
ISE 2.2 - Sponsor Portal Login Error - Internal User NO_SPONSOR_GROUP_MEMBERSHIP

Scott Gillies
Level 1

Hi

First, sorry if this gets confusing but Cisco in their wisdom use the ALL_ACCOUNTS tag for Identity Groups and Sponsor Groups...

I think I may have found a bug on ISE 2.2 (Patch 7).

 

I have an ISE Internal User account for a Sponsor Administrator for the Sponsor Group ALL_ACCOUNTS. Normal Sponsors manage their OWN_ACCOUNTS and are authenticated via an AD.

 

The account, which did work, was disabled for a while. I re-enabled it and now it no longer works.

 

The Sponsor_Identity_Sequence is Internal Users and AD. Normal Sponsors are working ok.

The Sponsor Administrator account is in the ALL_ACCOUNTS Identity Group.

The Sponsor Group ALL_ACCOUNTS is enabled and has Members ALL_ACCOUNTS identity group.

 

If the user tries to log in to the Sponsor Portal with the admin account but the wrong password, the report shows the authenticating Identity Store as Internal Users (correct) and the error "22040 Wrong password or invalid shared secret", which I assume would be correct.

When the user tries to log in to the Sponsor Portal with this admin account with the correct password, the report shows the authenticating Identity Store as Internal Users (correct) but they get the error "NO_SPONSOR_GROUP_MEMBERSHIP" even though the account is in the ALL_ACCOUNTS Identity Group, which is a member of the ALL_ACCOUNTS Sponsor Group.

 

I have had 3 colleagues look at this and we all agree. We think it is a bug.

We created a second account with the exact same profile and get the same error.

 

Bug? Or are we missing something?

 

Thanks in advance.

1 Accepted Solution

Jason Kunst
Cisco Employee
Contact the TAC

Hi, the resolution was to restart the PSNs.

Hopefully this issue has been fixed/patched in a later version of ISE.

simolor78
Level 1

I am experiencing the same problem.

How did you solve it?

 

Thank you

 

Simone

I didn't restart the PSN; however, I managed to solve this issue another way. My manually created sponsor account gave the same error because my ALL-ACCOUNTS group uses external authentication based on AD groups, so I tried to make a GET request with my AD account in the relevant group and it worked like a charm. Also, you should be careful with headers in the API request.

These are mine: -H 'Accept: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml' -H 'Accept-Search-Result: application/vnd.com.cisco.ise.ers.searchresult.2.0+xml'