cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

658
Views
15
Helpful
6
Replies
Sevion
Beginner

ISE can not join AD Domain

Hello guy, 

A weird issue occurred to us when we were trying to join ISE to the domain. We have 2 nodes (VM version 2.7 patch 4) to join the domain. After entering the correct username and password of the domain administrator, our nodes failed to join it. I'm sure that the name server is correct. The error code was 5. Here are parts of the content of the log. 

 

 

2021-07-22 17:27:10,095 DEBUG ,139885544687360,Status: STATUS_ACCESS_DENIED = 0xC0000022 (-1073741790),RdrDfsConnectAttempt(),lwio/server/rdr/dfs.c:536
2021-07-22 17:27:10,095 DEBUG ,139885544687360,Status: STATUS_ACCESS_DENIED = 0xC0000022 (-1073741790),RdrDfsTreeConnectComplete(),lwio/server/rdr/dfs.c:599
2021-07-22 17:27:10,095 DEBUG ,139885544687360,Continuing context 0x7f38f8072990,RdrContinueContext(),lwio/server/rdr/driver.c:561
2021-07-22 17:27:10,095 DEBUG ,139885544687360,Status: STATUS_ACCESS_DENIED = 0xC0000022 (-1073741790),RdrCreateTreeConnectComplete(),lwio/server/rdr/create.c:143
2021-07-22 17:27:10,095 DEBUG ,139885544687360,Freed op context 0x7f38f8072990,RdrFreeContext(),lwio/server/rdr/driver.c:527
2021-07-22 17:27:10,095 DEBUG ,139885544687360,Freed op context 0x7f38f80725b0,RdrFreeContext(),lwio/server/rdr/driver.c:527
2021-07-22 17:27:10,095 DEBUG ,139885306394368,LEAVE_IF: -> 0xc0000022 (STATUS_ACCESS_DENIED) (EE = 0),LwNtCreateFile(),lwio/client/ntfileapictx.c:597
2021-07-22 17:27:10,095 DEBUG ,139885306394368,Converted DCERPC code 0x16c9a0e2 to NTSTATUS 0xc0000022,LsaOpenPolicy2(),lsass/client/rpc/lsa/lsa_openpolicy2.c:95
2021-07-22 17:27:10,095 VERBOSE,139885306394368,Error at ../../lsass/client/rpc/lsa/lsa_openpolicy2.c:96 [code: C0000022],LsaOpenPolicy2(),lsass/client/rpc/lsa/lsa_openpolicy2.c:96
2021-07-22 17:27:10,095 VERBOSE,139885306394368,Error at ../../lsass/server/auth-providers/ad-open-provider/join/join.c:763 [code: C0000022],LsaJoinDomainInternal(),lsass/server/auth-providers/ad-open-provider/join/join.c:763
2021-07-22 17:27:10,095 VERBOSE,139885306394368,Error code: 5 (symbol: ERROR_ACCESS_DENIED),LsaJoinDomainUac(),lsass/server/auth-providers/ad-open-provider/join/join.c:553
2021-07-22 17:27:10,095 DEBUG ,139885544687360,krb5: Destroying ccache MEMORY:139882656141768,LwKrb5TraceCallback(),lwadvapi/threaded/lwkrb5.c:1328
2021-07-22 17:27:10,095 DEBUG ,139885306394368,Switched gss krb5 credentials path from <null> to FILE:/tmp/krb5cc_318,LwKrb5SetThreadDefaultCachePath(),lwadvapi/threaded/lwkrb5.c:485
2021-07-22 17:27:10,095 DEBUG ,139885306394368,krb5: Destroying ccache FILE:/tmp/tktF6LvWI,LwKrb5TraceCallback(),lwadvapi/threaded/lwkrb5.c:1328

2021-07-22 17:27:10,095 VERBOSE,139885306394368,Error code: 5 (symbol: ERROR_ACCESS_DENIED),AD_JoinDomain(),lsass/server/auth-providers/ad-open-provider/provider-main.c:2751
2021-07-22 17:27:10,095 DEBUG ,139885306394368,ActionReportStopAction: Ending action JOIN_DOMAIN with result ERROR_ACCESS_DENIED,ActionReportStopAction(),lwadvapi/threaded/actions_reporter/action_reporter.cpp:160
2021-07-22 17:27:10,095 VERBOSE,139885306394368,AD_JoinDomain: sending log :
17:27:10 Joining to domain xxxxxx.com using user administrator
17:27:10 Searching for DC in domain xxxxxx.com
17:27:10 Found DC: 501.xxxxxx.com , client site is xxxx , dc site is xxxx
17:27:10 Checking credentials for user administrator
17:27:10 Getting TGT for account administrator@xxxxxx.com
17:27:10 TGT for account administrator@xxxxxx.com was retrieved successfully
17:27:10 Credentials for user administrator were verified
17:27:10 Searching for DC in domain xxxxxx.com
17:27:10 Found DC: 503.xxxxxx.com , client site is xxxx , dc site is xxxx

,AD_JoinDomain(),lsass/server/auth-providers/ad-open-provider/provider-main.c:2792
2021-07-22 17:27:10,095 VERBOSE,139885306394368,AD_JoinDomain: returned error 0,AD_JoinDomain(),lsass/server/auth-providers/ad-open-provider/provider-main.c:2793
2021-07-22 17:27:10,095 VERBOSE,139885306394368,AD_JoinDomain: free sActionReport=0x7f38f8078e20 , sActionReportSize=705,AD_JoinDomain(),lsass/server/auth-providers/ad-open-provider/provider-main.c:2827

 

Have you guys faced the same problems? 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

The bug referenced below can be found at the following link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23542

 

View solution in original post

6 REPLIES 6
Mike.Cifelli
VIP Advocate

I would start with ensuring that all requirements and ports are opened/met.  See: Active Directory Integration with Cisco ISE 2.x - Cisco

A few other items to note:

-Try using the AD diagnostic tool on ISE side to see if that sheds additional light

-Check any local AD side security software to ensure ISE is allowed to communicate with AD on the respective ports.  

balaji.bandi
VIP Master

MHM Cisco World
Collaborator

gggg.png

Hello sir,

Could you share the link?

The bug referenced below can be found at the following link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23542

 

View solution in original post

Thank you!

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel