janusbarinan
Beginner

Error joining ISE to AD domain

I get an error when joining ISE to the domain. Here is the error message:

Status: Joining Operation Failed: A service is not available that is required to process the request.

Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE

ErrorCode: 41759

It searches for a DC in the domain. Finds a domain controller. Checks the credentials. Gets the TGT for the account. Then goes back again searching for another domain controller. This goes on and on.

What could be the problem? There is nothing wrong with our domain controller.

1 ACCEPTED SOLUTION
janusbarinan
Beginner

Thank you guys all for the support.

The solution I got was that cldap was not allowed in one of the firewalls.

Once it was allowed it all went well.

marce1000
VIP Advisor

 

- What version of ISE is this?

M.

It's 2.7.

Damien Miller
VIP Advisor

Have you done a pcap of the node while trying to join? It can reveal quite a bit more information, including the records it's getting back in DNS for the AD service hosts. ISE has a RW DC available to it, not a RODC?

ISE integration with Active Directory (AD)

ISE will use LDAP, KRB, and MSRPC to communicate with AD during the join/leave and authentication process. You will find in the next sections the protocols, the search format and the mechanism used to connect to a specific DC in AD and authenticate users against that DC. In case the DC becomes offline for any reason, ISE will fail over to the next available DC and the authentication process will not be affected.

Join ISE to AD

Prerequisites for Integrating Active Directory and ISE

  1. Ensure you have the privileges of a Super Admin or System Admin in ISE.
  2. Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco server and Active Directory. The maximum allowed time difference between ISE and AD is 5 minutes.
  3. The configured DNS on ISE must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.

Note: A Global Catalog server (GC) is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Thus, the Global Catalog allows users and applications to find objects in any domain of the current forest by searching for attributes included in the GC. The Global Catalog contains a basic (but incomplete) set of attributes for each forest object in each domain (Partial Attribute Set, PAT). The GC receives data from all the domain directory partitions in the forest; they are copied using the standard AD replication service. For more information you can check https://theitbros.com/global-catalog-active-directory/

  4. Ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS domain you want to use.
  5. AD must have at least one global catalog server operational and accessible by Cisco, in the domain to which you are joining Cisco.

Join AD domain

First, ISE will apply Domain Discovery to get information about the join domain in three phases:

  1. Queries joined domains—Discovers domains from its forest and domains externally trusted to the joined domain.
  2. Queries root domains in its forest—Establishes trust with the forest.
  3. Queries root domains in trusted forests—Discovers domains from the trusted forests.
  4. Additionally, Cisco ISE discovers DNS domain names (UPN suffixes), alternative UPN suffixes and NTLM domain names.

Then ISE will apply DC discovery to get all information about the available DCs and GCs, and proceed as below:

  1. The join process is started by entering the credentials of a super admin on AD that exists in the domain itself. If it exists in a different domain or subdomain, the username should be given in UPN notation (username@domain).
  2. ISE will send DNS queries asking for all DC, GC and KDC records; if the DNS reply does not contain one of them, the integration will fail with a DNS-related error.
  3. ISE will use the CLDAP ping to discover all DCs and GCs by sending CLDAP requests to the DCs according to their priorities in the SRV record; the first DC to respond will be used, and ISE will connect to that DC. One of the factors used to calculate the DC priority is the time taken by the DC to respond to CLDAP pings; a faster response gets a higher priority.

Note: CLDAP is the mechanism that ISE uses to establish and maintain connectivity with the DCs. It measures the response time until the first DC answers. It fails if no DC answers and warns if the response time is greater than 2.5 seconds. CLDAP pings all DCs in the site (if there is no site, then all DCs in the domain). The CLDAP response contains the DC site and the client site (i.e. the site to which the ISE machine is assigned).

  4. Then ISE will get a TGT with the 'join user' credentials.
  5. Generate the ISE machine account name using MSRPC (SAM and SPN).
  6. Search AD by SPN to check whether the ISE machine account already exists (e.g. pre-created); if the ISE machine account does not exist yet, ISE will create a new one (you can find a brief description of the SPN and SAM in the upcoming section).
  7. Open the machine account, set the ISE machine account password, and verify that the ISE machine account is accessible.
  8. Set the ISE machine account attributes (e.g. SPN, dnsHostname, etc.).
  9. Get a TGT with the ISE machine credentials using KRB5 and discover all trusted domains.
  10. When the join is complete, the ISE node will update its AD groups and corresponding SIDs and will automatically start the SID update process. You must ensure that this process can complete on the AD side.

The account used to join the ISE node to the domain must have the rights to join a computer to the domain? If this account is needed, will this be just one time (temporary, for joining) or permanent?

In number 7 you mention "Open machine account..."; is this done in Active Directory, and how do I verify that the ISE machine account is accessible?

In number 8, how do I set the machine SPN?

In number 9, "Get TGT with ISE...", how do I do it?

Thanks!

 

pblaser
Beginner

I have exactly the same problem:

Join Operation Failed: A service is not available that is required to process the request

Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE
Error Code: 41759

Cisco Identity Services Engine
---------------------------------------------
Version : 3.0.0.458
Build Date : Sat Aug 29 22:51:28 2020
Install Date : Wed Oct 27 17:54:04 2021

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Thu Oct 28 08:44:28 2021

Checked: NTP, DNS, AD rights

Any ideas on ISE 3.0P4 for this error?

Thanks

Pascal
