06-27-2012 07:58 AM - edited 03-10-2019 07:14 PM
Hello,
We are currently evaluating ISE 1.1 in a multi-forest environment, and we have problems authenticating users that are based in a different domain (domain2) than the one the ISE is based in (domain1).
This is the setup:
In domain1 there is a MSFT CA with OCSP, a DC and the ISE.
In domain2 there is a DC and the users.
There is a two-way trust between the domains.
This is my authentication scenario:
1. agent connect to a wireless network (ok)
2. client exchanges certificate information with ISE (ok)
3. ISE exchanges certificate status with CA (ok)
4. ISE extracts the Subject Alternative Name from the certificate, dersa@domain2.ch (ok)
5. ISE queries the Active Directory store for the user dersa@domain2.ch (not ok, fails with 22056 Subject not found)
In the log I can see that the other forest (domain2) is not even queried to retrieve user data, only domain1.
I could query the other domain during AD setup and was able to add groups from the other domain, but I could retrieve attributes of the user in domain2.
Any ideas?
Regards
Alex
Extract from log file:
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="dersa@domain2.ch" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper 'dersa@domain2.ch' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete
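The trace quoted in the post already contains the answer to "why was domain2 never queried": the agent rejects the realm taken from the UPN, falls back to its own domain, and only ever searches domain1 servers. The Python below is an added example, not part of Alex's post and not ISE or Centrify code. It pulls those fields out of an AD-agent trace of this shape and turns them into findings a reviewer can act on. The sample log is constructed from the lines quoted above, trimmed to the decisive records; the names `LookupTrace`, `parse_trace` and `diagnose` are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the decisive lines of the AD-agent trace quoted in the post,
# reduced to the records the triage below needs.
SAMPLE_LOG = """\
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
"""

# (server, port, base DN, filter attribute, filter value) of one LDAP search
Search = Tuple[str, int, str, str, str]


@dataclass
class LookupTrace:
    name: Optional[str] = None
    category: Optional[str] = None
    srv_queries: List[str] = field(default_factory=list)
    rejected: Dict[str, str] = field(default_factory=dict)  # domain -> agent's stated reason
    resolved_domain: Optional[str] = None                    # domain the agent finally searched under
    searches: List[Search] = field(default_factory=list)
    result: Optional[str] = None                             # e.g. "NotFound"


PATTERNS = {
    "name": re.compile(r"doCAPIGetObjectByName: category=(\w+) name=(\S+)"),
    "srv": re.compile(r"FindSrvFromDns\(\d+\): (\S+)"),
    "reject": re.compile(r"rejecting domain (\S+)\. Blocked, (.+)$"),
    "resolved": re.compile(r"ADNames: .*type=\w+ domain=([^#\s]+)"),
    "search": re.compile(r'base\.bind\.ldap (\S+):(\d+) search base="([^"]*)" '
                         r'filter=".*\((\w+)=([^)]+)\)\)"'),
    "result": re.compile(r"findObject: (\w+):\S+ Category:\w+"),
}


def parse_trace(log: str) -> LookupTrace:
    """Extract the request, realm decisions, LDAP searches and outcome from one lookup."""
    t = LookupTrace()
    for line in log.splitlines():
        if (m := PATTERNS["name"].search(line)):
            t.category, t.name = m.group(1), m.group(2)
        elif (m := PATTERNS["srv"].search(line)):
            t.srv_queries.append(m.group(1))
        elif (m := PATTERNS["reject"].search(line)):
            t.rejected[m.group(1)] = m.group(2)
        elif (m := PATTERNS["resolved"].search(line)):
            t.resolved_domain = m.group(1)
        elif (m := PATTERNS["search"].search(line)):
            t.searches.append((m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)))
        elif (m := PATTERNS["result"].search(line)):
            t.result = m.group(1)
    return t


def diagnose(t: LookupTrace) -> List[str]:
    """Turn the parsed trace into human-readable findings."""
    findings: List[str] = []
    if not t.name:
        return ["no CAPIGetObjectByName request found in trace"]
    if "@" in t.name:
        suffix = t.name.split("@", 1)[1].lower()
        findings.append(f"identity sent as UPN with suffix '{suffix}'")
        for domain, reason in t.rejected.items():
            if domain.lower() == suffix:
                findings.append(f"agent rejected realm '{suffix}': {reason}")
        if t.resolved_domain and t.resolved_domain.lower() != suffix:
            findings.append(f"lookup fell back to the agent's own domain '{t.resolved_domain}'")
        suffix_dn = ",".join(f"dc={label}" for label in suffix.split("."))
        if not any(base.lower() == suffix_dn for _, _, base, _, _ in t.searches):
            findings.append(f"no LDAP search was issued against the '{suffix}' naming context")
    elif "\\" in t.name:
        findings.append("identity sent as domain\\username")
    if t.searches and all(attr == "sAMAccountName" and "@" in val for *_, attr, val in t.searches):
        findings.append("UPN-form name was matched as sAMAccountName rather than userPrincipalName")
    gcs = sorted({srv for srv, port, *_ in t.searches if port == 3268})
    if gcs:
        findings.append(f"GC searched: {', '.join(gcs)} (empty base: a GC search covers only that GC's forest)")
    if t.result == "NotFound":
        findings.append("lookup ended NotFound (surfaced by ISE as 22056 Subject not found)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_LOG)):
        print("-", finding)
```

Run against a longer trace, the parser keeps the last request's name and result, so feed it one `CAPIGetObjectByName` request at a time (split on the "executing request" lines) when triaging a full log.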
06-27-2012 10:35 AM
I was now able to query user attributes from domain2; I had to provide the username in this format: domain2\username. I believe this is the problem: I am sending the username in the wrong format. If I were able to modify the format from username@domain.ch to domain\username, everything would be fine.
regards
alex
06-27-2012 10:45 AM
Alex,
We need to see if the DNS server is able to resolve domain2. If you issue an nslookup for domain2, what do you see, do you receive any responses? I would start there and see what that turns up. Also, what type of trust do you have enabled between domain1 and domain2? ISE uses Kerberos to authenticate these users, so we need to check: if you have an external trust configured between these domains then authentication will fail, since Kerberos is not allowed. Please use a forest trust, which allows Kerberos, and that should fix your issue.
If you were using ACS 4.2 at one point then it would have worked, because that uses NTLM auth.
Here is an article for reference:
http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html
Thanks,
Tarik Admani
06-27-2012 10:54 AM
Hello Tarik,
The trust type is forest trust. As I mentioned, I was able to retrieve user attributes when I do it in the Active Directory configuration procedure. What matters at the moment is the format of the username. I have to send it as domain\username. But I can't achieve this with Binary Certificate Comparison.
regards
alex
06-27-2012 11:05 AM
Alex,
It looks like ISE is unable to contact the GC for domain2. Are you able to resolve domain2? In the case that you are able to resolve the name using NetBIOS: when you use a UPN (xxx@xxx.xx), that requires DNS to be operational, since it looks up the DNS domain and then sends the user request to the domain GC. My assumption is that when you use NetBIOS it sends the request to domain1's GC and then it is able to authenticate the user through the trust. I am not an AD expert, but I am assuming that is why one is working over the other.
When you issue a DNS query on the ISE CLI for domain2, do you receive any GCs in the response?
Thanks
tarik admani
06-27-2012 11:17 AM
Tarik,
From the ISE CLI I can nslookup domain2.lan and I get this result:
nos-ch-wbn-ise1/admin# nslookup domain2.lan
Trying "domain2.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
;; QUESTION SECTION:
;domain2.lan. IN ANY
;; ANSWER SECTION:
domain2.lan. 600 IN A 192.168.68.21
domain2.lan. 600 IN A 172.28.1.3
domain2.lan. 600 IN A 172.28.1.2
domain2.lan. 600 IN A 192.168.68.20
domain2.lan. 3600 IN NS labdc01.lab.lan.
domain2.lan. 3600 IN NS labdc02.lab.lan.
domain2.lan. 3600 IN NS labex01.lab.lan.
domain2.lan. 3600 IN NS bsdehepdc01.domain2.lan.
domain2.lan. 3600 IN NS bsdehepfs01.domain2.lan.
domain2.lan. 3600 IN NS mordor.softlink.ch.
domain2.lan. 3600 IN NS shire.softlink.ch.
domain2.lan. 3600 IN NS labex02.lab.lan.
domain2.lan. 3600 IN NS icm60.icm60domain.lan.
domain2.lan. 3600 IN NS bsfs02.domain2.lan.
domain2.lan. 3600 IN NS bsfs03.domain2.lan.
domain2.lan. 3600 IN SOA bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
;; ADDITIONAL SECTION:
labdc01.lab.lan. 3600 IN A 172.28.2.196
bsdehepdc01.domain2.lan. 311 IN A 192.168.68.20
bsdehepfs01.domain2.lan. 2771 IN A 192.168.68.21
bsfs02.domain2.lan. 1649 IN A 172.28.1.2
bsfs03.domain2.lan. 595 IN A 172.28.1.3
So I assume DNS is working fine.
Do I have to see the GC of the trusted domain as well in the ISE Active Directory configuration?
thanks & regards
Alex
06-27-2012 11:27 AM
The best thing at this point is to open an SR with TAC, since the nslookup command won't allow you to look for GCs through the CLI.
If you are looking for a quick solution, what you can do is configure the second domain as an LDAP instance, since you are using EAP-TLS. Then you can create an identity store sequence that will check AD then LDAP.
I did notice the following replies:
domain2.lan. 3600 IN NS mordor.softlink.ch.
domain2.lan. 3600 IN NS shire.softlink.ch.
I don't know why these servers are being sent in the response.
Thanks,
Tarik Admani
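Tarik's observation about the softlink.ch name servers can be checked mechanically rather than by eye. The Python below is an added example, not part of either post and not a Cisco tool. It parses dig-style output of the kind Alex pasted from the ISE CLI, splits the zone's NS records into in-zone and out-of-zone servers (generalizing Tarik's point to every NS host that is not under domain2.lan, not only the softlink.ch pair), checks that in-zone name servers come with glue, matches the apex A records against that glue, and lists the standard AD locator SRV names to query from a host whose resolver tool can ask for SRV records, since the ISE CLI nslookup cannot. The sample output is copied from Alex's post; `parse_dig`, `audit_zone` and `ad_locator_records` are the example's own names.

```python
from typing import Dict, List, NamedTuple, Optional

# Sample input: the nslookup output Alex pasted from the ISE CLI, reproduced as test data.
SAMPLE_NSLOOKUP = """\
Trying "domain2.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
;; QUESTION SECTION:
;domain2.lan. IN ANY
;; ANSWER SECTION:
domain2.lan. 600 IN A 192.168.68.21
domain2.lan. 600 IN A 172.28.1.3
domain2.lan. 600 IN A 172.28.1.2
domain2.lan. 600 IN A 192.168.68.20
domain2.lan. 3600 IN NS labdc01.lab.lan.
domain2.lan. 3600 IN NS labdc02.lab.lan.
domain2.lan. 3600 IN NS labex01.lab.lan.
domain2.lan. 3600 IN NS bsdehepdc01.domain2.lan.
domain2.lan. 3600 IN NS bsdehepfs01.domain2.lan.
domain2.lan. 3600 IN NS mordor.softlink.ch.
domain2.lan. 3600 IN NS shire.softlink.ch.
domain2.lan. 3600 IN NS labex02.lab.lan.
domain2.lan. 3600 IN NS icm60.icm60domain.lan.
domain2.lan. 3600 IN NS bsfs02.domain2.lan.
domain2.lan. 3600 IN NS bsfs03.domain2.lan.
domain2.lan. 3600 IN SOA bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
;; ADDITIONAL SECTION:
labdc01.lab.lan. 3600 IN A 172.28.2.196
bsdehepdc01.domain2.lan. 311 IN A 192.168.68.20
bsdehepfs01.domain2.lan. 2771 IN A 192.168.68.21
bsfs02.domain2.lan. 1649 IN A 172.28.1.2
bsfs03.domain2.lan. 595 IN A 172.28.1.3
"""


class RR(NamedTuple):
    section: str   # "answer", "authority" or "additional"
    name: str      # owner name, lower-cased, no trailing dot
    ttl: int
    rtype: str
    rdata: str     # remaining fields joined; host-name rdata normalised like name


def _host(h: str) -> str:
    return h.rstrip(".").lower()


def parse_dig(output: str) -> List[RR]:
    """Parse dig-style output (what the ISE 'nslookup' prints) into resource records."""
    records, section = [], "answer"
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")].strip().lower()
            continue
        if not line or line.startswith(";") or line.startswith("Trying"):
            continue                      # banner, header, flags and question lines
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # not an RR line (e.g. a CLI prompt)
        rdata = " ".join(parts[4:])
        if parts[3] in ("NS", "CNAME", "PTR"):
            rdata = _host(rdata)
        records.append(RR(section, _host(parts[0]), int(parts[1]), parts[3], rdata))
    return records


def audit_zone(records: List[RR], zone: str) -> Dict[str, List[str]]:
    """Split the zone's NS hosts into in-zone and out-of-zone, check glue for the
    in-zone ones, and explain the apex A records by that glue where possible."""
    zone = _host(zone)
    in_zone = lambda h: h == zone or h.endswith("." + zone)
    ns_hosts = [r.rdata for r in records if r.rtype == "NS" and r.name == zone]
    glue = {r.name: r.rdata for r in records if r.rtype == "A" and r.section == "additional"}
    apex_a = {r.rdata for r in records if r.rtype == "A" and r.name == zone and r.section == "answer"}
    in_zone_ns = sorted(h for h in ns_hosts if in_zone(h))
    in_zone_glue_ips = {glue[h] for h in in_zone_ns if h in glue}
    return {
        "in_zone_ns": in_zone_ns,
        "foreign_ns": sorted(h for h in ns_hosts if not in_zone(h)),
        "ns_without_glue": sorted(h for h in in_zone_ns if h not in glue),
        "apex_a_backed_by_in_zone_ns": sorted(apex_a & in_zone_glue_ips),
        "apex_a_unexplained": sorted(apex_a - in_zone_glue_ips),
    }


def ad_locator_records(domain: str, forest_root: Optional[str] = None) -> List[str]:
    """Standard AD DNS locator names to query as type SRV from a host whose resolver
    tool supports SRV lookups. GC records are registered under the forest root name."""
    domain = _host(domain)
    forest_root = _host(forest_root or domain)
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_gc._tcp.{forest_root}",
        f"_ldap._tcp.gc._msdcs.{forest_root}",
    ]


if __name__ == "__main__":
    report = audit_zone(parse_dig(SAMPLE_NSLOOKUP), "domain2.lan")
    for key, hosts in report.items():
        print(f"{key}: {hosts}")
    print("SRV names to check:", ad_locator_records("domain2.lan"))
```

On Alex's output the audit reports four in-zone name servers, all with glue, whose addresses account for all four apex A records, and seven NS hosts outside domain2.lan, including the two softlink.ch servers Tarik pointed out.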
06-27-2012 11:34 AM
Hello Tarik,
Those are external servers from our provider; I have to verify with them why this is like it is. At the moment I have multiple LDAP in the production environment with my ACS.
I don't know if I can open TAC cases with eval versions.
I'll try.
regards
Alex
06-30-2012 08:35 PM
Alex,
Were you able to get the DNS info cleaned up?
Thanks