03-26-2021 08:38 AM
I get an error when joining ISE to domain. Here is the error message:
Status: Joining Operation Failed: A service is not available that is required to process the request.
Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE
ErrorCode: 41759
It searches for a DC in the domain. Finds a domain controller. Checks the credentials. Gets the TGT for the account. Then goes back again searching for another domain controller. This goes on and on.
What could be the problem? There is nothing wrong with our domain controller.
11-18-2021 11:10 PM
Thank you guys all for the support.
The solution I got was that cldap was not allowed in one of the firewalls.
Once it was allowed it all went well.
03-26-2021 08:53 AM
What version of ISE is this?
M.
03-28-2021 07:06 PM
It's 2.7.
03-27-2021 04:39 PM
Have you done a pcap of the node while trying to join? It can reveal quite a bit more information, including the records it's getting back in DNS for the AD service hosts. ISE has a RW DC available to it, not a RODC?
ISE will use LDAP, KRB, and MSRPC to communicate with AD during the join/leave and authentication process. In the next sections you will find the protocols, the search format and the mechanism used to connect to a specific DC in AD and authenticate users against that DC. In case the DC becomes offline for any reason, ISE will fail over to the next available DC and the authentication process will not be affected.
Prerequisites for Integrating Active Directory and ISE
Note: A Global Catalog server (GC) is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Thus, the Global Catalog allows users and applications to find objects in any domain of the current forest by searching for attributes included in the GC. The Global Catalog contains a basic (but incomplete) set of attributes for each forest object in each domain (Partial Attribute Set, PAT). The GC receives data from all the domain directory partitions in the forest; they are copied using the standard AD replication service. For more information you can check https://theitbros.com/global-catalog-active-directory/
First, ISE will apply Domain Discovery to get information about the join domain in three phases:
Then ISE will apply DC discovery to get all the information about the available DCs and GCs, and proceed as below:
Note: CLDAP is the mechanism that ISE uses to establish and maintain connectivity with the DCs. It measures the response time until the first DC answers. It fails if there is no answer from a DC, and warns if the response time is greater than 2.5 seconds. CLDAP pings all DCs in the site (if there is no site, then all DCs in the domain). The CLDAP response contains the DC site and the client site (e.g. the site to which the ISE machine is assigned).
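The CLDAP check described in the note, written here as an added example (it is not Cisco's or ISE's code): it encodes the LDAP ping SearchRequest a DC locator sends to UDP/389, times the reply against the 2.5 s threshold above, and reports no reply at all as a failure, which is exactly what a firewall dropping CLDAP looks like from the joining node. The domain and DC names on the command line are placeholders.

```python
import socket
import struct
import sys
import time
WARN_SECONDS = 2.5  # slow-DC threshold quoted in the answer above

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def build_cldap_ping(domain: str, msg_id: int = 1) -> bytes:
    """LDAP SearchRequest (&(DnsDomain=<domain>)(NtVer=\\06\\00\\00\\00)) for attribute Netlogon."""
    def eq(attr: bytes, val: bytes) -> bytes:  # equalityMatch [3] AttributeValueAssertion
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    # NtVer 0x00000006 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, little-endian
    filt = tlv(0xA0, eq(b"DnsDomain", domain.encode()) + eq(b"NtVer", struct.pack("<I", 6)))
    search = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")  # rootDSE, baseObject, neverDeref
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")  # no limits, typesOnly FALSE
              + filt + tlv(0x30, tlv(0x04, b"Netlogon")))  # filter, attributes
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))  # LDAPMessage; msg_id < 128

def classify(rtt):
    if rtt is None:  # no answer at all: the DC is down or UDP/389 is filtered
        return "fail"
    return "warn" if rtt > WARN_SECONDS else "ok"

def cldap_ping(dc: str, domain: str, timeout: float = 3.0):
    """Send one ping to UDP/389 on a DC; return (rtt in seconds or None, reply bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_cldap_ping(domain), (dc, 389))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, b""
    return time.monotonic() - start, reply

if __name__ == "__main__":  # python cldap_check.py corp.example.com dc1.corp.example.com ...
    domain, *dcs = sys.argv[1:]
    for dc in dcs:
        rtt, reply = cldap_ping(dc, domain)  # a real DC answers with a Netlogon attribute
        print(f"{dc}: {classify(rtt)} rtt={rtt} netlogon_attr={b'Netlogon' in reply}")
```

Run it from the ISE subnet against every DC returned by the domain's SRV records; a "fail" on a DC that answers LDAP over TCP points at UDP/389 being blocked on the path, as in the accepted solution.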
03-28-2021 09:14 AM
The account used to join the ISE node to the domain must have the rights to join a computer to a domain? If this account is needed, will this be just one time (temporary, for joining) or permanent?
In number 7 you mention "Open machine account...". Is this done in Active Directory? And how do I verify that the ISE machine account is accessible?
In number 8, how do I set the machine SPN?
In number 9, "Get TGT with ISE...", how do I do it?
Thanks!
11-18-2021 10:51 PM
I have exactly the same problem:
Join Operation Failed: A service is not available that is required to process the request
Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE
Error Code: 41759
Cisco Identity Services Engine
---------------------------------------------
Version : 3.0.0.458
Build Date : Sat Aug 29 22:51:28 2020
Install Date : Wed Oct 27 17:54:04 2021
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Thu Oct 28 08:44:28 2021
Checked: NTP, DNS, AD rights
Any ideas on ISE 3.0P4 for this error?
Thanks
Pascal