ISE 2.2 Patch 1 affecting AD authentications

Allen P Chen
Level 5

Hi Folks,

I noticed after applying Patch 1 to ISE 2.2 that none of the AD authentications were working.  The message was "22056 Subject not found in the applicable identity store(s)".  Here are the logs.  Notice that even though ISE detected a matching account in the AD join point, it still went on to the next identity store.

11001     Received RADIUS Access-Request
11017     RADIUS created a new session
11117     Generated a new session ID
15049     Evaluating Policy Group
15008     Evaluating Service Selection Policy
15048     Queried PIP - Network Access.NetworkDeviceName
15048     Queried PIP - Radius.NAS-Port-Id
15048     Queried PIP - Radius.NAS-Port-Type
15004     Matched rule - PAP_ASCII_ASYNC
15041     Evaluating Identity Policy
15006     Matched Default Rule
22072     Selected identity source sequence - AD_LOCAL
15013     Selected Identity Source - AD1
24430     Authenticating user against Active Directory - AD1
24325     Resolving identity - ise_ad
24313     Search for matching accounts at join point - demo.local
24319     Single matching account found in forest - demo.local
24323     Identity resolution detected single matching account
24343     RPC Logon request succeeded - ise_ad@demo.local
15013     Selected Identity Source - Internal Users
24210     Looking up User in Internal Users IDStore - ise_ad
24216     The user is not found in the internal users identity store
22016     Identity sequence completed iterating the IDStores
22056     Subject not found in the applicable identity store(s)
22058     The advanced option that is configured for an unknown user is used
22061     The 'Reject' advanced option is configured in case of a failed authentication request
11003     Returned RADIUS Access-Reject

I removed Patch 1 and authentication was successful again.  Here are the logs:

11001     Received RADIUS Access-Request
11017     RADIUS created a new session
11117     Generated a new session ID
15049     Evaluating Policy Group
15008     Evaluating Service Selection Policy
15048     Queried PIP - Network Access.NetworkDeviceName
15048     Queried PIP - Radius.NAS-Port-Id
15048     Queried PIP - Radius.NAS-Port-Type
15004     Matched rule - PAP_ASCII_ASYNC
15041     Evaluating Identity Policy
15006     Matched Default Rule
22072     Selected identity source sequence - AD_LOCAL
15013     Selected Identity Source - AD1
24430     Authenticating user against Active Directory - AD1
24325     Resolving identity - ise_ad
24313     Search for matching accounts at join point - demo.local
24319     Single matching account found in forest - demo.local
24323     Identity resolution detected single matching account
24343     RPC Logon request succeeded - ise_ad@demo.local
24402     User authentication against Active Directory succeeded - AD1
22037     Authentication Passed
15036     Evaluating Authorization Policy
24432     Looking up user in Active Directory - AD1
24355     LDAP fetch succeeded - demo.local
24416     User's Groups retrieval from Active Directory succeeded - AD1
15048     Queried PIP - AD1.ExternalGroups
15048     Queried PIP - Radius.NAS-Port-Type
15004     Matched rule - DEVICE_ADMIN_AD_SYNC
15016     Selected Authorization Profile - PERMIT_PRIV15
22081     Max sessions policy passed
22080     New accounting session created in Session cache
11002     Returned RADIUS Access-Accept

Is this a known issue?  Not sure why Patch 1 does not perform user authentication against AD even though the account is recognized.

Thanks in advance.
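The difference between the two reports above can be checked mechanically: in the failing run, step 24343 (RPC logon succeeded) is never followed by 24402 (user authentication against Active Directory succeeded), and the identity source sequence instead selects the next store (15013 Internal Users) and ends in 22056 and an Access-Reject. The script below is an added example, not code from this thread or from Cisco. It parses the step-number lines of an ISE authentication report and flags a sequence in which the AD logon succeeded but the sequence still moved on to another identity store. The two inputs are abbreviated excerpts of the logs posted above, and the step codes are the ones that appear in those logs.

```python
"""Flag ISE authentication reports where a successful AD logon is not honoured.

Added example for the thread above; it is not Cisco code. The step codes are the
ones visible in the posted logs (24343, 24402, 15013, 22056, 11002, 11003).
"""
import re
from dataclasses import dataclass, field

# An ISE step line: five-digit step code, whitespace, free-text message.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

STEP_SELECT_SOURCE = "15013"   # Selected Identity Source - <store>
STEP_RPC_LOGON_OK = "24343"    # RPC Logon request succeeded
STEP_AD_AUTH_OK = "24402"      # User authentication against AD succeeded
STEP_NOT_FOUND = "22056"       # Subject not found in the applicable identity store(s)
STEP_ACCEPT = "11002"          # Returned RADIUS Access-Accept
STEP_REJECT = "11003"          # Returned RADIUS Access-Reject


def parse_steps(text):
    """Return [(code, message), ...] for every step line in the report."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


@dataclass
class Verdict:
    outcome: str                       # "accept", "reject" or "unknown"
    ad_logon_succeeded: bool           # saw 24343
    ad_auth_recorded: bool             # saw 24402
    sources_after_ad_logon: list = field(default_factory=list)
    anomalous: bool = False            # AD logon ok, no 24402, sequence kept iterating


def analyze(text):
    """Classify one authentication report.

    The anomaly of interest: AD reported a successful logon (24343), ISE never
    recorded the AD authentication as passed (24402), and the identity source
    sequence went on to select another store (15013) anyway.
    """
    ad_logon = False
    ad_auth = False
    after = []
    outcome = "unknown"
    for code, msg in parse_steps(text):
        if code == STEP_RPC_LOGON_OK:
            ad_logon = True
        elif code == STEP_AD_AUTH_OK:
            ad_auth = True
        elif code == STEP_SELECT_SOURCE and ad_logon:
            # Message form: "Selected Identity Source - <store name>"
            after.append(msg.split(" - ", 1)[1])
        elif code == STEP_ACCEPT:
            outcome = "accept"
        elif code == STEP_REJECT:
            outcome = "reject"
    anomalous = ad_logon and not ad_auth and bool(after)
    return Verdict(outcome, ad_logon, ad_auth, after, anomalous)


# Abbreviated excerpts of the two reports posted in the thread (constructed
# from those logs; intermediate steps omitted for brevity).
PATCHED_LOG = """\
15013     Selected Identity Source - AD1
24430     Authenticating user against Active Directory - AD1
24343     RPC Logon request succeeded - ise_ad@demo.local
15013     Selected Identity Source - Internal Users
24216     The user is not found in the internal users identity store
22056     Subject not found in the applicable identity store(s)
11003     Returned RADIUS Access-Reject
"""

UNPATCHED_LOG = """\
15013     Selected Identity Source - AD1
24430     Authenticating user against Active Directory - AD1
24343     RPC Logon request succeeded - ise_ad@demo.local
24402     User authentication against Active Directory succeeded - AD1
22037     Authentication Passed
11002     Returned RADIUS Access-Accept
"""

if __name__ == "__main__":
    for name, log in (("with Patch 1", PATCHED_LOG), ("without Patch 1", UNPATCHED_LOG)):
        v = analyze(log)
        print(f"{name}: outcome={v.outcome} anomalous={v.anomalous} "
              f"sources_after_ad_logon={v.sources_after_ad_logon}")
```

Running it reports the patched excerpt as anomalous (AD logon succeeded, sequence continued to Internal Users, Access-Reject) and the unpatched excerpt as a normal accept; the same check can be run over exported live logs to see whether a given node shows the behaviour.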


3 Replies

Jason Kunst
Cisco Employee

Allen, if this is for a customer, open a TAC case; researching otherwise.

Hi Jason,

Thanks for chiming in.  This is for my home lab.  I was testing something for a customer and prior to testing, I decided to install Patch 1.  Thought it was something with my AD instance.  Long story short, I removed Patch 1 and everything is back to normal.

Thanks. If you can reproduce and want to work with us, then maybe that could be set up; otherwise we will move on if we can't work on reproduction.