10-10-2018 02:50 AM
An AD account with privileges is required to join ISE to a domain as per the documentation, that is easy to sort out. But what happens if the account has a password policy set to renew every 30 days? Is the AD account no longer used after the join operation because machine accounts have been created, so therefore expiring AD accounts wouldn't be an issue? Is it the machine accounts that allow for the domain lookups during authentication or is it still the AD user account that is used?
10-10-2018 04:20 AM
The AD account is only used during the join process. Just as if you were joining a windows workstation to the domain.
10-10-2018 05:40 AM
Yes, that's the general rule and that is why the password is not stored when you join the AD. But that is just one scenario. The reason that there is an option to store the password is because this is needed in the case where Profiling is enabled for AD Probing. In that case you need to store the password.
It's generally best practice to create service accounts in AD that are restricted to a specific purpose - and most importantly, not subjected to password expiration :-)
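The advice above (a dedicated, restricted service account whose password does not expire) is something an AD admin can verify rather than assume. The following PowerShell script is an added example and not part of this thread or any Cisco-provided tooling; it assumes the ActiveDirectory RSAT module is installed, and the account name `svc-ise-join` and computer name `ise-node1` are hypothetical placeholders for the join account and the machine account the ISE node created.

```powershell
# Added example (not from the thread): audit the account used for the ISE domain
# join and the machine account created by the join, from an AD admin workstation.
# Requires the ActiveDirectory RSAT module. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

$JoinAccount = 'svc-ise-join'   # hypothetical AD service account used for the join
$IseComputer = 'ise-node1'      # hypothetical computer object created by the ISE join

# 1. Pull the expiry-relevant attributes of the join account.
$user = Get-ADUser -Identity $JoinAccount -Properties PasswordNeverExpires, PasswordLastSet,
    PasswordExpired, Enabled, MemberOf, Description

# 2. Work out the maximum password age that actually applies to this account:
#    a fine-grained password policy (PSO) if one is linked, otherwise the domain default.
$pso = Get-ADUserResultantPasswordPolicy -Identity $JoinAccount
if ($pso) {
    $maxAge = $pso.MaxPasswordAge
    $policySource = "PSO: $($pso.Name)"
} else {
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $policySource = 'Domain default policy'
}

# 3. Compute how old the current password is and whether expiry can bite.
$ageDays = $null
if ($user.PasswordLastSet) {
    $ageDays = (New-TimeSpan -Start $user.PasswordLastSet -End (Get-Date)).Days
}
$subjectToExpiry = (-not $user.PasswordNeverExpires) -and ($maxAge.TotalDays -gt 0)

# 4. Summarise the join account. Group membership is listed so an over-privileged
#    account (e.g. a Domain Admins member used only for the join) stands out.
$groups = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
[PSCustomObject]@{
    Account              = $user.SamAccountName
    Enabled              = $user.Enabled
    Description          = $user.Description
    PasswordNeverExpires = $user.PasswordNeverExpires
    PasswordLastSet      = $user.PasswordLastSet
    PasswordAgeDays      = $ageDays
    EffectiveMaxAgeDays  = [int]$maxAge.TotalDays
    PolicySource         = $policySource
    SubjectToExpiry      = $subjectToExpiry
    AlreadyExpired       = $user.PasswordExpired
    Groups               = $groups
} | Format-List

# 5. Confirm the machine account the join created exists; it is what ISE uses for
#    lookups after the join, so it should be present and enabled regardless of the
#    state of the user account above.
$computer = Get-ADComputer -Identity $IseComputer -Properties PasswordLastSet, Enabled, OperatingSystem
[PSCustomObject]@{
    Computer        = $computer.Name
    Enabled         = $computer.Enabled
    OperatingSystem = $computer.OperatingSystem
    PasswordLastSet = $computer.PasswordLastSet
} | Format-List
```

Run it as an account that can read the user and computer objects. If `SubjectToExpiry` is true for the join account, the expiry only matters when the password is stored in ISE (the AD probing case mentioned above); if it is not stored, an expired join account does not affect the already-joined node, and the machine account section shows what ISE is actually using.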
10-10-2018 07:36 AM - edited 10-10-2018 07:59 AM
Thanks. That's the problem I have, the customer has strict password expiry policies for all AD accounts which mean passwords need changing every 30 days!