ISE 3.0.0.458 - Error joining ISE to AD domain

KerberosVE
Level 1

Hi,

I'm testing ISE 3.0, and I get this error:


Error Description: A service is not available that is required to process the request
Support Details...
Error Name: LW_ERROR_KRB5KDC_ERR_SVC_UNAVAILABLE
Error Code: 41759

Detailed Log:
13:14:57 Joining to domain HOME.LAB using user administrator@home.lab
13:14:57 Searching for DC in domain HOME.LAB
13:14:57 Found DC: srv.home.lab , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
13:14:57 Checking credentials for user administrator@home.lab
13:14:57 Getting TGT for account administrator@HOME.LAB


ISE & AD-DNS use the same NTP; my AD has the FW turned off.

I get the same error if I use administrator or administrator@home.lab

9 Replies

marce1000
VIP

- This setup requires full CLDAP communications to be allowed; make sure no firewalls anywhere are blocking that.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

The lab doesn't have FW, ACL, etc.

What version of Windows Server? I am no Windows expert but I have had luck with Windows 2012 and Windows 2019 Server Essentials. Each time I add the Domain Controller Role to the Server and run through the wizard - from memory I just accept all the defaults. I also ensure that DNS is working and resolving correctly. NTP is a bit of a hack job (registry etc) and I had to google around to make that work. When it came time to join ISE to the AD domain it worked first time.  Perhaps have a look at the AD Role settings again to make sure it's all good.

Hi Arne,

My server is 2019 Standard, with the Global Catalog enabled. Firewall OFF.

My NTP is a router, I verified the ISE and AD are in sync with the RT and have the same clock.

I manually added the ISE to the Computers OU in the AD.

But it doesn't work, I get the same error msg.

Sounds like the Domain Controller is not well or something got messed up during the Add Roles.


ISE seems to think the KDC service is not running - have you checked that?


That's where my understanding of Windows Server ends ... if I were you I would rebuild my AD Server and see if that fixes it.


KDC.PNG

Yes, it is running, but I restarted it and tried to join and got the same error code.

I tried joining with LDAP and it works; I deleted the LDAP and tried again with AD and it doesn't work.

Are you able to resolve the DNS SRV records for your AD domain?


C:\Users\Administrator>nslookup
Default Server:  UnKnown
Address:  ::1

> set type=all
> _ldap._tcp.networks.lab.net
Server:  UnKnown
Address:  ::1

_ldap._tcp.networks.lab.net   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = WIN-AD-02.networks.lab.net
_ldap._tcp.networks.lab.net   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = WIN-AD-01.networks.lab.net
WIN-AD-02.networks.lab.net    internet address = 10.48.148.12
WIN-AD-01.networks.lab.net    internet address = 10.48.148.11
>

Yes, it's working.

C:\Users\Administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=all
> _ldap._tcp.home.lab
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.home.lab     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv.home.lab
srv.home.lab    internet address = 192.168.90.10
srv.home.lab    AAAA IPv6 address = fec0::957c:1cf2:2d78:a82f
>
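Added example, not from this thread: a small Python checker that parses the `set type=all` nslookup output shown above and reports whether each SRV target also has an address record, so a record that points at a host the client cannot resolve stands out. The `_kerberos._tcp` record (the KDC locator, port 88, which is what a TGT request needs) and the `kdc2.home.lab` host in the sample are constructed to show the failing case.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the nslookup transcript in this thread;
# the _kerberos._tcp record and kdc2.home.lab are made up for the example.
SAMPLE = """\
_ldap._tcp.home.lab     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srv.home.lab
_kerberos._tcp.home.lab SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc2.home.lab
srv.home.lab    internet address = 192.168.90.10
srv.home.lab    AAAA IPv6 address = fec0::957c:1cf2:2d78:a82f
"""

SRV_HDR = re.compile(r"^(\S+)\s+SRV service location:")
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")
ADDR = re.compile(r"^(\S+)\s+(?:internet address|AAAA IPv6 address)\s*=\s*(\S+)")

def parse_nslookup(text: str) -> Tuple[List[dict], Dict[str, List[str]]]:
    """Return (srv_records, addresses) from 'set type=all' nslookup output."""
    srv, addrs, cur = [], {}, None
    for line in text.splitlines():
        if m := SRV_HDR.match(line):
            cur = {"name": m.group(1)}      # start a new SRV record
            srv.append(cur)
        elif (m := FIELD.match(line)) and cur is not None:
            key, val = m.groups()
            if key == "svr hostname":
                cur["target"] = val.rstrip(".")
            else:
                cur[key] = int(val)
        elif m := ADDR.match(line):          # A / AAAA glue for a host
            addrs.setdefault(m.group(1).rstrip("."), []).append(m.group(2))
    return srv, addrs

def check_srv_targets(text: str) -> List[str]:
    """One finding per SRV record: OK when its target has an address record,
    otherwise MISSING (the client finds the record but cannot reach the host)."""
    srv, addrs = parse_nslookup(text)
    findings = []
    for r in srv:
        if r.get("target") in addrs:
            findings.append(f"OK {r['name']} -> {r['target']}:{r.get('port')}")
        else:
            findings.append(f"MISSING address for {r['name']} target {r.get('target')}")
    return findings
```

Paste real nslookup output into `SAMPLE` (or read it from a file) and call `check_srv_targets`; every AD domain should publish both `_ldap._tcp` and `_kerberos._tcp` records whose targets resolve.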

hslai
Cisco Employee

I would suggest the following:

  • On the Active Directory server, run dcdiag for a health check.
  • On the Active Directory server, run the Event Viewer app and check the Security log for Kerberos events, especially 4768: A Kerberos authentication ticket (TGT) was requested.
  • On the ISE, turn on TRACE for the Active Directory component. Also, perform a network packet capture between the ISE and the AD. Re-try the join and check the capture and the ISE debug log ad_agent.log.

Error joining ISE to AD domain has a good write-up of the ISE AD join process.