03-06-2025 06:17 AM
After updating our Windows DC to Server 2025 and a subsequent downgrade back to Server 2022, our ISE server (3.3p4) tries and fails to automatically renew its AD account password, starting 15 days after the last (manual) action. The ISE account is set to "PasswordNeverExpires: True". The server is joined to AD and all the diagnostics are OK.
Is there a way to keep ISE from trying? Should we just ignore the warnings, or will something bad happen after this goes on for another 15 days (30 days seems to be the standard interval)? Will any of the "Advanced Tools"/"Advanced Tuning" options of the ISE Active Directory setup help?
03-06-2025 12:03 PM
It sounds like you're hitting the security policy issue described here - https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F
"The Network access: Restrict clients allowed to make remote calls to SAM security policy in Microsoft Active Directory has been revised. Hence, Cisco ISE might not be able to update its machine account password every 15 days. If the machine account password is not updated, Cisco ISE will no longer authenticate users through Microsoft Active Directory. You will receive the AD: ISE password update failed alarm on your Cisco ISE dashboard to notify you of this event."
See the link above for more information and the link to the MS documentation for the resolution.
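As an added example (not from this thread or from the Cisco or Microsoft documentation), here is a PowerShell check an administrator could run on a domain controller to see whether the ISE machine account is actually granted by the "Restrict clients allowed to make remote calls to SAM" policy and how old its password is. The ISE account name is a placeholder; the registry value name is the one Microsoft documents for that policy, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example, not from the thread. Run on a DC as an administrator.
$IseAccountName = 'ISE-NODE'   # placeholder: the ISE node's computer account name
$RenewalDays    = 15           # ISE machine-account password renewal interval (per the thread)

Import-Module ActiveDirectory

# 1. Read the effective "Restrict clients allowed to make remote calls to SAM" setting.
#    It is stored as an SDDL string in this REG_SZ value; if absent, the OS default applies.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
if ($sddl) { Write-Output "RestrictRemoteSam SDDL: $sddl" }
else       { Write-Output 'RestrictRemoteSam not set explicitly; OS default (Administrators only) applies.' }

# 2. Collect every SID granted an Allow ACE in that SDDL (BA in SDDL resolves to S-1-5-32-544).
$allowedSids = @()
if ($sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier) {
            $allowedSids += $ace.SecurityIdentifier.Value
        }
    }
}

# 3. Look up the ISE computer account, its SID, its group SIDs and its password age.
$ise = Get-ADComputer -Identity $IseAccountName -Properties pwdLastSet, PasswordNeverExpires
$groupSids = (Get-ADPrincipalGroupMembership -Identity $ise.DistinguishedName).SID.Value
$pwdAge = (Get-Date) - [DateTime]::FromFileTime($ise.pwdLastSet)
Write-Output ('{0}: password last set {1:N1} days ago, PasswordNeverExpires={2}' -f `
    $ise.Name, $pwdAge.TotalDays, $ise.PasswordNeverExpires)

# 4. Report: a password older than the renewal interval means ISE's updates are failing,
#    and the account (directly or via a group) must be granted by the SAM policy to fix it.
if ($pwdAge.TotalDays -gt $RenewalDays) {
    Write-Warning "Password is older than the $RenewalDays-day renewal interval; ISE updates are likely failing."
}
$granted = ($allowedSids -contains $ise.SID.Value) -or (@($groupSids | Where-Object { $allowedSids -contains $_ }).Count -gt 0)
if ($granted) { Write-Output 'ISE account is granted remote SAM access by the policy.' }
else { Write-Warning 'ISE account is not granted by RestrictRemoteSam; see the Microsoft policy doc linked from the Cisco page.' }
```

If the policy is delivered by Group Policy rather than set locally, compare this value with the GPO's setting, since the local value is what the DC enforces after a policy refresh.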