10-10-2025 05:40 AM
Hi, we are testing ISE 3.5. We aren't able to join it to AD. In a tcpdump we found that the join stops at:
271 1.817231 10.0.10.10 10.0.10.15 SAMR 166 ChangePasswordUser2 response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED
We use 2 DCs with WS2025. As a last try, we added the join user to "domain admin". We also tried to grant FULL CONTROL to the user, delete the machine, and reset ISE to factory default, but the join still fails. Before this packet, there are a lot of other SAMR exchanges between ISE and the DC that succeed. This is the join log (the machine existed during this join):
Error Description: Access is denied
Support Details...
Error Name: ERROR_ACCESS_DENIED
Error Code: 5
Detailed Log:
14:37:09 Joining to domain ITTS.mydomain.COM using user ise_join_svc@itts.mydomain.com
14:37:09 Searching for DC in domain ITTS.mydomain.COM
14:37:09 Found DC: Dcmydomain02.itts.mydomain.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
14:37:09 Checking credentials for user ise_join_svc@itts.mydomain.com
14:37:09 Getting TGT for account ise_join_svc@ITTS.mydomain.COM
14:37:09 TGT for account ise_join_svc@ITTS.mydomain.COM was retrieved successfully
14:37:09 Credentials for user ise_join_svc@itts.mydomain.com were verified
14:37:09 Searching for DC in domain ITTS.mydomain.COM
14:37:09 Found DC: Dcmydomain02.itts.mydomain.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
14:37:09 Generating account name for ISE machine in ITTS.mydomain.COM
14:37:09 Searching for an existing machine account
14:37:09 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/tsmxsvise01.itts.mydomain.com))
14:37:09 Account: tsmxsvise01 was found
14:37:09 ISE Machine account name is : TSMXSVISE01$
14:37:09 Creating machine account TSMXSVISE01$
14:37:09 Connecting to AD using DC Dcmydomain02.itts.mydomain.com
14:37:09 Connection to Dcmydomain02.itts.mydomain.com established
14:37:09 Opening domain mydomain
14:37:09 Domain mydomain was opened successfully
14:37:09 Machine account: TSMXSVISE01$ already exists , opening account.
14:37:09 Machine account TSMXSVISE01$ was opened successfully
14:37:09 Querying account TSMXSVISE01$ info
14:37:09 Account TSMXSVISE01$ information was retrieved successfully
14:37:09 Enabling machine account : TSMXSVISE01$
14:37:09 Machine account TSMXSVISE01$ was enabled successfully
14:37:09 Setting password for account : TSMXSVISE01$
14:37:09 Password for account: TSMXSVISE01$ was setted successfully
14:37:09 Account TSMXSVISE01$ was created successfully
14:37:09 Verify that machine account: TSMXSVISE01$ is accessable
14:37:09 Searching object by filter : (&(objectClass=computer)(sAMAccountName=TSMXSVISE01$))
14:37:09 Machine account TSMXSVISE01$ is accessable with DN: CN=TSMXSVISE01,OU=ISE_Servers,DC=itts,DC=mydomain,DC=com
14:37:09 Setting attributes to object: CN=TSMXSVISE01,OU=ISE_Servers,DC=itts,DC=mydomain,DC=com
14:37:09 Setting attribute dNSHostName : tsmxsvise01.itts.mydomain.com to object
14:37:09 Attribute dNSHostName : tsmxsvise01.itts.mydomain.com was setted successfully
14:37:09 Setting attribute servicePrincipalName : HOST/tsmxsvise01.itts.mydomain.com to object
14:37:09 Attribute servicePrincipalName : HOST/tsmxsvise01.itts.mydomain.com was setted successfully
14:37:09 Setting attribute servicePrincipalName : HTTP/tsmxsvise01 to object
14:37:09 Attribute servicePrincipalName : HTTP/tsmxsvise01 was setted successfully
14:37:09 Setting attribute operatingSystem : Cisco Identity Services Engine to object
14:37:09 Attribute operatingSystem : Cisco Identity Services Engine was setted successfully
14:37:09 Setting attribute operatingSystemVersion : 3.5.0.527 to object
14:37:09 Attribute operatingSystemVersion : 3.5.0.527 was setted successfully
14:37:09 Setting attribute userAccountControl : 4096 to object
14:37:09 Attribute userAccountControl : 4096 was setted successfully
14:37:09 Setting attribute msDS-SupportedEncryptionTypes : 28 to object
14:37:09 Attribute msDS-SupportedEncryptionTypes : 28 was setted successfully
14:37:09 Attributes was setted successfully
10-10-2025 05:44 AM - edited 10-10-2025 05:48 AM
@mmots have you read the following and made the recommended changes?
Note: Currently, Cisco ISE integration with Microsoft Windows Active Directory 2025 requires configuration changes in the Active Directory Domain Controller. For more information, see CSCwn62873.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html
10-10-2025 06:12 AM
Hi, many thanks. We forgot to change this: Under the "Options" section, choose "Allow all change password RPC methods."