Diagnostics

  Uname: Linux Iseadn 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 I686

  OS: Linux

  Version: 2.6.18-274.17.1.el5PAE

  Number Of CPUs: 1

IP Diagnostics

  Local Host Name: Iseadn

  Local IP Address: 192.168.100.10

  FQDN Host Name:iseadn.gnet.cp

Domain Diagnostics

  Domain: Gnet.cp

  Subnet Site: Default-first-site-name

    DNS Query For: _ldap._tcp.gnet.cp

    Found SRV Records:

      Gnet.cp:389

  Testing Active Directory Connectivity:

    Domain Controller: Gnet.cp

      Ldap:      389/tcp - Good

      Ldap:      389/udp - Good

      Smb:       445/tcp - Good

      Kdc:        88/tcp - Good

      Kpasswd:   464/tcp - Good

      Ntp:       123/udp - Good

  Domain Controller: Gnet.cp:389

    Domain Controller Type: Windows 2003

    Domain Name:            GNET.CP

    IsGlobalCatalogReady:   TRUE

    DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)

    ForestFunctionality:           0 = (DS_BEHAVIOR_WIN2000)

    DomainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

  Forest Name: GNET.CP

    DNS Query For: _gc._tcp.GNET.CP

  Testing Active Directory Connectivity:

  Forest Name: GNET.CP

Kerberos Error: Rc=-1765328377 SASL Bind To Ldap/gnet.cp@GNET.CP - GSSAPI Mechanism With Kerberos Error  : Server Not Found In Kerberos Database

Computer Account Diagnostics

  Not Joined To Any Domain

System Diagnostic

  Not Joined To Any Domain

Centrify DirectControl Status

  Not Joined To Any Domain

Licensed Features: Enabled

SELinux Status:                 Disabled

Amavis1.1.0

Ccs1.0.0

Clamav1.1.0

Dcc1.1.0

Dnsmasq1.1.1

Evolution1.1.0

Ipsec1.4.0

Iscsid1.0.0

Milter1.0.0

Mozilla1.1.0

Mplayer1.1.0

Nagios1.1.0

Oddjob1.0.1

Pcscd1.0.0

Postgrey1.1.0

Prelude1.0.0

Pyzor1.1.0

Qemu1.1.2

Razor1.1.0

Ricci1.0.0

Smartmon1.1.0

Spamassassin1.9.0

Virt1.0.0

Zosremote1.0.0

From Ad-agent log


ahmohamm
Cisco Employee

Hi Jalaluddin,

Please open a TAC case if the issue still persists.

Thanks

raghu_centrify
Level 1

Hi Jallaluddin

I work for Centrify Support and saw your posting. Here is our analysis after checking the adlogs.txt.zip:

"Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)

That error is likely coming from the KDC, meaning there is some problem with the server-side SPNs.

We need the following:

1) A network trace.

2) adcheck output.

3) adinfo --support output

4) Run dcdiag or netdiag on the server side.

Also, we partner with Cisco, so would it be possible to work with your partners? I am pretty sure they have seen this before with DC issues etc. Can you please work with them and see? TIA

Best Regards

Raghu Srinivasan
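Two details in the Detailed Test Connection output above are worth checking mechanically before collecting the items Raghu lists: the krb5 return code, and what host the SRV lookup and the SASL bind actually pointed at. The Python below is an added example for this thread, not Cisco, Centrify or ISE code. It parses a constructed copy of the adinfo output from the original post, decodes the return code (the krb5 code table is standard Kerberos, not taken from the thread), and flags when the SRV target or the bind SPN names the bare domain rather than a domain controller host, since the ticket is then requested for ldap/<domain> and that SPN has to exist on the DC (setspn -L <dc-computer> on the server side will show what is registered).

```python
"""Sanity-check an adinfo 'Detailed Test Connection' dump for the SPN problem
discussed in the thread. Added example; the sample text is constructed to mirror
the output in the original post."""
import re

# libkrb5 return codes are offsets from KRB5KDC_ERR_NONE; only the codes a
# practitioner usually meets during a domain join are mapped here.
KRB5_ERR_BASE = -1765328384
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    24: "KRB5KDC_ERR_PREAUTH_FAILED (wrong password)",
    37: "KRB5KRB_AP_ERR_SKEW (clock skew too great)",
}

# Constructed sample, trimmed from the output posted in the thread.
SAMPLE_ADINFO = """\
Domain Diagnostics
  Domain: Gnet.cp
  Subnet Site: Default-first-site-name
    DNS Query For: _ldap._tcp.gnet.cp
    Found SRV Records:
      Gnet.cp:389
  Testing Active Directory Connectivity:
    Domain Controller: Gnet.cp
      Ldap:      389/tcp - Good
      Kdc:        88/tcp - Good
Kerberos Error: Rc=-1765328377 SASL Bind To Ldap/gnet.cp@GNET.CP - GSSAPI Mechanism With Kerberos Error  : Server Not Found In Kerberos Database
"""


def krb5_error_name(rc):
    """Translate a signed krb5 return code such as -1765328377 to its symbolic name."""
    return KRB5_ERRORS.get(rc - KRB5_ERR_BASE, "unknown krb5 error %d" % rc)


def parse_adinfo(text):
    """Extract the domain, the SRV targets and the failing SASL bind SPN / rc."""
    result = {"domain": None, "srv_targets": [], "spn": None, "rc": None}
    m = re.search(r"^\s*Domain:\s*(\S+)", text, re.M)
    if m:
        result["domain"] = m.group(1)
    in_srv = False
    for line in text.splitlines():
        if "Found SRV Records:" in line:
            in_srv = True
            continue
        if in_srv:
            # SRV targets are printed as '<host>:<port>' on their own lines.
            m = re.match(r"\s+([A-Za-z0-9.\-]+):(\d+)\s*$", line)
            if m:
                result["srv_targets"].append((m.group(1).lower(), int(m.group(2))))
                continue
            in_srv = False
    m = re.search(r"Kerberos Error: Rc=(-?\d+) SASL Bind To (\S+)", text)
    if m:
        result["rc"] = int(m.group(1))
        result["spn"] = m.group(2)
    return result


def analyse(parsed):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if parsed["rc"] is not None:
        findings.append("krb5 rc %d = %s" % (parsed["rc"], krb5_error_name(parsed["rc"])))
    domain = (parsed["domain"] or "").lower()
    for host, port in parsed["srv_targets"]:
        if host == domain:
            findings.append(
                "SRV target %s:%d is the domain name, not a DC host name; the client "
                "will request a ticket for ldap/%s, so verify that SPN is registered "
                "on the DC" % (host, port, host))
    if parsed["spn"]:
        # SPN is '<service>/<host>@<REALM>'; compare the host part with the domain.
        _, _, rest = parsed["spn"].partition("/")
        host = rest.split("@")[0].lower()
        if host == domain:
            findings.append("SASL bind SPN %s targets the bare domain; a DC normally "
                            "holds ldap/<dc-fqdn>@%s" % (parsed["spn"], domain.upper()))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_adinfo(SAMPLE_ADINFO)):
        print("-", finding)
```

Run against the thread's own output it reports the rc as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and flags both the SRV target and the bind SPN, which is the same direction Raghu points at (server-side SPNs) and tells you what to compare against the DC's setspn listing.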

Ravi Singh
Level 7

Hello Jallaluddin,

Please do the following.

  1. Run Detailed test connection, send the output
  2. Check the name servers on CARS CLI
  3. Set ad diagnostic debug to full, perform a leave, wait 5 mins to ensure replication or removal of the machine account from AD, perform a join, and download the ad_agent.log for investigation.