ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS

kostasthedelegate · ‎02-10-2020

Hello,

I have a new ISE deployment with two nodes.

I have a problem with user authentication against Active Directory.

When I try to authenticate a user I get the following error:

24371 The ISE machine account does not have the required privileges to fetch groups. - ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS

24371 The ISE machine account does not have the required privileges to fetch groups. - xxx-xxx

I have tried this solution

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200780-Fix-Active-Directory-group-retrieval-iss.html

but if I am not mistaken is per user, so it is not scalable.

The customer says that the accounts have the required privileges.

Any hint?

Thanks and regards,

Konstantinos

Mike.Cifelli · ‎02-10-2020

I would take a peek here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

kostasthedelegate · ‎02-10-2020

Hello Mike,

Thanks for the answer.
I have informed the customer about the "Active Directory Account Permissions Required to Perform Various Operations"
For the join operation, the account used is definitely correct. I have already sent to the customer the "Cisco ISE Machine Accounts" permissions in order to double-check.

avinash4567 · ‎08-14-2020

Try this fix to reset the computer account permissions:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200349-ISE-1-3-AD-Authentications-Fail-with-Err.html