12-15-2021 09:23 AM
Hi,
I'm testing ISE 3.0, and I get this error:
Error Description: A service is not available that is required to process the request
Support Details...
Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE
Error Code: 41759
Detailed Log:
13:14:57 Joining to domain HOME.LAB using user administrator@home.lab
13:14:57 Searching for DC in domain HOME.LAB
13:14:57 Found DC: srv.home.lab , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
13:14:57 Checking credentials for user administrator@home.lab
13:14:57 Getting TGT for account administrator@HOME.LAB
ISE and AD-DNS use the same NTP; my AD has the FW turned off.
I get the same error if I use administrator or administrator@home.lab
12-15-2021 10:09 AM
- This setup requires full CLDAP communications to be allowed; make sure no firewalls somewhere are blocking that
M.
12-15-2021 10:11 AM
The lab doesn't have FW, ACL, etc.
12-15-2021 12:50 PM
What version of Windows Server? I am no Windows expert but I have had luck with Windows 2012 and Windows 2019 Server Essentials. Each time I add the Domain Controller Role to the Server and run through the wizard - from memory I just accept all the defaults. I also ensure that DNS is working and resolving correctly. NTP is a bit of a hack job (registry etc) and I had to google around to make that work. When it came time to join ISE to the AD domain it worked first time. Perhaps have a look at the AD Role settings again to make sure it's all good.
12-15-2021 01:30 PM
Hi Arne,
My server is 2019 Standard; I have enabled the Global Catalog. Firewall OFF.
My NTP is a router; I verified that ISE and AD are in sync with the RT and have the same clock.
I manually added the ISE to the Computers OU in AD.
But it doesn't work; I get the same error msg.
12-15-2021 06:01 PM
Sounds like the Domain Controller is not well or something got messed up during the Add Roles.
ISE seems to think the KDC service is not running - have you checked that?
That's where my understanding of Windows Server ends ... if I were you I would rebuild my AD Server and see if that fixes it.
12-15-2021 06:07 PM
Yes, it is running, but I restarted and tried to join and got the same error code.
I tried joining with LDAP and it worked; I deleted the LDAP and tried again with AD and it did not work.
12-15-2021 07:02 PM
Are you able to resolve the DNS SRV records for your AD domain?
C:\Users\Administrator>nslookup
Default Server:  UnKnown
Address:  ::1

> set type=all
> _ldap._tcp.networks.lab.net
Server:  UnKnown
Address:  ::1

_ldap._tcp.networks.lab.net     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = WIN-AD-02.networks.lab.net
_ldap._tcp.networks.lab.net     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = WIN-AD-01.networks.lab.net
WIN-AD-02.networks.lab.net      internet address = 10.48.148.12
WIN-AD-01.networks.lab.net      internet address = 10.48.148.11
>
12-15-2021 07:07 PM
Yes, it's working.
C:\Users\Administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=all
> _ldap._tcp.home.lab
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.home.lab     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv.home.lab
srv.home.lab    internet address = 192.168.90.10
srv.home.lab    AAAA IPv6 address = fec0::957c:1cf2:2d78:a82f
>
12-19-2021 06:13 PM
I would suggest the following:
"Error joining ISE to AD domain" has a good write-up of the ISE AD join process.